GDPR for SaaS Product Teams

The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It recognizes and codifies EU residents’ broad rights and freedoms in relation to the processing of their personal data. A primary goal of the regulation is to preserve individuals’ right to privacy and to protect them from the data breaches that have become increasingly prevalent in our data-driven world.

Even if a business is located outside the EU, GDPR applies to the company if they offer goods or services (even for free) to, or monitor the behavior of, EU residents, or if they process and hold those residents’ personal data. While the 28 EU member states already have data privacy laws, the GDPR’s goal is to create one consistent set of rules across those countries.

We’ve written before about GDPR’s impact on email senders. But GDPR has major implications for any SaaS (Software as a Service) provider that has users in the EU—or more precisely, users who are EU citizens (regardless of where they live) and/or users who are residents of the EU (citizens or not).

Given the global nature of today’s economy and the Internet, GDPR is something few SaaS businesses can ignore. It’s a complex topic, but here are five things every product team should know.

1. GDPR defines personal data in very broad terms

Just about every piece of information you collect about your users is considered personal data under GDPR. The regulation broadly defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s a mouthful, but it means that, beyond obvious things like names, ages, email addresses, and identifiers like driver’s license or other ID numbers, you also need to consider location data, IP addresses, mobile device IDs, web browser cookies, and even genetic and biometric data, such as fingerprints, facial recognition, and retinal scans. For example, if your app allows someone to use their fingerprint, rather than an access code, to access their account, you should understand how you’re handling that fingerprint data.

2. SaaS teams must take care in how they obtain consent to process users’ data

Consent has long been an important part of how SaaS businesses obtain and handle data from users, but GDPR is very clear about five aspects of consent that you must adhere to if you want to be compliant with the new law. Consent must be:

  • Freely given: Users must be able to give consent without feeling intimidated or misled. For example, you can’t require that users provide specific information before they can use a service, as long as that information isn’t required to perform the service.
  • Specific: GDPR frowns on blanket consent agreements that are meant to cover everything a business may want to do, now or in the future, with their users’ data.
  • Informed: Users need to understand who they’re giving consent to, which information they’re giving consent to use, and how it will be processed. The agreement must also stand alone, instead of being enclosed in a terms and conditions agreement, so that the user can more easily read and understand it.
  • Unambiguous: The method for obtaining consent should not leave any doubt about the intentions of the user nor the company. It’s also vital that businesses keep records of their users’ consent agreements so they can be presented for verification.
  • Indicated by a statement or clear affirmative action: Users can give consent verbally, in writing, or by clicking a box. Silence or a pre-clicked box do not equate with consent. GDPR prefers that users be able to withdraw consent as easily as they give it.

3. SaaS users have broad and specific rights about the use of their data

GDPR explicitly states that personal data as belonging to the user, not the company. In fact, it defines the right to privacy and control of this personal data as a fundamental human right. GDPR lists several ways in which individuals have control over how, where, when, and why their data is used, including, but not limited to:

  • Right of access: Users can ask why and where their data is being processed, who their data is shared with, how long their data is being stored, and other information. Access requests must be fulfilled free of charge within one month.
  • Right to be forgotten: Users can withdraw the consent they’ve previously given, in which case their data must be erased, rather than disabled in case the user decides to reactivate their account. There are exceptions, but the business’s reason for not complying must fall under one of the lawful purposes described by GDPR.
  • Right to rectification: Users can insist that companies fix any errors with their data.
  • Right to restrict processing: Users can restrict the processing of their data while errors are being fixed, and they can also do so instead of demanding erasure of their information, among other reasons.
  • Right of data portability: Users can ask for a copy of their data in a readily accessible format (for example, as a CSV file) and may ask for their data to be transferred from one company to another.
  • Right of third party notification: If data is shared with third parties, those companies must also be informed if a user asks to be forgotten, for mistakes to be fixed, or for restricted processing of their information. Users are also entitled to ask about the identities of those third parties.

4. SaaS businesses must act swiftly in the event of a data breach

If you suffer a data breach, you have 72 hours to notify the relevant authorities. Failure to do so can result in a penalty of up to 2% of your company’s annual worldwide revenue or €10 million, whichever is more.
If the data breach is likely to affect the rights and freedoms of your users, you must also inform them “without undue delay.” There are exceptions to that, such as:

  • The data has been encrypted or otherwise made unintelligible.
  • The breach is unlikely to affect your users.
  • Notifying your users would require “disproportionate effort,” in which case you can make a public announcement.

5. SaaS teams probably need a Data Protection Officer and documentation of collected data

GDPR requires the designation of a Data Protection Officer (DPO) if your business conducts “large scale” monitoring of your users in a regular and systematic way. The law says that the DPO should be someone well-versed in the subject matter, as opposed to, for example, asking someone in marketing to take on the responsibility in name only.

While the DPO requirement is aimed at larger companies, with the goal of giving that function a seat at the C-suite table, it’s a good idea to have a DPO even if your employee count is in the single digits.

In addition, if your company has more than 250 employees, you need to keep documentation regarding:

  • Why you’re collecting and processing people’s data
  • A description of what data you retain (remember that while you don’t need to worry about emails you send, you should be careful about unique identifiers that appear in returned message data)
  • How long you retain data
  • What security measures you have in place to protect against breaches

And one more thing…

The penalty for violating GDPR can be steep: up to 4% of your company’s annual worldwide revenue or €20 million, whichever is more. If you’re based in the U.S. and handle the data of users in the EU, you should look into being certified under Privacy Shield, a framework designed by the US Dept. of Commerce, the European Commission, and the Swiss Administration.

These five points are just a quick look at some of GDPR’s ramifications for SaaS products. It’s a complex topic that most product teams will want to discuss with their business and legal counterparts.

Want to learn more?

On April 26th, SparkPost’s own Data Protection Officer and GDPR expert, Jason Soni, will be joined by 250ok’s Director of Privacy & Industry Relations, Matthew Vernhout, in a webinar discussing GDPR’s worldwide impact on email. I highly recommend product managers check it out. Until then, these additional resources are worth bookmarking:


GDPR’s Impact on Your Business and Email

The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. With this impending date around the corner, it’s time to prioritize where to invest resources to achieve compliance and avoid potential enforcement actions. If you think GDPR doesn’t impact your business, think again. It applies to any organization processing personal data of European Union residents and affects previously collected information as well.

So what does GDPR enforce? It sets a high standard for consent of personal data, which enables choice and control for EU residents with regard to how their personal information is collected, stored and managed. That said, these new requirements will most certainly affect email sending practices. But don’t worry, because there are things you can do ahead of time to prepare for the challenges and avoid significant fines for noncompliance.

Join Us

In our upcoming webinar on April 26th, GDPR Affects Email Worldwide, join SparkPost’s Deputy General Counsel & Data Protection Officer, Jason Soni and 250ok’s Director of Privacy & Industry Relations, Matthew Vernhout, as they share practical advice on aligning email sending practices with GDPR requirements, and convey general information on how to ensure that your company is compliant with the new regulation.

During the webinar, we’ll discuss:

  • GDPR overview
  • GDPR vs. 95/46/EC directive, international transfers, and what’s next
  • GDPR’s impact on your organization and email sending

You won’t want to miss this! Register today for GDPR Affects Email Worldwide Webinar on April 26, 2018 at 1 pm ET/10 am PT.

~ Julie

What do you want to see in 2018?

Hi Everyone!

We hope you’ve all thoroughly enjoyed the holidays with friends, family and loved ones. As we ramp up for an incredible 2018, we want to hear from you!

At SparkPost, the goal with each blog that we publish is to be helpful, informative or just plain entertaining. Sometimes we totally nail it, and other times we might miss the mark a bit. That’s why we’d like to hear what you think! What kind of content do you enjoy reading the most on our blog? How-to’s on more technical skills? Features on community members using cool technologies? Thought leadership showcasing trends in the email and messaging industries?

We’ve put together a very short survey so you can let us know what you think – there’s room at the end for comments, suggestions, etc. We appreciate your feedback and promise to incorporate it into our plan for next year. For fun, I’ve listed below our top 5 posts from 2017 – they might help refresh you on what types of content we regularly publish here on the blog:

GDPR: What Email Senders Need to Know

Europe’s GDPR privacy law is an issue for almost every company with an app, SaaS product, or other service. Learn exactly what email senders need to know before the changes go into effect.

How to Use Microservices to Build an API That Lasts

Learn some successful strategies we use to build our microservices architecture and how they allow us to evolve our API during rapid growth.

Community Spotlight: CodeNewbie

Whether you are new to coding, want to brush up on skills or just network, CodeNewbie is an incredible resource. Check out this Q&A with founder Saron Yitbarek, and get excited for some fun upcoming projects we’ve got in store with them in the new year.

RESTful API Versioning Best Practices: Why v1 is #1

Breaking changes can result in frustration and loss of trust between an API provider and their users. API versioning is one way to avoid that frustration.

How To Read Email Headers

Email headers host a treasure trove of information. Learn how to read them and understand more about the mail you’re sending and receiving.

Any industry trends or topics you think were under-represented? Be sure to list that feedback in the survey or tweet us with your thoughts!

Happy New Year!


The European Union’s new General Data Protection Regulation (GDPR) is the world’s most significant piece of data protection legislation. The law goes into force on May 25, 2018, but it’s already having deep impact on companies around the world.

And if your business involves sending email, it’s probably an issue for you too. At a recent event, I was talking with some of our customers who were interested in hearing our perspective on how GDPR would affect them as email senders. Those conversations inspired me to write this post. (And after reading this, I also recommend you check out SparkPost’s detailed GDPR FAQ and resources page.)

What Is GDPR?

GDPR harmonizes the patchwork of existing data privacy laws in EU member states. Its primary goal is to protect the rights and freedoms of EU citizens and residents in relation to the processing of their personal data.

Because GDPR defines data privacy as a basic right, the law extends the scope of EU regulation to any organization—whether European or not—that processes personal data of EU citizens and residents. Every modern business now faces stringent obligations for better data management, as well as potential fines for breaches of this regulation—of up to the greater of €20 million or 4% of a firm’s global revenue.

What Does GDPR Require?

That’s a question too complex to answer fully here. But in brief, GDPR imposes privacy by design, data security, data access, data portability, data minimization, breach notification, and consent requirements on businesses who collect, process, or store EU residents’ personal data.

Just as significantly, GDPR defines a “right to be forgotten,” which means that any EU resident can request that their personal data be deleted and no longer processed by a company.

Flag of the European Union (EU)

But I’m Not European!

If your product or service has users in the EU, or if your organization processes or holds the personal data of EU residents and citizens, irrespective of whether payment is involved, assume GDPR will affect you. (Although it’s not clear at this time how or if GDPR might be enforced in the US or elsewhere—that’s a discussion for you and your lawyer.)

Is Email Affected by GDPR?

GDPR is a complex issue that potentially will affect any organization providing an app, SaaS product, or other service that processes information about individual users. That almost certainly includes companies that send and process email.

The regulation defines “personal data” broadly and leaves much detail about what constitutes that personal data up to the interpretation of regulators and courts. However, it is certain to include a broad range of information including names, phone numbers, residential addresses, government ID numbers, financial and purchase histories, age, sex, genetic and biometric data, and much more.

Of particular interest to email senders, information such as customer names, email addresses, IP addresses, engagement-tracking data, and other similar data is likely to be included in the definition of personal data.

Start by Asking Questions

Again, GDPR is an extremely complex topic. But a good place to begin is with a review of your current data handling practices—not just email, but all the means by which data passes through your company’s networks—and ask questions like these:

  • What personal data do you hold?
  • Where does personal data come from?
  • Is that personal data secure?
  • Who can access the personal data?
  • Where is the personal data stored? (Consider all locations, such as the laptops of employees who may travel to the EU on business.)
  • How long is the personal data retained?
  • If you’re asked, can you confirm to someone if you’re processing their personal data, where it’s processed, and for what reason?
  • If someone wants to see their personal data held by you, can you provide it in a commonly used and machine-readable format?
  • How do you obtain consent to gather personal data?

You should also look at the personal data consent records that you have collected and consider these questions:

  • Are there records for each data subject’s consent, for each and every purpose for which you use their personal data?
  • Have you received clear affirmative consent for each data subject? The GDPR states that consent buried in a privacy policy, terms of service, or a soft opt-in method are inadequate. You will want to revise notices such as these to comply with the new law.
  • Can you present your consent records if challenged?

Working with Service Providers

How you work with third-party service providers is also affected by GDPR. So be sure to ask them about their GDPR readiness.

  • Who are those providers and have they started the process of GDPR compliance?
  • What’s the flow and lifecycle of personal data you send to them?
  • What security and technical measures are in place to protect that personal data when it’s transmitted between the two companies?
  • Do your contracts with those providers need to be revised to ensure GDPR compliance?
  • Have they appointed a Data Protection Officer?

SparkPost and GDPR

As a business and a service provider, SparkPost takes GDPR very seriously. We’ve been working since January 2017 to ensure the SparkPost service is ready for GDPR’s requirements and allows our customers to easily comply.

The SparkPost email delivery service will be GDPR-compliant before the law’s effective date of May 25, 2018. And in regards to personal data transfer between the EU and US, we’re already certified under the joint EU-US Privacy Shield framework.

Privacy Shield

Provided you have the necessary lawful consent, the actual sending of the email is not really impacted by GDPR. However, GDPR does affect whether you are able to collect, store and handle various engagement tracking (including the information SparkPost calls Message Event data), to the extent it directly or indirectly identifies an EU resident. For example, metadata you choose to pass through, such as a unique identifier or segment identifier, would appear in the returned message event data and thus could be considered personal data subject to GDPR’s requirements, including the consent to process that personal data.

If you receive a data subject access request from a customer or user, you must respond within one month. In compiling the customer’s personal data, you can query the SparkPost Message Event data via the web UI or the API and search for them by their email address. That will allow you to see any Message Event data retained by SparkPost for that customer. If for some reason you can’t comply with the data request, SparkPost will assist you, but keep in mind we only retain Message Event data for 10 days. Since there is no specific data retention requirement under the GDPR (and in fact the regulation encourages data minimization), our policy is in compliance with the law.

Note that SparkPost does not retain the content of the emails you send, except for in a short-term cache or while it retries delivery in case of failed delivery attempts. You’re not required to retain the emails you send, but if you have a duty to do so because of another legal obligation, GDPR allows you to do so.

By the way, unlike some other email delivery providers, SparkPost offers our customers who require maximum confidence in GDPR compliance the option of operating in EU-based data centers.

GDPR: Ask Us Anything!

Want to learn more? SparkPost’s detailed GDPR FAQ and resources page is a great next step. And don’t hesitate to get in touch if you’d like to discuss how your business can ensure that your email is ready for GDPR.