GDPR for SaaS Product Teams

The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It recognizes and codifies EU residents’ broad rights and freedoms in relation to the processing of their personal data. A primary goal of the regulation is to preserve individuals’ right to privacy and to protect them from the data breaches that have become increasingly prevalent in our data-driven world.

Even if a business is located outside the EU, GDPR applies to the company if they offer goods or services (even for free) to, or monitor the behavior of, EU residents, or if they process and hold those residents’ personal data. While the 28 EU member states already have data privacy laws, the GDPR’s goal is to create one consistent set of rules across those countries.

We’ve written before about GDPR’s impact on email senders. But GDPR has major implications for any SaaS (Software as a Service) provider that has users in the EU—or more precisely, users who are EU citizens (regardless of where they live) and/or users who are residents of the EU (citizens or not).

Given the global nature of today’s economy and the Internet, GDPR is something few SaaS businesses can ignore. It’s a complex topic, but here are five things every product team should know.

1. GDPR defines personal data in very broad terms

Just about every piece of information you collect about your users is considered personal data under GDPR. The regulation broadly defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s a mouthful, but it means that, beyond obvious things like names, ages, email addresses, and identifiers like driver’s license or other ID numbers, you also need to consider location data, IP addresses, mobile device IDs, web browser cookies, and even genetic and biometric data, such as fingerprints, facial recognition, and retinal scans. For example, if your app allows someone to use their fingerprint, rather than an access code, to access their account, you should understand how you’re handling that fingerprint data.

2. SaaS teams must take care in how they obtain consent to process users’ data

Consent has long been an important part of how SaaS businesses obtain and handle data from users, but GDPR is very clear about five aspects of consent that you must adhere to if you want to be compliant with the new law. Consent must be:

  • Freely given: Users must be able to give consent without feeling intimidated or misled. For example, you can’t make access to a service conditional on users providing information that isn’t needed to perform that service.
  • Specific: GDPR frowns on blanket consent agreements that are meant to cover everything a business may want to do, now or in the future, with their users’ data.
  • Informed: Users need to understand who they’re giving consent to, which information they’re giving consent to use, and how it will be processed. The agreement must also stand alone, instead of being enclosed in a terms and conditions agreement, so that the user can more easily read and understand it.
  • Unambiguous: The method for obtaining consent should not leave any doubt about the intentions of the user nor the company. It’s also vital that businesses keep records of their users’ consent agreements so they can be presented for verification.
  • Indicated by a statement or clear affirmative action: Users can give consent verbally, in writing, or by clicking a box. Silence or a pre-ticked box does not count as consent. GDPR prefers that users be able to withdraw consent as easily as they give it.

3. SaaS users have broad and specific rights about the use of their data

GDPR explicitly treats personal data as belonging to the user, not the company. In fact, it defines the right to privacy and control of this personal data as a fundamental human right. GDPR lists several ways in which individuals have control over how, where, when, and why their data is used, including, but not limited to:

  • Right of access: Users can ask why and where their data is being processed, who their data is shared with, how long their data is being stored, and other information. Access requests must be fulfilled free of charge within one month.
  • Right to be forgotten: Users can withdraw the consent they’ve previously given, in which case their data must be erased, not merely disabled in case the user later decides to reactivate their account. There are exceptions, but the business’s reason for not complying must fall under one of the lawful purposes described by GDPR.
  • Right to rectification: Users can insist that companies fix any errors with their data.
  • Right to restrict processing: Users can restrict the processing of their data while errors are being fixed, and they can also do so instead of demanding erasure of their information, among other reasons.
  • Right of data portability: Users can ask for a copy of their data in a readily accessible format (for example, as a CSV file) and may ask for their data to be transferred from one company to another.
  • Right of third party notification: If data is shared with third parties, those companies must also be informed if a user asks to be forgotten, for mistakes to be fixed, or for restricted processing of their information. Users are also entitled to ask about the identities of those third parties.

4. SaaS businesses must act swiftly in the event of a data breach

If you suffer a data breach, you have 72 hours to notify the relevant authorities. Failure to do so can result in a penalty of up to 2% of your company’s annual worldwide revenue or €10 million, whichever is more.
If the data breach is likely to affect the rights and freedoms of your users, you must also inform them “without undue delay.” There are exceptions to that, such as:

  • The data has been encrypted or otherwise made unintelligible.
  • The breach is unlikely to affect your users.
  • Notifying your users would require “disproportionate effort,” in which case you can make a public announcement.

5. SaaS teams probably need a Data Protection Officer and documentation of collected data

GDPR requires the designation of a Data Protection Officer (DPO) if your business conducts “large scale” monitoring of your users in a regular and systematic way. The law says that the DPO should be someone well-versed in the subject matter, as opposed to, for example, asking someone in marketing to take on the responsibility in name only.

While the DPO requirement is aimed at larger companies, with the goal of giving that function a seat at the C-suite table, it’s a good idea to have a DPO even if your employee count is in the single digits.

In addition, if your company has more than 250 employees, you need to keep documentation regarding:

  • Why you’re collecting and processing people’s data
  • A description of what data you retain (remember that while you don’t need to worry about emails you send, you should be careful about unique identifiers that appear in returned message data)
  • How long you retain data
  • What security measures you have in place to protect against breaches

And one more thing…

The penalty for violating GDPR can be steep: up to 4% of your company’s annual worldwide revenue or €20 million, whichever is more. If you’re based in the U.S. and handle the data of users in the EU, you should look into being certified under Privacy Shield, a framework designed by the US Dept. of Commerce, the European Commission, and the Swiss Administration.

These five points are just a quick look at some of GDPR’s ramifications for SaaS products. It’s a complex topic that most product teams will want to discuss with their business and legal counterparts.

Want to learn more?

On April 26th, SparkPost’s own Data Protection Officer and GDPR expert, Jason Soni, will be joined by 250ok’s Director of Privacy & Industry Relations, Matthew Vernhout, in a webinar discussing GDPR’s worldwide impact on email. I highly recommend product managers check it out. Until then, these additional resources are worth bookmarking:


It’s Marketing 101: getting the right message to the right customer at the right time. As marketers, we think about that in display advertising, we think about it in media placements, and of course we should think about it in email marketing, too.


When it comes to marketing in different international markets, that rule applies doubly. But, let’s face it, for a lot of us, sending email outside of the U.S. and Canada is an intimidating prospect. Too many email marketers try to guess at the privacy regulations, ISP rules, language preferences, and even time zones of their customers. And some email marketers don’t even try. They either avoid international marketing like the plague or—even worse—they ride roughshod over these important issues.

Let’s make this real for a moment. Imagine living in China, and getting email alerts at all hours of the night because marketers in North America either overlook or don’t care about the fact that you’re trying to get some sleep. Would you really want to keep engaging with that company? No! In fact, this very issue has become such a problem that many Chinese ISPs have begun to limit the amount of messages they accept at certain times to avoid their customers being woken up by late-night emails.

So what are email marketers to do? A great place to start is “Your Passport to Global Email Marketing Success,” a recent webinar SparkPost hosted with Dennis Dayman of Return Path and our own Len Shneyder. Dennis and Len shared tried-and-true best practices and forward-looking ideas for sending email outside of North America. The webinar was chock full of great information, and I definitely encourage you to check it out.

I personally was struck by a few questions from the audience that came up during the webinar Q&A. Here’s my take on what email marketers are asking about sending messages to markets around the world.

1. How do I deal with opt-outs internationally? Is there CAN-SPAM or something similar outside of the U.S.?

Yes. To start, there is CASL, Canada’s ground-breaking anti-spam legislation. You definitely need to read up on that if you are sending email to Canada. (It goes without saying that SparkPost has your back on this one. We recently hosted a fantastic webinar about the ins and outs of CASL.) CASL is significant, but many other countries have their own privacy regulations that also require opt-out, such as the EU Data Protection Directive. Long story short, do your research before you send!

2. How much time can pass between an opt-out request and when it should take effect?

In the world of relevant and modern marketing tools, opt-outs should take effect immediately. There is no reason for delay, and every email you send after a customer has opted out could be a serious black mark on the recipient’s view of your brand. Having said that, you are afforded a grace period of 10 days or so in many national email regulations (though details may vary).

3. What’s the best time of day and day of week to send emails? Does it vary country to country?

Test! Test! Test! We can’t emphasize this enough. There’s no such thing as the perfect time of day—your recipients change, demographics change, who’s receiving it changes, and the importance they attach to it changes. All these things change and are testable!

4. Do I really need to use double opt-in for an international email list?

Yes. Email best practices dictate that double opt-in or confirmed opt-in is the right thing to do. Remember that in many markets, both customer expectations and regulatory policies require much more diligence than the relatively laissez-faire approach to opt-in and list buying that some marketers have taken in the past.

5. How do I keep on top of the changes taking place around the world and different worldwide email regulations?

Several organizations are great resources for staying on top of email marketing best practices around the world. Every email marketer should start following their social media feeds or newsletters—or even consider joining them as a formal member.

Though sending email outside of North America takes care and awareness of audience expectations and international regulatory issues, with the right information, it can be done! Check out the resources I highlighted in this post, and you’ll have a great start to planning a successful international email marketing strategy.

What’s been your experience with international email marketing? I’d love to hear from you. And do check out our “Your Passport to Global Email Marketing Success” webinar. I think you’ll enjoy it as much as I did.

In this day and age, every company or organization that collects any personal information (pretty much all of them!) needs a privacy policy. Since larger organizations are likely to already have privacy policies in place, I’m going to speak here to the needs of smaller organizations. Here are 3 reasons your smaller organization should create a privacy policy:


With data breaches and identity theft constantly in the news, people are more concerned than ever about what’s happening with their personal information. They are very aware that their information is being collected, and they want to know what’s happening with it. Without a privacy policy, people may wonder what information you’re collecting about them and what you’re doing with it, and may choose not to work with you when they can’t easily find out by reading your policy clearly linked on your website.


As your organization grows, your data collection practices may change. It’s easy to get caught up in the whirlwind of new technology and not realize how your collection of personal information is changing. As new people join your team, they may have new ideas about what information is needed, and how best to make use of it. As things change, it’s good to have a policy as a touchstone.

Setting a privacy policy gives you a guiding light on how your organization thinks about personal information and interacts with customers. It will keep you from making drastic changes without consideration. Having a privacy policy will ensure that your team seeks to fully understand new technologies that collect information before deploying them. In the event of any legal complaints, having a privacy policy in place that your organization follows will protect you from charges that you are working outside the expectations of your customers.


It all comes down to trust. If I don’t know what you’re doing with my personal information, I am less likely to give you my personal information in the first place. If I’m not sure you’ll notify me if you change your practices or think changes through, I am not likely to want to do business with your organization. People do business with organizations they trust, and they trust organizations that are transparent and consistent with their use of personal information. Having a privacy policy in place shows all your potential customers that you take their concerns seriously, and that you can be trusted with their information.

Need help to create a good policy? The Better Business Bureau has a great sample policy here.

Coming Soon: Why You Need to Adhere to Your Privacy Policy

In the next installment in this series, we’ll take a look at what can go wrong when companies put in place solid data privacy policies, but then fail to follow them.

The Online Trust Authority celebrated Data Privacy Day 2014 by holding a series of town hall events across the country last week. My colleague Sarah Jenan and I were fortunate enough to be able to attend the San Francisco event at the Union Square Marriott on Thursday. A highlight of the morning was the session titled Security by Design: What Businesses Should Know to Help Them From Becoming a Statistic.

Moderated by Tim Rohrbaugh, chief information security officer at Intersections, the panel brought together special agents from the FBI and Secret Service (who will remain anonymous), along with representatives from two consumer privacy advocacy groups: Neal O’Farrell, the executive director of the Identity Theft Council, and Beth Givens, director of the Privacy Rights Clearinghouse.

The consensus on the panel was that the kind of massive data breaches we’ve seen recently at Target, Neiman Marcus and, most recently, Michaels stores, is a trend that is not likely to go away anytime soon. Law enforcement is seeing a huge array of network intrusions both here in the U.S. and globally. Educating the business community on how to better secure IT resources to deter attacks is a key focus of law enforcement, but both government representatives stressed that increasingly they’re placing an emphasis on helping IT professionals understand best practices for when a breach does occur. The experts believe the most progress in tracking and stopping malicious hackers can be made by improving the information victimized companies provide to aid remediation and investigation and to reach a positive outcome.

Continuing in this vein, several panelists made the point that it’s a very good idea for IT and data security professionals to reach out to and establish contacts with law enforcement proactively. Having a computer incident response plan in place, and sharing it with counterparts within the law enforcement community, is proving to be the most effective way to mitigate damage from attacks and recover from them quickly. Moderator Rohrbaugh pointed out that his organization invites in cybersquad law enforcement when running through incident response training precisely because the FBI and Secret Service will need to be involved if a real-life breach incident were to occur. Knowing who in law enforcement you’ll be dealing with in case something goes wrong, and having that relationship established up front, is very valuable.

Education may well be the key to saving companies from data breaches – here’s an eBook about DMARC email authentication to keep your emails safe and secure!

How DMARC Is Saving Email

Email marketing is, without doubt, one of the most important channels for lead nurturing, as evidenced by a number of studies and research reports in recent times. It has also been argued that it serves as an important channel for lead acquisition, although the jury is still out on that point. When it comes to continued business development, or maximizing customer lifetime value, email marketing appears to be the foremost channel that is tapped. It is essential for every business looking to service their customer base as well.

So what governs the final decision when it comes to a choice of email marketing technology?

In our first post on unlocking the potential of email marketing, we focused on the three email marketing metrics that one should measure, set certain targets for and try to achieve with their email marketing technology. To sum up, these were:

  • Customer Lifetime Value
  • Contribution to Corporate Revenue
  • Deliverability and Average Monthly Revenue

For the second part in this series, we’re going to look at the reasons why email marketers choose in-house email solutions or on-premise email marketing technology over outsourced email marketing technology as highlighted in The Relevancy Group’s survey of 400 email marketing professionals.

Reason #1 & #2: Cost & Effectiveness


Email marketers are generally concerned with cost (45%) and email deliverability (37%). That’s understandable. Everyone wants to get the best value out of their selected solutions for a reasonable price. This is not something that applies specifically to email technology but to almost every purchase decision that is being made (luxury items being excluded from the conversation). These considerations tie in nicely with the top three benefits marketers cite when using on-premise or in-house email solutions.


55% of marketers found that they could deploy campaigns more rapidly, 41% experienced an increase in targeting and relevance and 36% had a lower cost of ownership.

Upon reaching a certain organizational size, using outsourced solutions can simply become too expensive for many organizations. That’s probably the case in most industries, simply because that is the business model on which most outsourced services are based. For smaller organizations, outsourced solutions are cheaper and easy to adopt: they work for a small database of customers and a fledgling email marketing campaign. However, outsourced solutions may simply become too expensive once an organization scales and starts looking into sending a few million email messages a day. When that happens, these businesses are looking at a whole new pricing tier, and ultimately a bigger bill. This is the time when businesses that turn to an in-house email solution begin to see economies of scale on an investment in on-premise email technology.

Reason #3: Control

Aside from effectiveness and cost, marketers are turning to in-house email solutions due to the increased ability to maintain control over production and integration with other applications and platforms, as well as security.


While a small percentage, it is interesting to note that 7% of businesses are opting for on-premise solutions out of compliance with government regulations. Security has often been cited as a reason why businesses choose to use on-premise solutions. Having data stored on a business’s own email servers rather than in the cloud increases control and protection of that data. The European Union’s Data Protection Directive mandates that personal data can only be transferred across borders if the third-party country is able to adequately protect such data. With many outsourced providers operating through cloud services, geographical location and ownership of data becomes a grey area for many companies seeking compliance with government regulation. In this scenario, using an on-premise or in-house email solution is thus equivalent to adhering to industry best practices in terms of data protection.

Do you agree with the survey findings? What are some of the other reasons why marketers might turn to in-house email solutions?