General Data Protection Regulation (GDPR)
DISCLAIMER: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.
In April 2016, the GDPR was adopted by the European Union. It is a joint proposal by the European Commission which provides individuals with even greater control over the collection and use of their personal data. Sendloop is committed to ensuring our customers are able to comply with their requirements under the GDPR by May 25th, 2018, the enforcement date of the GDPR. Below, you can find the GDPR compliance process we are following:
- Documenting all data processing activities which involve the collection, processing and safeguarding of personal data
- Developing features to ensure that we can quickly address any requests from our customers when their subscribers request info/action about their personal data, including:
  - Right of access
  - Right of rectification
  - Right to object
  - Right to be forgotten
  - Right of portability
- Evaluating our sub-processors to ensure they are also GDPR compliant by May 25th, 2018.
Consent and Purpose
What is personal data?
Before digging into more details about GDPR and preparations we are making, let’s understand what personal data is:
“[personal data] means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
So, if you store data about a person in a usable way and it relates to an identifier (such as a device ID, cookie ID or email address), it is personal data.
The GDPR enforces that personal data must be processed lawfully, fairly, and in a transparent manner.
For all data covered by the definition above, you need to justify that you are processing it lawfully. Consent is a big step towards GDPR compliance; however, the consent you collect must be explicit and purpose-based. This is the highest standard for data collection and use policies.
This means that there is no ambiguity as to the activities consented to or the organization carrying out those activities.
Consent should be clear and unique to the specific organization. It should clearly describe each reason for processing and storing the data. For each purpose, a separate subscribe form or an unchecked consent checkbox is the preferred option. No matter what kind of creative method you use to obtain consent from the owner of the personal data, it is important to ensure that clarity is not lost in the process. Transparency about your reasons for processing data is a requirement for obtaining explicit consent.
Don’t forget that personal data must be collected for specified, explicit and legitimate purposes. It should be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
Lawful Data Processing
No matter which email marketing application you are using, you will most likely rely on consent as the lawful basis for processing your subscribers’ personal data. Consent is not the only way to lawfully process personal data, but at least one of the following grounds must apply:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
While it’s true that for most marketing activities, the industry tends to rely heavily on consent as the lawful ground for processing, it is up to you to analyze your data processing activities and choose the right justification(s). If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with legal counsel to ensure processing activities are properly justified. As always, diligent record keeping is vital to support these justifications.
The GDPR requires protection of personal data using “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” throughout the life cycle of the data.
GDPR Recital 78 indicates that “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
The GDPR does not mandate any specific security mechanisms, but rather requires that data controllers and processors take into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” should data be subject to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
What is Sendloop doing about the GDPR?
Here’s a high-level overview of our GDPR compliance roadmap:
- Appoint a Data Protection Officer
  COMPLETED – March 19th, 2018
- Thoroughly research the areas of our product and business impacted by GDPR
  COMPLETED – March 19th, 2018
  COMPLETED – Due: May 14th, 2018
- Perform the necessary changes/improvements to our product based on the requirements
  COMPLETED – Due: May 18th, 2018
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR
  COMPLETED – Due: May 14th, 2018
- Thoroughly test all changes to verify and validate compliance with GDPR
  COMPLETED – Due: May 24th, 2018
What do Sendloop Customers need to do?
Please take legal advice about the GDPR and make sure that all of your data collection processes comply with it. Make sure that your Terms of Service and Privacy Policy communicate to your users how you are using Sendloop and any other similar services. You can be heavily penalized under the GDPR if you have not done this clearly.
For any questions, feel free to reach us via firstname.lastname@example.org