Note: This is for general informational purposes only and is not intended to constitute legal analysis or legal advice. You should contact a lawyer to find out more about your particular obligations under the GDPR.

If you are part of an organization that does business with European Union citizens, then you may have heard of the upcoming changes involving the General Data Protection Regulation (GDPR). GDPR is a European Union law intended to strengthen and unify data protection rules and rights for the benefit of EU citizens. GDPR applies to EU organizations and to non-EU organizations (of any size) that provide goods and services to the EU or that utilize tracking technologies (like cookies or tracking pixels) to monitor EU users’ behavior.

GDPR will be enforced starting May 25th, 2018.

At that time, any organizations that are non-compliant may be subject to fines and other regulatory sanctions. For an overview of GDPR, this article is a great place to start.

Key Principles of GDPR

Keep in mind the following principles as you and your team prepare for the upcoming GDPR:

  • Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
  • Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
  • Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
  • EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hinderance.
  • All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.

What is Personal Data?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.

Personal data can even include data about an individual that has been hashed or encrypted.

For a comprehensive list of what GDPR considers personal data, please read Article 4(1) of the GDPR.

Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race, religion, political opinions, health data, etc.

Steps to Prepare for GDPR

Data Mapping – Determine (and document) the following:

  • What personal data do you possess or collect?
  • What purposes is the personal data used for?
  • Where did this data come from, and what parties has it been shared with?
  • Where does this data currently reside?
  • How long is the data stored?
  • How will this data be deleted or modified if a data subject submits a request?

Rights – Check your current procedures to ensure that you can comply with data subjects’ rights. EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance, in certain circumstances.

Consent – When relying on consent as the ground for processing personal data, address how you pursue, obtain, and document consent. For certain (but not all) types of activities, consent should generally be obtained from an individual in order to use their data – for example, when processing special categories of personal data. The GDPR states that consent should be given by a clear affirmative act—silence, pre-ticked boxes, or inactivity will typically not constitute consent. Consent should also be informed.

Organizations will have to provide information about why they’re collecting the personal data and what it will be used for.

You will also be required to maintain a record of all consent obtained, including who consented, when, and what specific statements they consent to. EU individuals will have the right to withdraw consent at any time.

Privacy Policies – Review your current privacy policy and determine if any updates are needed.

Product Design – You should build privacy by design into projects and consider how you can minimize the privacy impact of your products. Try to use pseudonymisation, anonymisation, and encryption where appropriate or necessary. More detailed information about privacy by design can be found in Article 25 of the GDPR.

Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. GDPR requires organizations to report a breach to data protection authorities generally within 72 hours of detection, unless the breach is unlikely to result in a risk to the privacy rights of individuals.

Data Protection Officer – Determine if you should appoint a data protection officer (DPO). GDPR states that a DPO must be appointed when the core activities of the organization involve “regular and systematic monitoring of data subjects on a large scale” or where the organization conducts large-scale processing of “special categories of personal data.” The DPO is responsible for overseeing compliance with GDPR requirements and serves as the point of contact between the organization and supervisory authorities.

Third-Party Providers – Make a list of all the third-party solutions you currently use (including website tracking cookies) that have access to or process data subjects’ personal data. You should review all of your contracts with third-party providers. Include confidentiality and data privacy clauses in your contracts which, where necessary, are GDPR compliant. Ask third-party providers that you have determined are in scope whether they are compliant with GDPR regulation.

Awareness – Educate your employees about GDPR and its impact on the collection and handling of customers’ personal data.

What About Privacy Shield?

The GDPR has specific requirements regarding the transfer of personal data outside of the EU.

For example, the data transfer must only happen to countries that have been determined to have adequate data protection laws or where you have put in place appropriate data export mechanisms.

The EU does not consider the US to have adequate data protection laws – however, the Privacy Shield is a voluntary self-certification program that US organizations can participate in to show that they have adequate data protection practices in place to meet this requirement of the GDPR.

SendGrid is Privacy Shield certified and also offers Standard Contractual Clauses to customers as an alternative data export mechanism.

How Does This Affect Email?

GDPR will have an impact on marketing practices. All email marketers concerned with GDPR need to address how they pursue, obtain, and document consent where it is needed. Marketers will also want to ensure that they can update, delete, restrict, or move an individual’s data if requested. By complying with GDPR and removing unwanted subjects’ email addresses from your lists, you can improve your deliverability!

What Next?

If you believe that your organization will be affected by GDPR, please contact a lawyer to find out more about your particular obligations under the GDPR. The purpose of this post is to highlight some of the changes that may occur for organizations as a result of the GDPR. The complete text of the GDPR is available here. You can also find more information related to cookie usage, the E-Privacy Regulation and how it relates to the GDPR here.

Krista Southworth is a Security Compliance Analyst at SendGrid, and regulatory compliance is part of her daily practice. When she is not securing the Grid, she enjoys yoga and exploring Colorado with her dogs.