I've had quite a few GDPR conversations, done a decent amount of reading around the subject and even been to a full-on 2-hour GDPR training session, but I'm still confused about a few points:

We have a jobs web site. As part of our service, users can sign up to receive our e-newsletter service, which provides them with the latest jobs to go on the site, and selected sponsored jobs that match their preferences. We never sell our data to 3rd parties; all communications are sent from us. They can opt out of these updates at any time.

We have around 100,000 people who have signed up in the last 12 months to receive these e-newsletters. As the sole reason for signing up on this particular form on the web site is to receive updates from us, we don't provide a checkbox (either opt-in or opt-out) to say "I agree you can please contact me" because why else are they filling out the form? It's not like they're buying a pair of shoes and we're asking them if they'd like to hear from our marketing team about other products.

So...

Firstly, I'd like to know, given the nature of the form, whether the historical/legacy data we hold (the last 12 months of signups) is GDPR compliant or whether we need to reconfirm each subscription?

Secondly, moving forward, in circumstances like ours, do we need to offer double opt-in (we don't currently), and do we need to have an opt-in checkbox on a form that is only for signing up to receive a newsletter?

I'd be grateful to anyone who can point me in the right direction! I'm going around in circles!