The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, which replaces the Data Protection Directive 95/46/EC. The GDPR is intended to harmonize the patchwork of data privacy laws across its member states. The objective of GDPR is to protect all EU residents from privacy and data breaches in an increasingly data-driven world. The GDPR seeks to accomplish its objective by providing certain rights and freedoms to EU residents in relation to the processing of their personal data.
The GDPR was adopted by the EU Parliament to:
- Create consistency within all the member states of the EU as to the rules regarding data protection, implementation of the law, and how the rules are enforced
- Modernize the principles laid out in the 1995 Data Protection Directive (Directive 95/46/EC), which was written before the advent of social media, “smart” mobile devices that now can access things like cameras and geolocation information, and the ubiquity of online services and communications
- Reinforce the rights of individuals to control and protect their personal data
- Strengthen the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards
When will GDPR take effect?
The GDPR is already in effect; it became effective on May 25, 2018.
Who does GDPR apply to?
The GDPR applies to:
- Organizations located within the EU
- Organizations located outside of the EU if they offer goods or services to (even for free), or monitor the behavior of, EU residents
- Organizations processing and holding personal data of EU residents, regardless of the organization’s location
Step 1: Perform a review of your data practices. Consider the following questions:
- What personal data do you hold?
- Is it secure?
- Who has access to it?
- Where is it transferred to?
- How long is it retained?
Step 2: Determine whether your security needs to be upgraded. Also determine whether you are required to appoint a Data Protection Officer to oversee and monitor internal compliance with GDPR.
Step 3: Have a system in place to monitor for any data breaches, and have the ability to act quickly when a breach is detected.
Step 4: Determine the nature of the personal data consent records you have collected. Consider the following:
- Are there records for each and every data subject’s consent, for each and every purpose for which you use their data?
- Are you able to present your consent records if challenged?
Step 6: Audit third party vendors. Be sure to consider the following:
- Identify all of your third party vendors and be aware of their data collection practices
- Discuss the flow and lifecycle of the personal data you send to them
- Understand the security and technical measures they have in place to protect the personal data
- Review your contracts with those providers to determine whether any revisions need to be made
Step 7: Make all staff and contractors aware of the regulations and their responsibilities when handling personal data.
Here are a few things to consider regarding how GDPR affects businesses:
Data processor or data controller
A controller is the organization that determines the purposes, conditions, and means of the processing of personal data. A processor is an organization that processes personal data on behalf of the controller. For example, if you’re using SparkPost to send email, you will be the controller and SparkPost will be the processor.
Defining “personal data” under GDPR
GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Under this definition, nearly ALL information about an EU resident is personal data, including, for example, names, ages, Social Security Numbers, email addresses, online identifiers and location data, IP addresses and mobile device IDs, cookies, and also more sensitive personal data such as genetic data and biometric data, including fingerprints, facial recognition and retinal scans.
There are several ways in which GDPR affects email delivery. Here are some common questions.
Can the EU enforce the GDPR against a US-based entity?
It is not clear that the GDPR could be directly enforced in the U.S. The U.S. has not agreed to any treaty in which it has harmonized such law with internal US law – and such harmonization would require radical changes to numerous federal and state laws, as U.S. privacy law is vastly different from EU law. So, a company that operates solely in the US may not directly be required to comply with GDPR (but see the discussion of Privacy Shield below; a company could contractually agree to do so). However, a US company would probably have to comply with the GDPR if it ever wanted to be able to do direct business in the EU. Most large companies have already made that decision. Smaller companies that are wholly located in the US will have to consider whether they want to take the risk of GDPR enforcement, and whether they ever want to expand direct services into the EU. We also note that noncompliance with GDPR could cause issues in a merger or acquisition transaction if the purchasing entity requires GDPR compliance.
Do I have to retain the email I send to my customers under GDPR?
No, there is no specific data retention requirement under GDPR. In fact, GDPR is more or less intentionally set up to promote the active non-retention of data.
For example, Comment (64) to GDPR states in part that, “A controller should not retain personal data for the sole purpose of being able to react to potential requests.”
However, if you have a duty to retain based on some other legal obligation, Comment (65) to GDPR, which deals with the right to be forgotten, states that a controller may retain data “where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.”
How does GDPR generally affect sending email?
Provided the controller has the necessary consent, the actual sending of the email is not really impacted by GDPR. However, GDPR can affect the returned message event data to the extent that such data directly or indirectly identifies an EU data subject. For example, if you pass metadata, such as a unique identifier, in the transmission, that metadata will appear in the returned message event data and is subject to the same obligations as any other personal data.
What is “Privacy Shield” and how is that related to GDPR?
The Privacy Shield, as stated at https://www.privacyshield.gov/welcome, is a privacy framework “designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”
It is important for third party data processors in the US to be Privacy Shield compliant. GDPR permits data transfers to countries that have been deemed to have adequate data protection laws. The US’s privacy protection laws generally do not meet the standards; being certified under Privacy Shield is a means for a company to contractually agree to meet applicable privacy regulations. It should be noted that Privacy Shield certified companies like SparkPost will automatically be agreeing to GDPR as of May 25, 2018 through such certification.
In broad terms, how does GDPR change existing obligations regarding email?
Broadly speaking, GDPR requires you to look at all of your data acquisition, tracking and data use systems, and then determine whether they adequately document the consent requirements, permit compliance with transparency requirements, and can be purged when requested by a data subject. Any legacy system that was not designed with these systemic issues in mind may be a real task to re-develop.
In addition, GDPR will require you to look at each and every third party service you are using for tracking, monitoring, and developing your data analytics – and verify whether they are GDPR compliant. After all, the whole point of these systems is to track users for marketing, service augmentation, customization and user experience – and hence, by definition, this is data that identifies a data subject. This data is personal data in the EU (whereas it is not personal data with any level of real protection in the US). It is the lowest common denominator among your third party services that could cause a problem – if even one is non-compliant, the EU regulators will likely view your entire system as non-compliant.
What can a data subject ask me to do under GDPR that I must do?
As discussed briefly above, a data subject can make essentially two requests – an accounting of all uses of the data subject’s personal data, and that the data subject’s personal data be removed from the controller’s or processor’s systems. This is a very general answer, and these rights are not absolute, so it is beyond the scope of this FAQ to explain in detail what information a data subject must have access to and when they can ask that it be deleted.
What are some of the key elements and changes to the law under GDPR?
Some of the key elements or changes under the GDPR are:
- Obtaining consent. Explicit consent by a “clear affirmative act” will be required, as opposed to a soft opt-in. Formerly used methods such as pre-ticked boxes, silence, or inactivity will not constitute consent. Consent records must be maintained so they can be presented if you are challenged. Therefore, systems design changes may be necessary to provide evidence that a person consented to a specific use of their personal data.
- Extra-territorial scope. The rules, at least for now, state they apply to all persons or companies who handle personal data of EU residents, regardless of whether or not they reside in the EU.
- Increased penalties. Fines can be significant. Infringement of certain provisions can result in fines of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the provider’s preceding financial year, whichever is higher.
- Right to be forgotten. The right to be forgotten, previously a right arising from a court decision, is now codified in the GDPR. A data subject has the right to be forgotten, meaning that his/her personal data must be erased upon request, and no longer processed where the personal data is no longer necessary to the purposes for which it was collected. This again may require significant systems changes to be able to “scrub” the data from all locations, apparently including backup locations and other non-production storage. However, it should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
- Right to access. A data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller is required to provide a copy of the personal data, free of charge, in an electronic format.
- Data portability. A data subject has the right to receive the personal data concerning them, which they have previously provided in a “commonly used and machine readable format” and have the right to transmit that data to another controller.
- Privacy by design. The GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as limiting access to personal data to those who need it to carry out the processing. As a result, developers of applications, services or products that will process personal data should take the new regulations into account during the design and development process to ensure that the final product will protect the personal data of its users. Privacy has to be by design, not a bolt-on afterthought.
- Breach notification. Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
As a commitment to our customers, SparkPost fulfilled all GDPR compliance requirements before GDPR went into effect on May 25, 2018.
Is SparkPost GDPR compliant?
Yes. Wherever SparkPost processes or stores personal data of EU residents on behalf of its customers, it is compliant. In fact, SparkPost has undergone a comprehensive service review by an industry-leading privacy consulting firm to ensure it meets all GDPR requirements.
Has SparkPost certified under Privacy Shield?
Yes, SparkPost has self-certified under EU-US Privacy Shield. Our certification can be verified at https://www.privacyshield.gov/list by searching for SparkPost.
Does SparkPost retain the content of the email I send? Is this compliant with GDPR?
No, SparkPost does not retain the content of the emails you send, except in a short-term cache or, in cases of message delivery failure, for a defined period of time while it retries sending the email. As stated above, GDPR does not state a rule as to the length of time information may be retained, and hence this is compliant with GDPR.
Disclaimer: The above FAQ is meant as a general set of questions and answers and is not advice and cannot be relied upon for any legal purpose. You must consult your own professional advisors for your specific facts and circumstances before taking, or refraining from taking, any particular course of conduct. The above FAQ is not an amendment or supplement to any agreement between SparkPost and you.
- The GDPR, in its entirety: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
- Overview of the GDPR: http://www.eugdpr.org/
- The Information Commissioner’s Office (ICO) guide entitled Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- European Commission Fact Sheet: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
- Privacy Shield: https://www.privacyshield.gov