GDPR Notice: What to Know and How Sailthru Can Help
May 3, 2018 - by Eric Roerhig
The General Data Protection Regulation (GDPR) comes into effect in less than a month (May 25th, 2018). Sailthru has been working to put in place tools and processes to help our customers comply with the requirements under the GDPR.
*Since Sailthru cannot provide you legal advice, we highly suggest you work with your own legal counsel for guidance on how to comply.
If you would like more information and you’re a Sailthru client, please reach out to your Customer Success Manager to set up a time to discuss with our team.
Here are some questions you may want to consider:
- Does the GDPR apply to you?
- What personal data do you process?
- Are you transferring personal data from the European Union (EU)?
- What is the legal basis for processing personal data?
- How will you handle data subject access requests?
1. Does the GDPR apply to you?
The GDPR applies to processing carried out by organizations operating within the EU. However, it also applies to organizations outside the EU that “offer goods or services” to individuals in the EU.
2. What personal data do you process?
“Personal data” is broadly defined under the GDPR as “any information relating to an identified or identifiable natural person.” An email address, for example, is clearly personal data under the GDPR. Performing a data mapping exercise is a good way to understand what personal data you are processing.
3. Are you transferring personal data from the EU in accordance with the GDPR?
Chapter V lays out how data controllers may transfer data to countries outside the EEA. One mechanism for doing so lawfully is a transfer based on an adequacy decision, such as the EU-U.S. Privacy Shield Framework. Another is ensuring there are appropriate safeguards, including the standard data protection clauses adopted by the European Commission.
How can Sailthru help: Sailthru has certified that it adheres to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, and when applicable, Sailthru will enter into a data protection addendum with its customers that incorporates the standard data protection clauses. Please contact your CSM if you want a data protection addendum.
4. What is the legal basis for processing personal data?
Under the GDPR, lawful bases include:
- The consent of the data subject
- Processing necessary for the performance of a contract
- Legitimate interests pursued by the controller or a third party
Keep in mind that if your legal basis for processing data is consent, the GDPR sets a high standard for consent. Consent must be a “freely given, specific, informed and unambiguous indication of a data subject’s wishes” that the data subject provides “by a statement or by a clear affirmative action”. Therefore, pre-checked boxes or consent language buried in a separate terms and conditions document will not constitute consent under the GDPR.
Legitimate interests, another legal basis for processing personal data, include per Recital 47 of the GDPR the processing of personal data for direct marketing purposes. Note that the legitimate interests of the controller may be overridden by “the interests or fundamental rights and freedoms of the data subject.”
How can Sailthru help:
- Double opt in emails: users are required to confirm their email address before being added to an email list and receiving email communications from you.
- Confirmed opt in: some controllers are choosing to have users re-opt in, in order to obtain fresh consent that fully complies with the new requirements.
To get started with double opt in emails or confirmed opt in emails, please reach out to Support for guidance.
5. How will you handle data subject access requests?
The GDPR expands existing data subject rights and introduces new ones, including the right to erasure in certain circumstances.
How can Sailthru help: We will work with our customers to assist with data subject requests. These requests can be submitted via a custom-designed form in Sailthru’s support portal, Zendesk.
For any further assistance preparing for the GDPR, please reach out to your Customer Success representative. If you’re not yet a Sailthru customer but are looking to switch to a provider with an in-house, world-class deliverability team, get in touch.