General Data Protection Regulation

General Data Protection Regulation

Chapter 1: Introduction

As the General Data Protection Legislation (GDPR) came into force on May 25, 2018, we want to continue to provide you with the information, resources, and confidence to ensure continued success under the GDPR. In this resource, you’ll find general GDPR background information, FAQs, a comprehensive slide deck, a webcast with our friends from a leading European law firm, Fieldfisher, and a list of helpful resources for more information. We know change isn’t always easy, so we hope these resources help you to continue to send with confidence.

Please note: this is for general informational purposes only and is not intended to constitute legal analysis or advice. You should contact a lawyer to find out more about your specific obligations under the GDPR. This information is provided “as is” and may be updated or changed without notice.

Chapter 2: What is the GDPR?

Effective May 25, 2018, the GDPR strengthens individuals’ rights and unifies data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies to the processing of data subjects’ personal data by any size of EU or non-EU organizations that provides goods or services to the EU or monitors the behavior of EU users.

Chapter 3: What is Personal Data?

The definition of personal data, as provided for by the GDPR, includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like addresses or device IDs.

For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race and ethnicity, religion, political opinions, health data, etc.

Chapter 4: Key Principles of the GDPR

Keep in mind the following principles as you and your team ensure compliance with the GDPR:

• Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
• Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
• Personal data held needs to be kept up-to-date and accurate. It should be held no longer than necessary to fulfill its purpose.
• EU citizens have the right to access their own personal data. They can also request a copy of their personal data, and that their personal data be updated, deleted, restricted, or moved to another organization without hindrance.
• All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a Data Protection Officer (DPO).

Chapter 5: Steps to Comply

• Data Mapping—Determine (and keep a record of) the following:
  • What personal data do you possess or collect?
  • What purpose(s) is the personal data used for?
  • Where did the personal data come from, and what parties has it been shared with?
  • Where does the personal data currently reside?
  • How long is the personal data stored?
  • How will the personal data be deleted or modified if a data subject submits a request?
• Rights—Check the procedures within your organization to ensure that you are complying with data subjects’ rights. EU citizens have the right to access their own personal data. They can also request a copy of their personal data, and that their personal data be updated, deleted, restricted, or moved to another organization without hindrance, in certain circumstances.
• Consent—When relying on consent as the grounds for processing personal data, address how you pursue, obtain, and document consent. For certain (but not all) types of activities, consent should generally be obtained from an individual in order to use their personal data—for example, when processing special categories of personal data. Consent should also be informed. Organizations must provide information about why they’re collecting the personal data and what it will be used for. You are also required to maintain a record of all consent obtained, including who consented, when, and what specific statements they consented to. EU individuals will have the right to withdraw prior consent at any time.

• Privacy Notices– Ensure your Privacy Notice has been updated to comply with the requirements of the GDPR.
• Product Design – You should build privacy by design into projects and consider how you can minimize the privacy impact of your products. Try to use pseudonymisation, anonymisation, or encryption where appropriate or necessary. More detailed information about privacy by design can be found in Article 25 of the GDPR.
• Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. The GDPR requires organizations to report a breach to data protection authorities generally within 72 hours of detection, unless the breach is unlikely to result in a risk to the privacy rights of individuals.
• Data Protection Officer – The GDPR states that a DPO must be appointed when the core activities of an organization involve “regular and systematic monitoring of data subjects on a large scale” or where the organization conducts large-scale processing of “special categories of personal data.” The DPO is responsible for overseeing compliance with the GDPR requirements and serves as the point of contact between the organization and supervisory authorities.
• Third-Party Providers – Keep your list of all the third-party solutions you currently use (including website tracking cookies) that have access to or process data subjects’ personal data up-to-date. Your contracts with third-party providers require specific terms under the GDPR, including confidentiality and data privacy clauses. Ensure that the third-party providers that you have determined are in scope are compliant with the GDPR.
• Awareness – Educate your employees about GDPR and its impact on the collection and handling of customers’ personal data.

Chapter 6: How Does This Affect Email Marketing?

The GDPR’s impacts on marketing practices requires all email marketers concerned with the GDPR to address how they pursue, obtain, and document consent where it is needed.

To ensure compliance with the GDPR, marketers should provide individuals with choices regarding marketing (e.g. obtain opt-ins and maintain a preferences page on their account) and set expectations.

Mail filters are getting better and better at detecting what mail is “wanted” by recipients. A major indicator of this is spam complaints (when a user marks a message as spam in their inbox). And, a major contributing factor to getting more spam complaints is when recipients aren’t clear on why they are receiving that message.

Marketers should also remove recipients who have withdrawn consent and consider removing recipients who appear to have stopped engaging with your brand for a long time.

Marketers will also want to keep a record of consent because the GDPR isn’t just about collecting consent, but also about keeping an up-to-date record of this consent. The GDPR requires companies to maintain a detailed record of the consents obtained and to give EU individuals the right to ask when and how their consent was given, and also the ability to withdraw it freely at any time. If the person doesn’t want their email address used, they can ask for it be removed from your email lists.

GDPR Legislation - What Senders Need to Know from SendGrid

Chapter 7: What Else Changed Under the GDPR?

• Online Identifiers: The GDPR broadens the definition of personal data to include online identifiers such as device IDs, IP addresses, ad IDs and cookie identifiers.
• Age Restrictions:  When obtaining consent from a person under the age of 16, parental consent is required, including making “reasonable efforts” to verify that the consent is from the parents, not the child. Additionally, different EU Member States lowered the requirement to the age of 13.
• Processing: The GDPR imposes direct legal obligations on data processors meant to ensure that processors protect personal data appropriately, assisting with data subject requests, and providing notice and a right to object to the use of sub-processors.
• Automated Decision-Making:  Automated decision-making is processing personal data (including profiling) which produces a decision that legally or significantly affects an individual without human intervention. Without explicit consent, individuals must not be subject to automated decision-making.
• Enforcement: Failure to comply could mean a €20 million fine or 4% of your organization’s global turnover, whichever is greater. Authorities also have the power to carry out audits, obtain access to an organization’s premises, and resolve individual complaints.

Chapter 8: What About Privacy Shield?

UPDATE: Please note on July 16, 2020, the European Court of Justice ruled that the US-EU Privacy Shield is no longer a valid cross-border data transfer mechanism. However, the same ruling upheld Standard Contractual Clauses as a valid cross-border data transfer mechanism. Customers aren’t required to do anything in order to be covered by the Standard Contractual Clauses as they are already part of the Data Protection Addendum which covers all SendGrid and Twilio services by default. Please see our blog post if you’d like to learn more.

Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect personal data abroad. Accepted transfer mechanisms include self-certifying to the Privacy Shield Framework (if a US organization), using the EU Commission’s Standard Contractual Clauses, transferring the data to a country that has been recognized by the European Commission as providing an “adequate” level of data protection, obtaining Binding Corporate Rules approval, as well as other less established mechanisms such as certifications and codes of conduct.

Chapter 9: SendGrid and the GDPR

SendGrid believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. SendGrid is committed to ensuring that it is GDPR compliant and is dedicated to assisting our customers’ GDPR compliance efforts.

SendGrid’s steps to ensure it is GDPR compliant include:

• Making available a GDPR-compliant Customer Data Processing Agreement for SendGrid’s processing of personal data under the GDPR on behalf of its customers. You can read our Data Protection Addendum here. As of January 1, 2020, Twilio’s DPA is incorporated into our Terms of Service and automatically covers your SendGrid account. It addresses Twilio’s GDPR obligations and includes our cross-border data transfer mechanisms, as well as other jurisdiction-specific terms, such as the CCPA written agreement for service providers.
• Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we modified our vendor agreements to put GDPR-compliant terms in place with vendors and service providers who process personal data on our behalf.
• Behind the scene changes to the SendGrid platform and services to ensure they are GDPR compliant and support GDPR rights: Including changes focused on access controls, account and record deletion, security, storage, and audits. SendGrid is also continuously working internally with our engineering, product, and security teams to ensure that we are able to help our customers to respond to any data subject requests that they may receive and proactively ensuring GDPR compliance for every new product or enhancement.
• Continuously evaluating Our Privacy and Cookie Notices and making any updates when needed.
• And Much Much More! Additional information and answers to frequently asked questions about SendGrid’s privacy and security is available here.

Chapter 10: FAQs

Can you be a processor of some data and a controller of other data at the same time?

• Yes. Many companies that are data processors of some personal data are also data controllers of other personal data. The concept of whether you are a controller or processor is based on your processing different categories of personal data, and does not apply to your company as a whole. Your obligations under the GDPR depend on whether you are acting as a data controller or a data processor in connection with the each category of personal data.

Does the GDPR require EU personal data to stay within the EU?

• No, the GDPR does not require EU personal data to stay in the EU. However, the GDPR does require that a valid transfer mechanism is in place to protect the data before it leaves the EU.

Does processing EU personal data always require the data subject’s consent?

• No. Consent is only one of the legal bases that can be used for the processing of personal data. For example, personal data can also be processed:
  • When necessary for the performance of a contract to which the data subject is a party;
  • When an organization has a legal obligation to do so (such as the submission of employee data to a tax authority); and
  • Under an organization’s legitimate interests which may include commercial and marketing goals. The legitimate interest must not, however, override the data subject’s rights and interests.

Do the GDPR fines apply to small and medium-sized enterprises (“SMEs”)?

• Fines for violations or non-compliance with the GDPR will apply regardless of the size of the company. If you are an SME, you are, in principle, subject to the equivalent level of fines as a large multinational organization.

Will Brexit impact GDPR compliance for UK businesses?

• No. The GDPR came into effect before the UK officially leaves the European Union, which the UK government has announced will take place on March, 29th 2019. If you’re based in the UK or process personal data from the UK, this means that you need to be GDPR compliant.

Do EU data subjects have an absolute right to have their personal data deleted upon request?

• A data subject’s right to have his or her data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further  processing to comply with a legal obligation or is processed in the public interest relating to health.

If we have already acquired a list of users, what do we need to do to ensure we are compliant with the GDPR?

• If you are relying on consent under the GDPR, you will need to ensure that you have clear consent from the contacts on your distribution lists and a clear record of the consents that have been obtained or withdrawn. The GDPR will not only apply to email addresses added to your database from May 25, 2018, but will also apply to any personal data collected before then.

Can we send recipients an email asking them to opt-in to our newsletters and marketing emails?

• Yes, for EU individuals who are already on your marketing lists, you may need to contact them by email asking them to confirm their consent. You should do this as soon as possible and ensure any contacts that did not opt in before May 25, 2018 are removed.

Is “double opt-in” mandatory under the GDPR?

• No. The GDPR does not specifically require “double-opt-in” consent. “Double-opt-in” is a two-step mechanism whereby a person provides opt-in consent to the use of their contact details for marketing purposes and the person is then sent an email to confirm their agreement before any marketing is sent to them. Instead, the GDPR provides that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data. This could include ticking a box when visiting an internet website, or any other conduct which clearly indicates the data subject’s consent to the processing of their personal data. Silence, pre-ticked boxes or inactivity will typically not constitute consent.

Chapter 11: Additional Resources

• Complete text of the GDPR.
• Information related to cookie usage, the E-Privacy Regulation and how it relates to the GDPR.
• Webcast: GDPR Legislation: What Senders Need to Know
• Blog post: The GDPR is Coming: How to Prepare
• Blog post: GDPR: How New Law Benefits Email Marketers
• Blog post: General Data Protection Regulation (GDPR): What Senders Need to Know