We are writing this article to let you know about the upcoming GDPR regulations, what we are doing at SocketLabs regarding our own compliance and ways that we may be able to help you with yours. As a trusted email delivery service, we hope to educate you on issues involving the use of our email marketing and email API services and hope you find this article useful. Before we begin however, we must warn you that we are not lawyers, and this article is not legal advice. We strongly suggest that you consult an attorney to learn how GDPR may affect your business.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a new privacy and cybersecurity law which takes effect on May 25th, 2018. As perhaps the world’s most comprehensive data protection law, the GDPR reinforces and improves the privacy rights of EEA residents (that is, residents of the EU, Iceland, Liechtenstein, and Norway). This is accomplished by imposing strict obligations on companies which process personal data of EEA data subjects (the individuals that personal data is about), and potentially imposing steep fines for noncompliance. Generally speaking, personal data is any data that alone, or in connection with other data, can identify a natural person.
How does this apply to my use of email marketing or email delivery services such as SocketLabs?
The GDPR does not only apply to email; however, there are important considerations when sending email. For example, if you are using our SMTP or HTTP Email API to send email through our delivery platform, you will need, among other things, to ensure that you have proper consent and include the appropriate options in your email, as applicable, for recipients to opt out or set preferences. Now would be a good time to review your address acquisition and unsubscribe practices. Continue reading for more information on the requirements of the GDPR.
I am not based in the EU. Why should I be concerned?
The GDPR has worldwide applicability. Even if you are based in the U.S., China, or anywhere else in the world, if you process the personal data of EEA residents, the GDPR likely applies to your company, too. This is particularly true if you target your marketing efforts to any part of the EU.
What are the key changes in the new law?
The GDPR introduces new requirements for companies that process (collect, transmit, change, erase, store, or use in any other way) personal data. Some of the most important requirements are:
- Records of Processing Activities: companies need to keep records of their data processing activities. This includes keeping evidence of the consent the data subject has given (if applicable – note that consent isn’t always required in every case), the purposes for which the personal data are processed/used, the categories of data being processed, information about any transfers of personal data to third countries, the technical and organizational measures implemented in order to keep the data safe, and other similar information;
- Rights of Data Subjects: data subjects need to be informed, using plain and clear language, about the way their personal data are being processed. Companies will also need to provide mechanisms for data subjects to easily, and without charge, update, delete, and access their personal data or object to processing;
- Appointment of an EU Representative and a Data Protection Officer: If you are based outside of the EU, and you process EU personal data, in most cases, you will need to appoint a representative in the EU to represent you in data protection matters. Depending on your circumstances, you may also need to appoint a neutral data protection officer, who will be responsible for cooperation with EU data protection authorities and data subjects. SocketLabs has appointed VeraSafe to serve as our Article 27 Representative in the EU;
- Investigations and Audits: EU supervisory authorities will be able to investigate your business in order to determine if you are processing the data in accordance with the GDPR;
- Fines: breach of these obligations may incur a fine of up to 4% of annual global turnover or €20 million (whichever is greater).
What is SocketLabs doing to prepare for the GDPR?
SocketLabs processes personal data on behalf of our customers (who are typically data controllers) when they use our email delivery API, SMTP server, email marketing, and other services, and therefore we are data processors under the GDPR. We’re actively working on bringing our policies and contracts up to the level of the GDPR. SocketLabs has engaged a team of privacy experts to ensure our compliance by May 25th, 2018.
SocketLabs is currently preparing a GDPR-level Data Processing Addendum to offer our customers who are affected by the new law. At the same time, we’re upgrading the contracts with our small pool of trusted vendors to ensure that everyone who processes our customers’ data is implementing and respecting their obligations under the GDPR.
Last but not least, to help our customers comply with the GDPR, we are identifying and developing additional, related product features that our customers might benefit from.
What is the Privacy Shield and how is it connected with the GDPR?
The GDPR and the Privacy Shield are conceptually related; however, they are not the same. While the GDPR aims to regulate the processing of EU personal data anywhere in the world, the Privacy Shield is concerned with one specific thing: the transfer of personal data from the EU (or, more specifically, from the European Economic Area and Switzerland) to the U.S.
Privacy Shield is a self-certification program authorized by the EU for the transfer of personal data from the EU to the U.S. Companies that wish to certify under the Privacy Shield must adhere to the Privacy Shield Principles, which extend European-style privacy rights to the processing of EU personal data in the United States. SocketLabs is in the process of self-certifying under the Privacy Shield, because we want to do our part to help make it easier for our customers to comply with complex EU data protection laws.
If you would like to learn more detailed information about the GDPR, this link may help.