Here's what we're doing to help you comply:
- Introduction to GDPR
- Sendible’s Commitment
- How is Sendible preparing for GDPR?
- What does this mean for our customers?
- What are we doing to be GDPR-ready?
- FAQ - Frequently asked questions
Introduction to GDPR
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect that data.
At Sendible, our entire organization is hard at work ensuring that our own practices are GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own. In full transparency, while the existing product can be used in a way that helps to comply with the GDPR, in some cases it can be difficult and may involve complex workarounds. Between now and May 25th (and beyond), we are fully committed to enhancing the Sendible platform to enable easier compliance with the GDPR. We’ve created this page to serve as your one-stop shop for GDPR-related product updates between now and May 25th.
How is Sendible preparing for GDPR?
As both a data controller and a data processor, Sendible understands its obligation to help customers get ready for this new regulation. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Some of our ongoing initiatives are:
- Identifying personal data - We have already taken steps to understand and document what constitutes personal data within our systems. For customers, this data is limited to contact information and private social media messages. However, we will continue to map out, define and document our customer data flows leading up to 25 May to ensure that nothing is missed.
- Providing visibility and transparency - The most important aspect of GDPR is how the collected data is used. As both a data controller and processor, Sendible's key role is to provide our customers (the data controllers) with the access they need to effectively manage and protect their own data as well as the data of their users and clients. Sendible is exploring ways to make optimal product enhancements without compromising on performance so that we can provide better transparency to our customers.
- Enhancing data integrity and security - Data privacy and data security are two sides of the same coin. While we already secure the transfer of our customers’ data over SSL and encrypt sensitive data on our servers, we're investigating strategies for implementing IT policies and procedures that provide tighter end-to-end security.
- Portability and transferability of data - GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. With this new right in mind, Sendible is working on further enhancing its data exporting capabilities to enable export functionality down to the individual level. We are also investigating ways that users can more easily import their data from other controllers while recording consent.
What does this mean for our customers?
We understand that meeting the GDPR requirements will take a significant amount of time and effort. As your partner, we want to help you make the process as seamless as possible so that you don't have to worry about compliance and can stay focused on running your business. Some of our upcoming product enhancements will make it easier for you to:
- Improve access controls
- Encrypt, anonymize or delete personally identifiable user data
- Perform data audits or assessments using data processing logs
- Improve systems to assist with automated detection of data breaches
- Create provisions for data subjects' rights
- Enhance security for user data
What are we doing to be GDPR-ready?
- Reviewing current security and privacy processes, revising our contracts with third parties and customers to meet the requirements of the GDPR.
- Identifying the Personally Identifiable Information (PII)/Personal data that is being collected.
- Analyzing how this information is being processed, stored, retained and deleted.
- Assessing the third parties with whom we disclose data.
- Establishing procedures to respond to data subjects when they exercise their rights.
- Establishing and conducting Privacy Impact Assessment (PIA).
- Creating processes for data breach notification activities.
- Implementing Data Protection Policies for continuous employee awareness to ensure continual compliance with the GDPR.
- What information we collect about you
- How we use the information we collect
- How we share information we collect
- How we store and secure the information we collect
- How to access and control your information
- How we transfer information we collect internationally
- How we integrate our products: We're always improving our products to give you a frictionless and customized experience. The updates to our policy will describe the tools we’ve built to make our products smarter.
- More control over your information: We intend to make it easier for you to control the information you provide to us. Our policy will explain how you can make choices about your information, and the measures we’ve put in place to keep your information secure.
- Using our products for clients: Many users have access to our services through an agency, who controls their accounts or use of our services. The updated policy will clarify our relationship to these users and explain the tools available to administrators of these users.
FAQ - Frequently asked questions
What is GDPR?
The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has recognized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the existing Data Protection Directive to suit the changing times. This law creates a comprehensive set of regulations that govern the processing of EU residents' personal data.
Does the GDPR apply to me?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers. This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.
Who are the key stakeholders?
- Data subject - A natural person residing in the EU who is the subject of the data
- Data controller - Determines the purpose and means of processing the data
- Data processor - Processes data on the instructions of the controller
- Supervisory authorities - Public authorities who monitor the application of the regulation
What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
What are the key changes from the previous regulations?
- New and enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
- Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
- Right to access: At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
- Right to be forgotten: The data subject can request the controller to remove their personal information from the controller's systems.
- Data portability: The controller must be able to provide data subjects with a copy of their personal data in machine-readable format. If possible, they must be able to transfer the data to another controller.
- Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
- Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
- Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Where is my data located?
The data of Sendible.com customers will reside in AWS’s US data centers.
What Personally Identifiable Information do you store?
The personal information we store is limited to names, email addresses, usage data and IP addresses. We also store private social media messages from accounts you’ve authorized within our platform. We do not store any financial information.
Will Sendible comply with the right to erasure (right to be forgotten)?
Yes. When one of your contacts (i.e. data subjects) asks you to delete them from your records, you'll have the ability to do so quickly and easily. By May 25th, you'll be able to execute a GDPR-compliant delete, which will remove every trace of the contact from your system, permanently. Similarly, if you manage social media for clients using Sendible, when you delete a client record from your Sendible account, by May 25th, you’ll be executing a GDPR-compliant delete.
I have contacts and users in my Sendible account that I don't have specific opt-in records for. Do I need to delete them by May 25th?
Ultimately, that decision is up to you and your legal team. One point to consider is that just because you don't have the record of opt-in doesn't mean you don't have a lawful basis to process a contact record. Lawful basis comes in multiple forms:
- Necessary for the performance of a contract. Example: if Bob buys products from you, you can send him emails related to onboarding and billing.
- Legitimate interest. In the above example, you could email Bob about related products or services.
- Consent (with notice). Freely given, affirmative, opt-in consent accompanied with a transparent explanation of your purpose for acquiring/using the data.
If you’ve lost track of the opt-in status of your contacts or never confirmed opt-in, you can request opt-in permission by sending a new email campaign from Sendible and directing your opt-in link to a lead capture form on your website. Those contacts who opt in via your capture form will then be added to a new mailing list. You can then contact us via firstname.lastname@example.org to remove all other contacts for you and keep the opt-in list.
Will double-opt-in be mandatory?
For the avoidance of ambiguity, "double-opt-in" is a two-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double-opt-in (though certain countries may make it mandatory).