Email

General Data Protection Regulation (GDPR): Why should you care?

GDPR compliance and data privacy: everything you need to know to comply with the EU data laws.

Data is gold, and with this new gold rush, European lawmakers have implemented the General Data Protection Regulation (GDPR) to advocate for more personal data protection. 

Are you unsure of how to tackle GDPR compliance in your email practices? Fear not! Below, we’ll demystify this data privacy law and tell you more about what Mailgun is doing to help you stay compliant.

What’s GDPR compliance?

The GDPR is a 2018 European Union (EU) data privacy and security law that regulates the processing of personal data to give consumers more transparency and control over their personal data.

In a nutshell, the GDPR details a series of regulations that companies must follow when collecting and processing the personal data of individuals living in the EU, whether or not they are EU citizens. Under the GDPR, people have the right of access to request a copy of their collected personal data. The GDPR also seeks to hold businesses accountable for how they use consumer data. 

Even if your business isn’t based in Europe, you have a legal obligation to be GDPR compliant if you interact with data from persons in the EU. For example, let’s say you’re an American company with email subscribers in Denmark. Since your company interacts with the personal data of an EU resident, you’re required to be GDPR compliant. 

Non-compliance results in hefty fines. Penalties go up to either 20 million euros or 4% of your global annual revenue – whichever is higher. In addition, individuals whose data you’ve collected or processed have the right to seek compensation for damages.

With so much at stake, let’s dig into the GDPR requirements to make sure you get this right. Below, we’ll walk through a brief history of the GDPR, go over some key terms and definitions, discuss how you can meet GDPR compliance, and what Mailgun is doing to stay GDPR compliant as well. 

What’s the history of the GDPR?

Data breaches and misuse have spread like wildfire in the past decade. High-profile social media cases like the Cambridge Analytica scandal have raised large-scale public interest in cybersecurity and data privacy.

Though the 1995 EU Data Protection Directive laid the groundwork for data privacy, EU lawmakers continued to negotiate for uniform rules across all member states to safeguard personal data protection. The European Parliament successfully passed the GDPR in 2016, and as of May 25, 2018, the regulations have been actively enforced.

Since then, the GDPR has inspired similar data protection principles and information security regulations in many countries outside of the EU, including Argentina, Brazil, Chile, Japan, Mauritius, South Africa, South Korea, and Turkey. In addition, the United Kingdom’s Data Protection Act and the California Consumer Privacy Act (CCPA) share many similarities with the GDPR.

The GDPR and similar laws are becoming the new gold standard for consumer data protection.

What are some criticisms of the GDPR?

Even though the GDPR has raised the bar for data security, it’s faced the following criticisms since its adoption:

  • The GDPR is vague and difficult to interpret.

  • The GDPR isn’t  uniformly enforced. As a regulation, the interpretation and enforcement of the GDPR are left to EU member states.

  • Older data protection regulations in EU member states produce contradictory standards which are difficult for international businesses to follow.

  • The GDPR lacks guidance and uncertainty for international data flows.

We know that these setbacks make it even more confusing to be GDPR compliant across EU borders. That’s why we’ll start with some key terms and definitions to understand the GDPR below.

What are some key concepts in the GDPR?

The GDPR is 88 pages long and filled with legalese. Let’s start by looking at some key concepts to understand GDPR compliance.

What is a natural person?

A natural person is any individual human being. In legal speak, “natural person” is used to distinguish from a “legal person,” which can be a private organization such as a company or public organization like the government. A legal person is not a human being. For instance, you, your subscribers, and your users are all natural persons. The GDPR seeks to protect the rights of natural persons.

What is personally identifiable information (PII)?

The GDPR centers around the protection of personally identifiable information (PII). PII is any personal data that can be used to identify a natural person. In your business practices, you might interact with some types of PII, including names, email addresses, location information, IP addresses, biometric data, genetic data, political opinions, religious beliefs, and gender.

What is data processing?

Data processing is any action that is performed on data. These actions include data collection, recording, organization, structuring, storing, erasure, or usage. The GDPR regulates data processing to ensure that companies provide more transparency about how they collect and use consumer PII.

What is a data subject?

The GDPR defines a data subject as a natural person whose PII is processed. If your subscribers and users provide you with their PII, such as names and email addresses, they are your data subjects.

What is a data controller?

A data controller is the decision-maker for why and how PII is processed; you’re considered a data controller if you interact with unique details about your users.

What is a data processor?

A data processor is a third party, like Mailgun, that conducts data processing activities on behalf of a data controller. Sometimes, data processors can’t process personal data independently and rely on sub-processors to do the heavy lifting. The same GDPR compliance principles bind sub-processors as the main data processor. At Mailgun, we use sub-processors such as Amazon Web Services, Rackspace, Google Cloud Platform, and Softlayer. These entities provide the underlying infrastructure on which we host Mailgun and also must be GDPR compliant.

As you can see, the GDPR impacts your business practices since you collect and process data as part of your email campaigns. Let’s take a look at the data protection principles laid out in the GDPR so you can remain compliant.

What are the data protection principles in the GDPR?

The GDPR lays out seven data protection and data accountability principles that data controllers and data processors must follow to be GDPR compliant:

  1. Lawfulness, fairness, and transparency: You must process data in a lawful, fair, and transparent way to the data subject.

  2. Purpose limitation: You must process data for legitimate interests for conducting your business. When you collect their PII, you must explicitly specify these purposes to the data subject.

  3. Data minimization: You should minimize the amount of data you collect and process for your legitimate interests.

  4. Accuracy: You must keep PII accurate and up to date.

  5. Storage limitation: You may only store PII as long as it is necessary for the specified purpose.

  6. Integrity and confidentiality: You must securely process PII to ensure its integrity and confidentiality. For instance, you can use end-to-end encryption.

  7. Accountability: Data controllers and data processors are responsible for demonstrating GDPR compliance with all of these principles.

In addition to these data protection principles, the GDPR also lays out specific rights for data subjects.

What rights do data subjects have under the GDPR?

As a data controller or data processor, it’s essential to be aware of the rights of data subjects from whom you collect personal data. The GDPR lists the following rights, which give data subjects more control over the personal data that they loan to service providers:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights concerning automated decision-making and profiling

Keeping these rights in mind, we’ll go through some best practices to meet GDPR compliance as a data controller.

What does the GDPR mean for data controllers?

In the GDPR jargon, anyone that collects PII is considered a data controller. Do you save unique details about your contacts like their location, home address, phone number, or email? If so, you’re a data controller.

As a data controller, you must follow the data protection principles above. You have two primary responsibilities: full disclosure and transparency.

What are some best practices to provide full disclosure?

You need to fully disclose that you’re collecting PII every time you ask your users or subscribers to provide their personal data. In addition, you must let your users know why you need the personal data that they provide. We know that data and analytics superpower your business, but if you can’t specify why you need a particular piece of personal data, it’s probably best not to ask for it.

In some cases, you can use pseudonymization techniques that make it harder to identify a person from their individual contact attributes. Pseudonymization masks values in your database to hide the data subject's identity, focusing instead on values that are easy to find from other sources. 

Keep in mind, pseudonymization isn’t sufficient on its own. However, you can pair it with other security measures, like end-to-end encryption. Even with these extra measures, there’s still the risk that someone can work backward from the PII to identify the data subject. As such, proper disclosure to your data subjects is necessary for GDPR compliance.

What are some best practices to maintain transparency?

As a data controller, you also must maintain transparency. You need to make sure that data subjects knowingly consent to have their personal data collected and processed. You can use double opt-in measures to be sure that your users want to receive emails from you. After receiving this explicit consent, follow up with clear consent statements for each interaction with your user.

Lastly, make sure to provide data subjects with an obvious and readily available option to remove their consent for further data collection or processing. In other words, you must provide an unsubscribe option in your emails.

Confirming consent with existing users and properly securing their personal data might seem overwhelming, but what matters at the end of the day is keeping your users informed of what you’re doing with their personal data. It’s good to keep a clear paper trail to prove this for possible compliance audits.

By following GDPR principles, you play your part as a data controller who safeguards your users’ personal data. 

Now that you’ve got the tools to do your part as a data controller, let’s walk through the changes we’ve made at Mailgun to meet GDPR compliance as a data processor.

What does the GDPR mean for data processors like Mailgun?

Data controllers aren’t the only ones expected to protect incoming data. Data processors, like Mailgun, are also required to have these data protection measures in place. We also must be prepared to explain what personal data is collected and how it’s being processed legally. In short, Mailgun will only process data based on explicit instructions, such as the API and SMTP requests we receive from our customers.

We’ve been hard at work preparing our platform with features to help our customers self-serve and review the personal data stored on our platform. This way, if Mailgun customers wish to have personal data removed or corrected, they can initiate the process directly with our team.

Check out the table below to see how long we store personal data:

Following the GDPR, we process customer data within a finite time period.

We know that running email campaigns inevitably involves personal data, but at Mailgun, we’re committed to giving you the best tools to be GDPR compliant. We take consumer data privacy seriously, and we’ve updated our data processing agreements to be GDPR compliant.

Next Steps

Complying with data protection principles and respecting the rights of data subjects might seem a daunting task, but we know you’ve got this. At Mailgun, we’re committed to user data protection, and now you also have the tools and best practices to be GDPR compliant.

Learn more about how we’re meeting GDPR compliance.

Disclaimer: EU data protection laws, including the GDPR, are complex. This blog post shouldn’t be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your specific business case.

Related readings

Privacy matters at Mailgun: Your data is safe with us

On July 16, 2020, the European Commission Court of Justice (CJEU) invalidated the adequacy of the EU-US Data Privacy Shield’s protection. Here's all you need to know about the invalidation and how it affects your email sending.

Read more

Explicit consent and the GDPR

Consent is one lawful basis for data processing in the GDPR, but what is changing? Well, it's now explicit and dynamic because it can change at any time.

Read more

HIPAA compliance and email: What you need to know

HIPAA compliance isn’t easy. It involves understanding the law and knowing how it applies to you. To avoid potential data breaches that could result in costly fines, here’s how to safely email patient health information.

Read more

Popular posts

Mailgun iconSee what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
Milgun-Icon