GDPR Guide

We are sure that you've heard a lot about the new law that will soon be in force: the General Data Protection Regulation (GDPR). If your business is based in the European Union, or you have customers or contacts there, this article will help you manage everything related to this new law.

The General Data Protection Regulation (GDPR) is going into effect on May 25, 2018. This new EU law will set a new standard for privacy compliance and rights. CrowdMail is continuing our efforts to ensure our business processes are compliant, and this article is designed to educate our customers both on what we are doing as the Data Processor as well as what our customers should be doing as the Data Controllers. This article’s purpose is to be an informational guide and should not be considered legal advice. Whether or not the GDPR affects you, and how, is something you should seek counsel for.

What is the GDPR?

The General Data Protection Regulation (GDPR) replaces its predecessor, the Data Protection Directive 95/46/EC. It was designed to harmonize and modernize data privacy laws in the union and to protect all EU citizens' data privacy. The law was adopted in 2016 and comes into effect May 25, 2018.

Key Changes

  • Increased Territorial Scope - applies to businesses worldwide,
  • Penalties/Fines - the greater of up to 4% of annual global turnover or 20 million Euros,
  • Strengthened Consent - the purpose of data processing is attached to the consent,
  • Data Subject Rights:
    a) Breach Notification - 72 hours from becoming aware,
    b) Right to Access - what data is being used and for what,
    c) Right to be Forgotten - the data subject has more control over what data can be kept,
    d) Data Portability - access to the data subject's data and the ability to move it,
    e) Privacy by Design - systems are designed with privacy up front,
    f) Data Protection Officers - an assigned person to oversee privacy compliance.

Personal Data

The GDPR defines personal data as any information related to a natural person (Data Subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. For CrowdMail customers, it is very likely that most of the information you are collecting about your contacts would be deemed personal data under the GDPR legislation. Obviously, your contacts' email addresses, names, physical addresses, phone numbers, etc. are directly identifying, but indirect information such as behavioral information, consented IP addresses and geolocation coordinates must also be considered. Sensitive data such as health or racial information generally requires even further protection and should never be used with CrowdMail. CrowdMail supports unlimited Custom Fields, so be sure to review the information you are acquiring and storing about your contacts and ensure you are being compliant.

Under the GDPR you are processing personal data if you are collecting any personal data of EU citizens. For example, if you email an EU citizen or upload a list of contacts that contains personal data of an EU citizen, you fall into this category. Note that even if you are not dealing with any EU personal data, the GDPR is setting the standard for global privacy laws, so getting on board now could help you in the future.

PIPEDA vs GDPR

The GDPR addresses the transfer of personal data from EU member states to third-party countries such as Canada and the United States. The European Commission has the power to determine whether a country outside of the EU offers an adequate level of data protection, and Canada is one of the recognized countries that does offer an adequate level.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requirements are quite similar to the GDPR and we already have a number of well-defined data management policies in place. We are working with our legal team to fill any gaps identified in order to be fully GDPR compliant by May 25, 2018. Note that the United States requires certification to help bridge this gap and uses the Privacy Shield framework and self-certification for this.

CrowdMail’s data centers are mostly hosted in the EU, and it is possible to ensure that ALL of your data remains physically in the EU. If you are using our free shared pools or have a private IP that is located outside of the EU then your email data would be transferred outside of the EU for up to 48 hours for attempted delivery. We are contacting our EU customers to inform them of this and offering private IP solutions to ensure all personal data remains in the EU if desired.

Do I need to comply?

If you are an organization in the EU, or if you are processing EU citizens' personal data, then you will most likely be affected by the GDPR. Please obtain legal advice for your personal or business situation regarding the scope of your GDPR compliance obligations.

Controller vs Processor

The GDPR hasn't changed the basic definitions of controller and processor; however, it has increased the responsibilities of both.

A controller is an organization or party that determines the purpose and means of processing personal data.

A processor is an organization or party that processes the data on behalf of the controller. Controllers take primary responsibility for data privacy, including reporting data breaches to DPAs (Data Protection Authorities). The GDPR, however, places some direct responsibilities on the processor, so it is important to know what role you are taking with regards to processing personal data. With regards to the CrowdMail services, in general, our customers would be considered the controller and CrowdMail would be considered the processor. CrowdMail is processing the personal data that you have determined to obtain, transfer or store through our services. Know the responsibilities of the controller under the GDPR.

When will CrowdMail be GDPR compliant?

CrowdMail prides itself on world-class security and privacy principles. We have worked hard in past years to be CASL and PIPEDA compliant, which gives us a solid foundation to be fully ready for the GDPR by May 25, 2018.

Most of the work we have been doing for GDPR compliance is internal and does not directly impact our customers. We have been consulting with our legal team and reviewing/amending our processes where needed. We believe this is an excellent step for global privacy and fully endorse the GDPR initiative.

Data Subject Rights with CrowdMail

Right to Access/Rectification: As always, you can access and update your CrowdMail account and profile information at any time via our dashboard or through our API. Please review our Privacy Policy for more information on what information you provide us and how we use it.

Right to be Forgotten: At any time you can cancel your CrowdMail account as referenced in our Terms of Service.

Data Portability: As always, you can export your CrowdMail data such as contacts, email logs, campaign statistics, link tracking statistics and survey information from our dashboard or through our API.

Privacy by Design: As CrowdMail iterates and improves, we are continuing to keep personal data in mind as part of our development processes.

Expansion of your Contact’s Rights

Your contacts have the same rights as you do under the GDPR. Detailed information about how each of these rights is addressed within CrowdMail can be found below:

Right to Access/Rectification: Our Privacy Policy details what data we collect and how we use it. Your contacts may contact you or us directly to request the information we hold about them. You always have access to your contacts' detailed information, which can be updated or corrected upon request from your contacts. Contacts can also contact CrowdMail directly to request that their information be updated or corrected.

Right to Object: The Delivery Optimization Engine privacy setting can be opted out of from your profile via our dashboard or our API.

Right to be Forgotten: You have control to delete any of your contacts at any time via our dashboard or our API, at your discretion or at the request of the contact. Contacts can contact CrowdMail directly to report spam or to request to be deleted from your specific account or from all CrowdMail accounts altogether. If we are contacted directly about this, we always correspond with you about the request and the action we have taken.

Data Portability: Our general export functionality can export an individual contact's information in exactly the same manner as exporting all of the information. You can do this from our dashboard or through our API.

Privacy by Design: As CrowdMail iterates and improves, we are continuing to keep your contacts' personal data in mind as part of our development processes.

Contacts Consent

Since CrowdMail is compliant with CASL, the GDPR changes around consent should not impact you. CrowdMail's double opt-in web forms can continue to be used to onboard your customers and remain GDPR compliant. When designing your forms, be sure to use specific and clear language about how the collected information will be used.

In order to obtain an API Key to send an email via our HTTP or SMTP API, you must agree that you legally have consent to email your recipients.

If you manually upload your lists to CrowdMail via our dashboard, you must also agree that you legally have consent to email your contacts.

If you upload your contacts via our API, you have the option to provide the consented date and IP address for your individual contacts or list as a whole. CrowdMail provides all the tools to track consent of your contacts but the onus is on you, the controller, to ensure you are doing this legally and ensuring GDPR compliance.

Your contacts can easily change their contact preferences by unsubscribing from your emails, which helps you with GDPR compliance. Please see the detailed information on unsubscribing in this guide. The merge tag {contactprofile} or {contactprofile:publicformid} creates a clickable link that can easily be included in your emails so your contacts can update the information you are storing about them in CrowdMail.

It is your responsibility to keep accurate records of your contacts' consent for storing personal data, permission to send them email, and any other data processing actions. CrowdMail helps you with this obligation by making consent tracking features available for each of your contacts, as discussed above. Specifically, for open and link tracking consent, CrowdMail provides fully configurable options to adhere to your contacts' preferences. Please see our resource information on tracking opens and clicks. As always, we recommend you obtain legal advice on the matter of consent, your specific business practices, and how they would be viewed under the GDPR. If you are using any third party software (integrations/plugins/SMTP sending software, etc.) that transfers contact information to CrowdMail, be sure you are adequately disclosing data processing activities through these channels as well.

Ensure your privacy policies make clear that you are transferring your customers' personal data to CrowdMail for processing. Specifically, it would be good to name CrowdMail as one of your data processors and describe how you use or intend to use our services for your customers.

Conclusion

The compliance deadline for the GDPR is May 25, 2018.

This guide was created to help you understand your compliance requirements and how these requirements relate to using CrowdMail. If you have any questions about the GDPR, please email us at privacy@crowdmail.com or reach us via our contact form.

Contact us

If you have questions or concerns about this Privacy Policy, you can contact us at info@crowdmail.com.

Last Modified: February 07, 2016
