DISCLAIMER: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.
In April 2016, the GDPR was adopted by the European Union. It is a joint proposal by the European Commission which provides individuals with even greater control over the collection and use of their personal data. Sendloop is committed to ensuring our customers are able to comply with their requirements under the GDPR by May 25, 2018, the enforcement date of the GDPR. Below, you can find the GDPR compliance process we are following:
Before digging into more details about GDPR and preparations we are making, let’s understand what personal data is:
“[personal data] means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
So, if you are storing data about a person in a usable way and it relates to some identifier (such as device IDs, cookie IDs, email addresses, etc.), it is personal data.
The GDPR enforces that personal data must be processed lawfully, fairly, and in a transparent manner.
For all kinds of data covered by the definition written above, you need to justify that you are processing the data lawfully. Consent is a big step towards GDPR compliance; however, the consent you collect must be explicit and purpose-based. This is the highest standard for data collection and use policies.
This means that there is no ambiguity as to the activities consented to or the organization carrying out those activities.
Consent should be clear and unique to the specific organization. It should clearly describe each reason for processing and storing data. For each purpose, a separate subscribe form or unchecked consent checkboxes are the preferred options. No matter what kind of creative method you use to get consent from the personal data owner, it is important to ensure that clarity is not lost in the process. Transparency about your reasons for processing data is a requirement for building explicit consent.
Don’t forget that personal data must be collected for specified, explicit and legitimate purposes. It should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
No matter which email marketing application you are using, you will most likely rely on consent as the lawful basis for processing your subscribers’ personal data. While consent is not the only way to lawfully process personal data, at least one of the grounds for lawfully processing personal data must apply:
While it’s true that for most marketing activities, the industry tends to rely heavily on consent as the lawful ground for processing, it is up to you to analyze your data processing activities and choose the right justification(s). If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with legal counsel to ensure processing activities are properly justified. As always, diligent record keeping is vital to support these justifications.
The GDPR requires protection of personal data using “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” throughout the life cycle of the data.
GDPR Recital 78 indicates that “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
The GDPR doesn’t enforce any specific security mechanisms, but rather requires that data controllers and processors take into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” should data be subject to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
Here’s a high-level overview of our GDPR compliance roadmap:
Please take legal advice about the GDPR and make sure that all your data collection processes comply with it. Make sure that your Terms of Service and Privacy Policy communicate to your users how you are using Sendloop and any other similar services. The GDPR can heavily penalize you if you haven’t done this clearly.
For any questions, feel free to reach us at email@example.com