GDPR for SaaS Product Teams

The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It recognizes and codifies EU residents’ broad rights and freedoms in relation to the processing of their personal data. A primary goal of the regulation is to preserve individuals’ right to privacy and to protect them from the data breaches that have become increasingly prevalent in our data-driven world.

Even if a business is located outside the EU, GDPR applies to the company if they offer goods or services (even for free) to, or monitor the behavior of, EU residents, or if they process and hold those residents’ personal data. While the 28 EU member states already have data privacy laws, the GDPR’s goal is to create one consistent set of rules across those countries.

We’ve written before about GDPR’s impact on email senders. But GDPR has major implications for any SaaS (Software as a Service) provider that has users in the EU—or more precisely, users who are EU citizens (regardless of where they live) and/or users who are residents of the EU (citizens or not).

Given the global nature of today’s economy and the Internet, GDPR is something few SaaS businesses can ignore. It’s a complex topic, but here are five things every product team should know.

1. GDPR defines personal data in very broad terms

Just about every piece of information you collect about your users is considered personal data under GDPR. The regulation broadly defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s a mouthful, but it means that, beyond obvious things like names, ages, email addresses, and identifiers like driver’s license or other ID numbers, you also need to consider location data, IP addresses, mobile device IDs, web browser cookies, and even genetic and biometric data, such as fingerprints, facial recognition, and retinal scans. For example, if your app allows someone to use their fingerprint, rather than an access code, to access their account, you should understand how you’re handling that fingerprint data.

2. SaaS teams must take care in how they obtain consent to process users’ data

Consent has long been an important part of how SaaS businesses obtain and handle data from users, but GDPR is very clear about five aspects of consent that you must adhere to if you want to be compliant with the new law. Consent must be:

  • Freely given: Users must be able to give consent without feeling intimidated or misled. For example, you can’t require that users provide specific information before they can use a service, as long as that information isn’t required to perform the service.
  • Specific: GDPR frowns on blanket consent agreements that are meant to cover everything a business may want to do, now or in the future, with their users’ data.
  • Informed: Users need to understand who they’re giving consent to, which information they’re giving consent to use, and how it will be processed. The agreement must also stand alone, instead of being enclosed in a terms and conditions agreement, so that the user can more easily read and understand it.
  • Unambiguous: The method for obtaining consent should not leave any doubt about the intentions of the user nor the company. It’s also vital that businesses keep records of their users’ consent agreements so they can be presented for verification.
  • Indicated by a statement or clear affirmative action: Users can give consent verbally, in writing, or by clicking a box. Silence or a pre-clicked box do not equate with consent. GDPR prefers that users be able to withdraw consent as easily as they give it.

3. SaaS users have broad and specific rights about the use of their data

GDPR explicitly states that personal data as belonging to the user, not the company. In fact, it defines the right to privacy and control of this personal data as a fundamental human right. GDPR lists several ways in which individuals have control over how, where, when, and why their data is used, including, but not limited to:

  • Right of access: Users can ask why and where their data is being processed, who their data is shared with, how long their data is being stored, and other information. Access requests must be fulfilled free of charge within one month.
  • Right to be forgotten: Users can withdraw the consent they’ve previously given, in which case their data must be erased, rather than disabled in case the user decides to reactivate their account. There are exceptions, but the business’s reason for not complying must fall under one of the lawful purposes described by GDPR.
  • Right to rectification: Users can insist that companies fix any errors with their data.
  • Right to restrict processing: Users can restrict the processing of their data while errors are being fixed, and they can also do so instead of demanding erasure of their information, among other reasons.
  • Right of data portability: Users can ask for a copy of their data in a readily accessible format (for example, as a CSV file) and may ask for their data to be transferred from one company to another.
  • Right of third party notification: If data is shared with third parties, those companies must also be informed if a user asks to be forgotten, for mistakes to be fixed, or for restricted processing of their information. Users are also entitled to ask about the identities of those third parties.

4. SaaS businesses must act swiftly in the event of a data breach

If you suffer a data breach, you have 72 hours to notify the relevant authorities. Failure to do so can result in a penalty of up to 2% of your company’s annual worldwide revenue or €10 million, whichever is more.
If the data breach is likely to affect the rights and freedoms of your users, you must also inform them “without undue delay.” There are exceptions to that, such as:

  • The data has been encrypted or otherwise made unintelligible.
  • The breach is unlikely to affect your users.
  • Notifying your users would require “disproportionate effort,” in which case you can make a public announcement.

5. SaaS teams probably need a Data Protection Officer and documentation of collected data

GDPR requires the designation of a Data Protection Officer (DPO) if your business conducts “large scale” monitoring of your users in a regular and systematic way. The law says that the DPO should be someone well-versed in the subject matter, as opposed to, for example, asking someone in marketing to take on the responsibility in name only.

While the DPO requirement is aimed at larger companies, with the goal of giving that function a seat at the C-suite table, it’s a good idea to have a DPO even if your employee count is in the single digits.

In addition, if your company has more than 250 employees, you need to keep documentation regarding:

  • Why you’re collecting and processing people’s data
  • A description of what data you retain (remember that while you don’t need to worry about emails you send, you should be careful about unique identifiers that appear in returned message data)
  • How long you retain data
  • What security measures you have in place to protect against breaches

And one more thing…

The penalty for violating GDPR can be steep: up to 4% of your company’s annual worldwide revenue or €20 million, whichever is more. If you’re based in the U.S. and handle the data of users in the EU, you should look into being certified under Privacy Shield, a framework designed by the US Dept. of Commerce, the European Commission, and the Swiss Administration.

These five points are just a quick look at some of GDPR’s ramifications for SaaS products. It’s a complex topic that most product teams will want to discuss with their business and legal counterparts.

Want to learn more?

On April 26th, SparkPost’s own Data Protection Officer and GDPR expert, Jason Soni, will be joined by 250ok’s Director of Privacy & Industry Relations, Matthew Vernhout, in a webinar discussing GDPR’s worldwide impact on email. I highly recommend product managers check it out. Until then, these additional resources are worth bookmarking:


SparkPost EU

At SparkPost we recognize that data, where it resides, and how it’s protected, is of huge importance to European businesses and their customers — as it should be. In response to our customers’ needs, today we are launching SparkPost EU, our email API service located entirely within the European Union. With the launch of SparkPost EU, our European customers can enjoy the same low-latency, high-performance email delivery as SparkPost’s U.S. customers, which include LinkedIn, Pinterest, The New York Times, Twitter, MailChimp, and Zillow.

Unlike other email API vendors who offer services in the EU but process and send the emails from the U.S., SparkPost EU is hosted entirely in Europe, with email processing and delivery originating from European infrastructure. No matter the size of the business or the volume of messages they send, with SparkPost EU our customers can breathe easy knowing their data rests in the EU.

GDPR Compliance

Alongside SparkPost EU, we’re also announcing that we are compliant with the forthcoming EU General Data Protection Regulation (GDPR) both as a data controller and data processor. SparkPost is already certified under the joint EU-U.S. Privacy Shield framework governing personal data transfer between the EU and U.S. Together, SparkPost EU and our GDPR Compliance demonstrate our steadfast commitment to global compliance, data protection, and privacy rights.

We invite you to sign up for a SparkPost EU account. If you’d like to learn more, check out our API documentation and the SparkPost EU pricing.

In addition, you can read the full press release, check out our SparkPost EU FAQs and view our updated Postman collection here.

VP, Product Marketing

One of the cool things I was reminded of at Insight, SparkPost’s annual user conference, is just how diverse the community of email pros really is.

One way that diversity is reflected is in the simple fact that email is a global medium. That globalization is remarkable, but it introduces its own set of challenges: understanding the needs of different markets, deciphering the code of international deliverability, and navigating the legal and regulatory frameworks that govern different jurisdictions.


We recently shared several best practices for sending email outside of North America in a webinar about international email marketing, but the shifting landscape of global email and data privacy regulations is complicated enough to warrant some extra attention. Lucky for us, an expert panel at Insight 2015 shared updates on several significant international email marketing and data privacy rules in Canada, the European Union, Australia, and Russia. Here are some of the highlights.

First off the blocks was Matthew Vernhout of Inbox Marketer, and an expert on Canadian anti-spam laws (CASL). He highlighted several dramatic enforcements of CASL violations, as well as changes to Canada’s Digital Privacy Act. As Matthew pointed out, CASL enforcements are becoming a significant issue in light of a recent, record CAD 30 million fine against the Avis Budget Group for what was judged to be misleading advertising in an email marketing campaign. One facet of the enforcements worth noting is that the Canadian authorities have been making a distinction between willful violations that warrant substantial administrative monetary penalties (AMP) and the inadvertent violations that fall instead under the lesser category of undertakings.

Next, Dennis Dayman of Return Path discussed the implications of a recent court decision invalidating the long-standing “safe harbor” provisions that govern data collected on European citizens, but stored in U.S. data centers. Although Dennis suggested that the sky may not be falling quite yet, he also was very up-front that the the full impact of this ruling remains to be seen, as it has the potential to upend current practices by many American Internet companies who operate in Europe.

James Koons of dotmailer reviewed the sometimes confusing state of affairs in Russia. Russian Federal Law 242 quite explicitly requires all data collected on citizens of the Russian Federation to be stored on servers within the country’s territory. However, James also noted that current penalties described by the law are so small in monetary terms as to suggest that some businesses may be tempted perform a cost-benefit analysis of compliance and fines. Additionally, he noted that there is some ambiguity about the regulations affecting extraterritorial data transfers, because Russia is a signatory to relevant European regulations that do allow transfer of data, as long as certain conditions are met.

Finally, Dean Maidment of Taguchi Digital Marketing covered updates to Australia’s wide-ranging privacy principles. The long and short of these regulations is that Australian citizens now have a far-reaching right to demand a copy of all data that makes an individual “reasonably identifiable,” and the Australian framework may well be interpreted very broadly. His advice to companies doing business in Australia is to be highly proactive about preparing for enforcement of this regulation—and to be ready for even more sweeping interpretations in the future.

With these ongoing changes to privacy and anti-spam laws around the world, it’s clear international email marketing requires careful planning before clicking the send button. The overview from these experts about key regulations that affect email and data collection programs is a great starting point for getting up to speed.

To learn more, be sure to check out our helpful webinars on international email marketing and CASL. And our friends at the Email Experience Council (EEC) have provided detail on several of these global regulations.

What else would you like to learn about topics like CASL and safe harbor? I’d love to hear from you!


Email Security Cloud Blog Footer

It’s Marketing 101: getting the right message to the right customer at the right time. As marketers, we think about that in display advertising, we think about it in media placements, and of course we should think about it in email marketing, too.

international email

When it comes to marketing in different international markets, that rule applies doubly. But, let’s face it, for a lot of us, sending email outside of the U.S. and Canada is an intimidating prospect. Too many email marketers try to guess at the privacy regulations, ISP rules, language preferences, and even time zones of their customers. And some email marketers don’t even try. They either avoid international marketing like the plague or—even worse—they ride roughshod over these important issues.

Let’s make this real for a moment. Imagine living in China, and getting email alerts at all hours of the night because marketers in North America either overlook or don’t care about the fact that you’re trying to get some sleep. Would you really want to keep engaging with that company? No! In fact, this very issue has become such a problem that many Chinese ISPs have begun to limit the amount of messages they accept at certain times to avoid their customers being woken up by late-night emails.

So what are email marketers to do? A great place to start is “Your Passport to Global Email Marketing Success,” a recent webinar SparkPost hosted with Dennis Dayman of Return Path and our own Len Shneyder. Dennis and Len shared tried-and-true best practices and forward-looking ideas for sending email outside of North America. The webinar was chock full of great information, and I definitely encourage you to check it out.

I personally was struck by a few questions from the audience that came up during the webinar Q&A. Here’s my take on the what email marketers are asking about sending messages to markets around the world.

1. How do I deal with opt-outs internationally? Is there CAN-SPAM or something similar outside of the U.S.?

Yes. To start, there is CASL, Canada’s ground-breaking anti-spam legislation. You definitely need to read up on that if you are sending email to Canada. (It goes without saying that SparkPost has your back on this one. We recently hosted a fantastic webinar about the ins-and-outs of CASL.) CASL is significant, but many other countries have their own privacy regulations that also require opt-out, such like the EU Data protection directive. Long story short, do your research before you send!

2. How much time can pass between an opt-out request and when it should take effect?

In the world of relevant and modern marketing tools, opt-outs should take effect immediately. There is no reason for delay, and every email you send after a customer has opted out could be a serious black mark on the recipient’s view of your brand. Having said that, you are afforded a grace period of 10 days or so in many national email regulations (though details may vary).

3. What’s the best time of day and day of week to send emails? Does it vary country to country?

Test! Test! Test! We can’t emphasize this enough. There’s no such thing as the perfect time of day—your recipients change, demographics change, who’s receiving it changes, and the importance they attach to it changes. All these things change and are testable!

4. Do I really need to use double opt-in for an international email list?

Yes. Email best practices dictate that double opt-in or confirmed opt-in is the right thing to do. Remember that in many markets, both customer expectations and regulatory policies require much more diligence than the relatively laissez-faire approach to opt-in and list buying that some marketers have taken in the past.

5. How do I keep on top of the changes taking place around the world and different worldwide email regulations?

Several organizations are great resources for staying on top of email marketing best practices around the world. Every email marketer should start following their social media feeds or newsletters—or even consider joining them as a formal member.

Though sending email outside of North America takes care and awareness of audience expectations and international regulatory issues, with the right information, it can be done! Check out the resources I highlighted in this post, and you’ll have a great start to planning a successful international email marketing strategy.

What’s been your experience with international email marketing? I’d love to hear from you. And do check out our “Your Passport to Global Email Marketing Success” webinar. I think you’ll enjoy it as much as I did.