Data is gold, and with this new gold rush, European lawmakers have implemented the General Data Protection Regulation (GDPR) to advocate for more personal data protection.
Are you unsure of how to tackle GDPR compliance in your email practices? Fear not! Below, we’ll demystify this data privacy law and tell you more about what Mailgun is doing to help you stay compliant.
The GDPR is a 2018 European Union (EU) data privacy and security law that regulates the processing of personal data to give consumers more transparency and control over their personal data.
In a nutshell, the GDPR details a series of regulations that companies must follow when collecting and processing the personal data of individuals living in the EU, whether or not they are EU citizens. Under the GDPR, people have the right of access to request a copy of their collected personal data. The GDPR also seeks to hold businesses accountable for how they use consumer data.
Even if your business isn’t based in Europe, you have a legal obligation to be GDPR compliant if you interact with data from persons in the EU. For example, let’s say you’re an American company with email subscribers in Denmark. Since your company interacts with the personal data of an EU resident, you’re required to be GDPR compliant.
Non-compliance results in hefty fines. Penalties go up to either 20 million euros or 4% of your global annual revenue – whichever is higher. In addition, individuals whose data you’ve collected or processed have the right to seek compensation for damages.
With so much at stake, let’s dig into the GDPR requirements to make sure you get this right. Below, we’ll walk through a brief history of the GDPR, go over some key terms and definitions, discuss how you can meet GDPR compliance, and what Mailgun is doing to stay GDPR compliant as well.
Data breaches and misuse have spread like wildfire in the past decade. High-profile social media cases like the Cambridge Analytica scandal have raised large-scale public interest in cybersecurity and data privacy.
Though the 1995 EU Data Protection Directive laid the groundwork for data privacy, EU lawmakers continued to negotiate for uniform rules across all member states to safeguard personal data protection. The European Parliament successfully passed the GDPR in 2016, and as of May 25, 2018, the regulations have been actively enforced.
Since then, the GDPR has inspired similar data protection principles and information security regulations in many countries outside of the EU, including Argentina, Brazil, Chile, Japan, Mauritius, South Africa, South Korea, and Turkey. In addition, the United Kingdom’s Data Protection Act and the California Consumer Privacy Act (CCPA) share many similarities with the GDPR.
The GDPR and similar laws are becoming the new gold standard for consumer data protection.
Even though the GDPR has raised the bar for data security, it’s faced the following criticisms since its adoption:
We know that these setbacks make it even more confusing to be GDPR compliant across EU borders. That’s why we’ll start with some key terms and definitions to understand the GDPR below.
The GDPR is 88 pages long and filled with legalese. Let’s start by looking at some key concepts to understand GDPR compliance.
A natural person is any individual human being. In legal speak, “natural person” is used to distinguish from a “legal person,” which can be a private organization such as a company or public organization like the government. A legal person is not a human being. For instance, you, your subscribers, and your users are all natural persons. The GDPR seeks to protect the rights of natural persons.
The GDPR centers around the protection of personally identifiable information (PII). PII is any personal data that can be used to identify a natural person. In your business practices, you might interact with some types of PII, including names, email addresses, location information, IP addresses, biometric data, genetic data, political opinions, religious beliefs, and gender.
Data processing is any action that is performed on data. These actions include data collection, recording, organization, structuring, storing, erasure, or usage. The GDPR regulates data processing to ensure that companies provide more transparency about how they collect and use consumer PII.
The GDPR defines a data subject as a natural person whose PII is processed. If your subscribers and users provide you with their PII, such as names and email addresses, they are your data subjects.
A data controller is the decision-maker for why and how PII is processed; you’re considered a data controller if you interact with unique details about your users.
A data processor is a third party, like Mailgun, that conducts data processing activities on behalf of a data controller. Sometimes, data processors can’t process personal data independently and rely on sub-processors to do the heavy lifting. Sub-processors are bound by the same GDPR compliance principles as the main data processor. At Mailgun, we use sub-processors such as Amazon Web Services, Rackspace, Google Cloud Platform, and Softlayer. These entities provide the underlying infrastructure on which we host Mailgun and also must be GDPR compliant.
As you can see, the GDPR impacts your business practices since you collect and process data as part of your email campaigns. Let’s take a look at the data protection principles laid out in the GDPR so you can remain compliant.
The GDPR lays out seven data protection and data accountability principles that data controllers and data processors must follow to be GDPR compliant:
In addition to these data protection principles, the GDPR also lays out specific rights for data subjects.
As a data controller or data processor, it’s essential to be aware of the rights of data subjects from whom you collect personal data. The GDPR lists the following rights, which give data subjects more control over the personal data that they loan to service providers:
Keeping these rights in mind, we’ll go through some best practices to meet GDPR compliance as a data controller.
In GDPR jargon, anyone who collects PII is considered a data controller. Do you save unique details about your contacts like their location, home address, phone number, or email? If so, you’re a data controller.
As a data controller, you must follow the data protection principles above. You have two primary responsibilities: full disclosure and transparency.
You need to fully disclose that you’re collecting PII every time you ask your users or subscribers to provide their personal data. In addition, you must let your users know why you need the personal data that they provide. We know that data and analytics superpower your business, but if you can’t specify why you need a particular piece of personal data, it’s probably best not to ask for it.
In some cases, you can use pseudonymization techniques that make it harder to identify a person from their individual contact attributes. Pseudonymization masks identifying values in your database so that the data subject’s identity is hidden, focusing instead on values that are easy to find from other sources.
Keep in mind, pseudonymization isn’t sufficient on its own. However, you can pair it with other security measures, like end-to-end encryption. Even with these extra measures, there’s still the risk that someone can work backward from the PII to identify the data subject. As such, proper disclosure to your data subjects is necessary for GDPR compliance.
As a data controller, you also must maintain transparency. You need to make sure that data subjects knowingly consent to have their personal data collected and processed. You can use double opt-in measures to be sure that your users want to receive emails from you. After receiving this explicit consent, follow up with clear consent statements for each interaction with your user.
Lastly, make sure to provide data subjects with an obvious and readily available option to remove their consent for further data collection or processing. In other words, you must provide an unsubscribe option in your emails.
Confirming consent with existing users and properly securing their personal data might seem overwhelming, but what matters at the end of the day is keeping your users informed of what you’re doing with their personal data. It’s good to keep a clear paper trail to prove this for possible compliance audits.
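To make the double opt-in, unsubscribe and paper-trail advice concrete, here is an added example (written for this post, not Mailgun’s code or API) of a small consent ledger: sign-up creates a pending entry and a signed confirmation token, clicking the link records explicit consent only if the token is authentic, unexpired and unused, withdrawal appends an event rather than deleting history, and the full trail for one address is what you would hand to an auditor. The secret key, the event schema and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret for signing confirmation links; keep it out of the database.
CONFIRM_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60

# Append-only consent ledger (in production: an immutable, timestamped store).
consent_log = []
_used_nonces = set()


def _sign(payload: str) -> str:
    return hmac.new(CONFIRM_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_confirmation(email: str, purpose: str, source: str, now=None) -> str:
    """Step 1 (double opt-in): the user submits the form. Record a *pending* entry and
    return the signed token for the confirmation email. No campaign mail goes out yet."""
    email = email.strip().lower()
    if "|" in email or "|" in purpose:
        raise ValueError("separator character not allowed in email or purpose")
    now = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{purpose}|{now}|{nonce}"
    consent_log.append({"event": "pending", "email": email, "purpose": purpose,
                        "source": source, "ts": now})
    return f"{payload}|{_sign(payload)}"


def confirm(token: str, now=None) -> bool:
    """Step 2: the user clicks the link. Accept only an authentic, fresh, single-use
    token, then record explicit consent. Each rejection is worth logging as a signal."""
    now = int(now if now is not None else time.time())
    parts = token.split("|")
    if len(parts) != 5:
        return False
    email, purpose, issued, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{email}|{purpose}|{issued}|{nonce}")):
        return False  # forged or tampered link
    if not issued.isdigit() or now - int(issued) > TOKEN_TTL_SECONDS:
        return False  # stale link
    if nonce in _used_nonces:
        return False  # replayed link
    _used_nonces.add(nonce)
    consent_log.append({"event": "consented", "email": email, "purpose": purpose, "ts": now})
    return True


def withdraw(email: str, purpose: str, now=None) -> None:
    """Unsubscribe: consent is withdrawn by appending an event, never by erasing history."""
    now = int(now if now is not None else time.time())
    consent_log.append({"event": "withdrawn", "email": email.strip().lower(),
                        "purpose": purpose, "ts": now})


def has_consent(email: str, purpose: str) -> bool:
    """Current state is the latest consent/withdrawal event for this subject and purpose."""
    email = email.strip().lower()
    state = False
    for ev in consent_log:
        if ev["email"] == email and ev["purpose"] == purpose:
            if ev["event"] == "consented":
                state = True
            elif ev["event"] == "withdrawn":
                state = False
    return state


def audit_trail(email: str):
    """Everything recorded for one data subject: the paper trail for a compliance
    audit or a right-of-access request."""
    email = email.strip().lower()
    return [ev for ev in consent_log if ev["email"] == email]
```

Checking `has_consent(address, purpose)` before every send is the enforcement point; the ledger itself is the evidence that consent was freely given, for a stated purpose, and honoured when withdrawn.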
By following GDPR principles, you play your part as a data controller who safeguards your users’ personal data.
Now that you’ve got the tools to do your part as a data controller, let’s walk through the changes we’ve made at Mailgun to meet GDPR compliance as a data processor.
Data controllers aren’t the only ones expected to protect incoming data. Data processors, like Mailgun, are also required to have these data protection measures in place. We also must be prepared to explain what personal data is collected and how it’s being processed legally. In short, Mailgun will only process data based on explicit instructions, such as the API and SMTP requests we receive from our customers.
We’ve been hard at work preparing our platform with features to help our customers self-serve and review the personal data stored on our platform. This way, if Mailgun customers wish to have personal data removed or corrected, they can initiate the process directly with our team.
Check out the table below to see how long we store personal data:
In line with the GDPR, we process and retain customer data only for a finite period.
We know that running email campaigns inevitably involves personal data, but at Mailgun, we’re committed to giving you the best tools to be GDPR compliant. We take consumer data privacy seriously, and we’ve updated our data processing agreements to be GDPR compliant.
Complying with data protection principles and respecting the rights of data subjects might seem a daunting task, but we know you’ve got this. At Mailgun, we’re committed to user data protection, and now you also have the tools and best practices to be GDPR compliant.
Disclaimer: EU data protection laws, including the GDPR, are complex. This blog post shouldn’t be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your specific business case.