The European Union’s new General Data Protection Regulation (GDPR) is the world’s most significant piece of data protection legislation. The law goes into force on May 25, 2018, but it’s already having deep impact on companies around the world.

And if your business involves sending email, it’s probably an issue for you too. At a recent event, I was talking with some of our customers who were interested in hearing our perspective on how GDPR would affect them as email senders. Those conversations inspired me to write this post. (And after reading this, I also recommend you check out SparkPost’s detailed GDPR FAQ and resources page.)

What Is GDPR?

GDPR harmonizes the patchwork of existing data privacy laws in EU member states. Its primary goal is to protect the rights and freedoms of EU citizens and residents in relation to the processing of their personal data.

Because GDPR defines data privacy as a basic right, the law extends the scope of EU regulation to any organization—whether European or not—that processes personal data of EU citizens and residents. Every modern business now faces stringent obligations for better data management, as well as potential fines for breaches of this regulation—of up to the greater of €20 million or 4% of a firm’s global revenue.

What Does GDPR Require?

That’s a question too complex to answer fully here. But in brief, GDPR imposes privacy by design, data security, data access, data portability, data minimization, breach notification, and consent requirements on businesses who collect, process, or store EU residents’ personal data.

Just as significantly, GDPR defines a “right to be forgotten,” which means that any EU resident can request that their personal data be deleted and no longer processed by a company.

But I’m Not European!

If your product or service has users in the EU, or if your organization processes or holds the personal data of EU residents and citizens, irrespective of whether payment is involved, assume GDPR will affect you. (Although it’s not clear at this time how or if GDPR might be enforced in the US or elsewhere—that’s a discussion for you and your lawyer.)

Is Email Affected by GDPR?

GDPR is a complex issue that potentially will affect any organization providing an app, SaaS product, or other service that processes information about individual users. That almost certainly includes companies that send and process email.

The regulation defines “personal data” broadly and leaves much detail about what constitutes that personal data up to the interpretation of regulators and courts. However, it is certain to include a broad range of information including names, phone numbers, residential addresses, government ID numbers, financial and purchase histories, age, sex, genetic and biometric data, and much more.

Of particular interest to email senders, information such as customer names, email addresses, IP addresses, engagement-tracking data, and other similar data is likely to be included in the definition of personal data.

Start by Asking Questions

Again, GDPR is an extremely complex topic. But a good place to begin is with a review of your current data handling practices—not just email, but all the means by which data passes through your company’s networks—and ask questions like these:

  • What personal data do you hold?
  • Where does personal data come from?
  • Is that personal data secure?
  • Who can access the personal data?
  • Where is the personal data stored? (Consider all locations, such as the laptops of employees who may travel to the EU on business.)
  • How long is the personal data retained?
  • If you’re asked, can you confirm to someone if you’re processing their personal data, where it’s processed, and for what reason?
  • If someone wants to see their personal data held by you, can you provide it in a commonly used and machine-readable format?
  • How do you obtain consent to gather personal data?

You should also look at the personal data consent records that you have collected and consider these questions:

  • Are there records for each data subject’s consent, for each and every purpose for which you use their personal data?
  • Have you received clear affirmative consent for each data subject? The GDPR states that consent buried in a privacy policy, terms of service, or a soft opt-in method are inadequate. You will want to revise notices such as these to comply with the new law.
  • Can you present your consent records if challenged?

Working with Service Providers

How you work with third-party service providers is also affected by GDPR. So be sure to ask them about their GDPR readiness.

  • Who are those providers and have they started the process of GDPR compliance?
  • What’s the flow and lifecycle of personal data you send to them?
  • What security and technical measures are in place to protect that personal data when it’s transmitted between the two companies?
  • Do your contracts with those providers need to be revised to ensure GDPR compliance?
  • Have they appointed a Data Protection Officer?

SparkPost and GDPR

As a business and a service provider, SparkPost takes GDPR very seriously. We’ve been working since January 2017 to ensure the SparkPost service is ready for GDPR’s requirements and allows our customers to easily comply.

The SparkPost email delivery service will be GDPR-compliant before the law’s effective date of May 25, 2018. And in regards to personal data transfer between the EU and US, we’re already certified under the joint EU-US Privacy Shield framework.

Privacy Shield

Provided you have the necessary lawful consent, the actual sending of the email is not really impacted by GDPR. However, GDPR does affect whether you are able to collect, store and handle various engagement tracking (including the information SparkPost calls Message Event data), to the extent it directly or indirectly identifies an EU resident. For example, metadata you choose to pass through, such as a unique identifier or segment identifier, would appear in the returned message event data and thus could be considered personal data subject to GDPR’s requirements, including the consent to process that personal data.

If you receive a data subject access request from a customer or user, you must respond within one month. In compiling the customer’s personal data, you can query the SparkPost Message Event data via the web UI or the API and search for them by their email address. That will allow you to see any Message Event data retained by SparkPost for that customer. If for some reason you can’t comply with the data request, SparkPost will assist you, but keep in mind we only retain Message Event data for 10 days. Since there is no specific data retention requirement under the GDPR (and in fact the regulation encourages data minimization), our policy is in compliance with the law.

Note that SparkPost does not retain the content of the emails you send, except for in a short-term cache or while it retries delivery in case of failed delivery attempts. You’re not required to retain the emails you send, but if you have a duty to do so because of another legal obligation, GDPR allows you to do so.

By the way, unlike some other email delivery providers, SparkPost offers our customers who require maximum confidence in GDPR compliance the option of operating in EU-based data centers.

GDPR: Ask Us Anything!

Want to learn more? SparkPost’s detailed GDPR FAQ and resources page is a great next step. And don’t hesitate to get in touch if you’d like to discuss how your business can ensure that your email is ready for GDPR.