In anticipation of the General Data Protection Regulation (GDPR) becoming effective on May 25, 2018, we want to provide you with the information, resources, and confidence to prepare and succeed under the GDPR. In this resource, you’ll find general GDPR background information, FAQs, a comprehensive slide deck, a webcast with our friends from a leading European privacy law firm, Fieldfisher, and a list of helpful resources for more information. We know change isn’t always easy, so we hope these resources help you send with confidence.

Please note: this is for general informational purposes only and is not intended to constitute legal analysis or advice. You should contact a lawyer to find out more about your specific obligations under the GDPR. This information is provided “as is” and may be updated or changed without notice.

What is the GDPR?

Effective on May 25, 2018, the GDPR is intended to strengthen individuals’ rights and unify data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies to the processing of data subjects’ personal data by any size of EU or non-EU organization that provides goods or services to the EU or monitors EU users’ behavior.

What is Personal Data?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.

Personal data can even include data about an individual that has been hashed or encrypted.

For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data are a specific list of data types, expressly set out in the GDPR, and include things like race, religion, political opinions, health data, etc.

Key Principles of the GDPR

Keep in mind the following principles as you and your team prepare for the upcoming GDPR:

  • Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
  • Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
  • Personal data held needs to be kept up-to-date and accurate. It should be held no longer than necessary to fulfill its purpose.
  • EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
  • All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer (DPO).

Steps to Prepare

  • Data Mapping—Determine (and document) the following:
    • What personal data do you possess or collect?
    • What purpose(s) is the personal data used for?
    • Where did this data come from, and what parties has it been shared with?
    • Where does this data currently reside?
    • How long is the data stored?
    • How will this data be deleted or modified if a data subject submits a request?
  • Rights—Check your current procedures to ensure that you can comply with data subjects’ rights. EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance, in certain circumstances.
  • Consent—When relying on consent as the ground for processing personal data, address how you pursue, obtain, and document consent. For certain (but not all) types of activities, consent should generally be obtained from an individual in order to use their data—for example, when processing special categories of personal data. The GDPR states that consent should be given by a clear affirmative act—silence, pre-ticked boxes, or inactivity will typically not constitute consent. Consent should also be informed. Organizations will have to provide information about why they’re collecting the personal data and what it will be used for. You will also be required to maintain a record of all consent obtained, including who consented, when, and what specific statements they consent to. EU individuals will have the right to withdraw consent at any time.
  • Privacy Policies – Review your current privacy policy and determine if any updates are needed.
  • Product Design – You should build privacy by design into projects and consider how you can minimize the privacy impact of your products. Try to use pseudonymisation, anonymisation, and encryption where appropriate or necessary. More detailed information about privacy by design can be found in Article 25 of the GDPR.
  • Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. The GDPR requires organizations to report a breach to data protection authorities generally within 72 hours of detection, unless the breach is unlikely to result in a risk to the privacy rights of individuals.
  • Data Protection Officer – Determine if you should appoint a data protection officer (DPO). The GDPR states that a DPO must be appointed when the core activities of the organization involve “regular and systematic monitoring of data subjects on a large scale” or where the organization conducts large-scale processing of “special categories of personal data.” The DPO is responsible for overseeing compliance with the GDPR requirements and serves as the point of contact between the organization and supervisory authorities.
  • Third-Party Providers – Make a list of all the third-party solutions you currently use (including website tracking cookies) that have access to or process data subjects’ personal data. You should review all of your contracts with third-party providers. Include confidentiality and data privacy clauses in your contracts which, where necessary, are GDPR compliant. Ask third-party providers that you have determined are in scope whether they are compliant with GDPR regulation.
  • Awareness – Educate your employees about GDPR and its impact on the collection and handling of customers’ personal data.

How Does This Affect Email Marketing?

The GDPR will have an impact on marketing practices. All email marketers concerned with the GDPR need to address how they pursue, obtain, and document consent where it is needed. Marketers will also want to ensure that they can update, delete, restrict, or move an individual’s data if requested.

To ensure compliance with the GDPR, marketers should provide individuals with choices regarding marketing (e.g. obtain opt-ins and maintain a preferences page on their account) and set expectations. Mail filters are getting better and better at detecting what mail is “wanted” by recipients. A major indicator of this is spam complaints (when a user marks a message as spam in their inbox). And, a major contributing factor to getting more spam complaints is when recipients aren’t clear on why they are receiving that message.

Marketers should also remove recipients who have withdrawn consent and consider removing recipients who appear to have stopped engaging with your brand for a long time. Consent to send messages is not forever. If a recipient agrees to receive messages from you at some point, marketers should still consider stopping sending marketing communications after a certain point, even without blatant requests for an unsubscribe or a spam complaint. This is one of the easiest ways to maintain a good reputation at major mailbox providers.

Marketers will also want to keep a record of consent because the GDPR isn’t just about collecting consent, but also about keeping a record of this consent. The GDPR requires companies to maintain a detailed record of the consents obtained and to give EU individuals the right to ask when and how their consent was given, and to withdraw it freely at any time. If the person doesn’t want their email address used, they can ask for it to be removed from your email lists.

What Else is New Under the GDPR?

  • Online Identifiers: The GDPR expands the definition of personal data to include online identifiers such as device IDs, IP addresses, ad IDs and cookie identifiers.
  • Age Restrictions: When obtaining consent from a person under the age of 16, parental consent is required, including making “reasonable efforts” to verify that the consent is from the parents, not the child. Additionally, different member states can set a lower requirement of 13.
  • Processing: For the first time, the GDPR imposes direct legal obligations on data processors meant to ensure that processors protect data appropriately, assist with data subject requests, and provide notice and a right to object to the use of sub-processors.
  • Automated Decision-Making: Automated decision-making is processing (including profiling) which produces a decision that legally or significantly affects an individual without human intervention. Without explicit consent, individuals must not be subject to automated decision-making.
  • Enforcement: Failure to comply could mean a €20 million fine or 4% of your organization’s global turnover, whichever is greater. Authorities also have the power to carry out audits, obtain access to an organization’s premises, and resolve individual complaints.

What About Privacy Shield?

Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect data abroad. Accepted transfer mechanisms include self-certifying to the Privacy Shield Framework (if a US organization), using the EU Commission’s Standard Contractual Clauses, transferring the data to a country that has been recognized by the European Commission as providing an “adequate” level of data protection, obtaining Binding Corporate Rules approval, as well as other less established mechanisms such as certifications and codes of conduct.

SendGrid and the GDPR

SendGrid believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. SendGrid is committed to ensuring that it is GDPR compliant when the law becomes enforceable on May 25, 2018 and is dedicated to helping our customers become GDPR compliant.

SendGrid’s steps to ensure it is GDPR-ready include:

  • SendGrid is Privacy Shield certified. By complying with the Privacy Shield Principles, we can lawfully collect, receive, and process personal data from the EU and Switzerland in the US and beyond. Additionally, SendGrid’s security has also been recognized by other third parties, including SSAE 16 (SOC 2 Type 2) certification and PCI-DSS compliance. Our customers’ use of SendGrid’s services will assist with their own GDPR obligations.
  • Making available a GDPR-compliant Customer Data Processing Agreement for SendGrid’s processing of personal data under the GDPR on behalf of its customers. If your use of SendGrid requires SendGrid to process personal data within the scope of the GDPR, SendGrid’s GDPR Data Processing Addendum is available for e-signature here.
  • Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we are reviewing our vendor agreements and putting GDPR-compliant terms in place with vendors and service providers who process GDPR personal data on our behalf.
  • Making behind-the-scenes changes to ensure that the SendGrid platform and services are GDPR compliant and support GDPR rights, including implementing changes focusing on access controls, account and record deletion, security, storage, and audits. SendGrid is also internally working with our engineering, product, and security teams to ensure that we are able to help our customers respond to any data subject requests that they may receive, and proactively ensuring GDPR compliance for every new product or enhancement.
  • Evaluating our Privacy and Cookie Notices and making any updates as needed.
Can you be a processor of some data and a controller of other data at the same time?

  • Yes. Many companies that are data processors of some personal data are also data controllers of other personal data. Whether you are a controller or processor is determined per category of personal data you process, and does not apply to your company as a whole. Your obligations under the GDPR will depend on whether you are acting as a data controller or a data processor in connection with each category of personal data.

Does the GDPR require EU personal data to stay within the EU?

  • No, the GDPR does not require EU personal data to stay in the EU. However, the GDPR does require that a valid transfer mechanism is in place to protect the data before it leaves the EU.

Does processing EU personal data always require the data subject’s consent?

  • No. Consent is only one of the legal bases that can be used for the processing of personal data. For example, personal data can also be processed:
    • When necessary for the performance of a contract to which the data subject is a party;
    • When an organization has a legal obligation to do so (such as the submission of employee data to a tax authority); and
    • Under an organization’s legitimate interests which may include commercial and marketing goals. The legitimate interest must not, however, override the data subject’s rights and interests.

Will the GDPR fines apply to small and medium-sized enterprises (“SMEs”)?

  • Fines for violations or non-compliance with the GDPR will apply regardless of the size of the company. If you are an SME, you are, in principle, subject to the same level of fines as a large multinational organization.

Will Brexit impact GDPR compliance for UK businesses?

  • No. The GDPR comes into effect before the UK officially leaves the European Union, which the UK government has announced will take place on March 29, 2019. If you’re based in the UK or process personal data from the UK, this means that you’ll need to become GDPR compliant before May 25, 2018.

Do EU data subjects have an absolute right to have their personal data deleted upon request?

  • A data subject’s right to have his or her data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further processing is necessary to comply with a legal obligation or is carried out in the public interest relating to health.

If we have already acquired a list of users, what do we need to do to ensure we are compliant with the GDPR?

  • You will need to ensure that you have clear consent from the contacts on your distribution lists and a clear record of the consents that have been obtained or withdrawn. The new rules will not only apply to email addresses added to your database from May 25, 2018, but will also apply to any data collected before then.

Can we send recipients an email asking them to opt-in to our newsletters and marketing emails?

  • Yes, for EU individuals who are already on your marketing lists, you could contact them by email asking them to confirm their consent. You should do this as soon as possible in order to ensure you remove any contacts that have not opted in before May 25, 2018.

Is “double opt-in” mandatory under the GDPR?

  • No. The GDPR does not specifically require “double opt-in” consent. “Double opt-in” is a two-step mechanism whereby a person provides opt-in consent to the use of their contact details for marketing purposes and is then sent an email to confirm their agreement before any marketing is sent to them. Instead, the GDPR provides that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data. This could include ticking a box when visiting a website, or any other conduct which clearly indicates the data subject’s consent to the processing of their personal data. Silence, pre-ticked boxes or inactivity will typically not constitute consent.
