General Data Protection Regulation
What You Need to Know and How to Comply
As the General Data Protection Regulation (GDPR) came into force on May 25, 2018, we want to continue to provide you with the information, resources, and confidence to ensure continued success under the GDPR. In this resource, you’ll find general GDPR background information, FAQs, a comprehensive slide deck, a webcast with our friends from a leading European law firm, Fieldfisher, and a list of helpful resources for more information. We know change isn’t always easy, so we hope these resources help you to continue to send with confidence.
Please note: this is for general informational purposes only and is not intended to constitute legal analysis or advice. You should contact a lawyer to find out more about your specific obligations under the GDPR. This information is provided “as is” and may be updated or changed without notice.
Effective May 25, 2018, the GDPR strengthens individuals’ rights and unifies data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies to the processing of data subjects’ personal data by EU or non-EU organizations of any size that provide goods or services to the EU or monitor the behavior of EU users.
The definition of personal data, as provided for by the GDPR, includes what we typically consider personally identifiable information (PII), such as name, passport number, and birth date, but it also includes data that we might consider to be non-PII, like addresses or device IDs.
For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, the definition of personal data includes a subset of data known as “special categories of personal data.” Special categories of personal data are a specific list of data, expressly set out in the GDPR, and include things like race and ethnicity, religion, political opinions, health data, etc.
Keep in mind the following principles as you and your team ensure compliance with the GDPR:
The GDPR’s impact on marketing practices requires all email marketers concerned with the GDPR to address how they pursue, obtain, and document consent where it is needed.
To ensure compliance with the GDPR, marketers should provide individuals with choices regarding marketing (e.g. obtain opt-ins and maintain a preferences page on their account) and set expectations.
Mail filters are getting better and better at detecting which mail is “wanted” by recipients. A major indicator of this is spam complaints (when a user marks a message as spam in their inbox), and a major contributing factor to getting more spam complaints is recipients not being clear on why they are receiving that message.
Marketers should also remove recipients who have withdrawn consent and consider removing recipients who have not engaged with your brand for a long time.
Even if a recipient agreed to receive messages from you at some point, marketers should still consider stopping marketing communications after a certain point, even without an explicit unsubscribe request or a spam complaint. This is one of the easiest ways to maintain a good reputation at major mailbox providers.
Marketers will also want to keep a record of consent, because the GDPR isn’t just about collecting consent but also about keeping an up-to-date record of it. The GDPR requires companies to maintain a detailed record of the consents obtained, to give EU individuals the right to ask when and how their consent was given, and to let them withdraw it freely at any time. If a person doesn’t want their email address used, they can ask for it to be removed from your email lists.
UPDATE: Please note on July 16, 2020, the European Court of Justice ruled that the US-EU Privacy Shield is no longer a valid cross-border data transfer mechanism. However, the same ruling upheld Standard Contractual Clauses as a valid cross-border data transfer mechanism. Customers aren’t required to do anything in order to be covered by the Standard Contractual Clauses as they are already part of the Data Protection Addendum which covers all SendGrid and Twilio services by default. Please see our blog post if you’d like to learn more.
Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect personal data abroad. Accepted transfer mechanisms include self-certifying to the Privacy Shield Framework (if a US organization), using the EU Commission’s Standard Contractual Clauses, transferring the data to a country that has been recognized by the European Commission as providing an “adequate” level of data protection, obtaining Binding Corporate Rules approval, as well as other less established mechanisms such as certifications and codes of conduct.
SendGrid believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. SendGrid is committed to ensuring that it is GDPR compliant and is dedicated to assisting our customers’ GDPR compliance efforts.
SendGrid’s steps to ensure it is GDPR compliant include:
SendGrid helps you focus on your business without the cost and complexity of owning and maintaining an email infrastructure. And with a full-featured marketing email service that offers a flexible workflow, powerful list segmentation, and actionable analytics, all of your email needs are met in one simple platform.