GDPR is coming. What are we doing about it?
Since the General Data Protection Regulation (GDPR) made its way into trending topics, the coverage has been thought-provoking at best, and an apocalyptic nightmare at worse. Instead of pandering to doom and gloom, we want to share some useful information about what’s expected under GDPR for anyone that collects or processes personal data. And of course, we want to tell you more about what Mailgun is doing to help you prepare!
The short and ‘sweet’ on GDPR
If you’re not up to speed on GDPR, here’s an abridged version of what’s happened: European Union (EU) lawmakers have been negotiating for years to put in place - and enforce - uniform rules over personal data protection in all 28 countries that are members of the EU. Well, they’ve gone and bloody done it!
Truth is, we exchange data every day to receive benefits, goods, and services across borders. Even if you don’t operate in the EU, if your contacts reside there, you have to care about the way their personal data is treated. This means having clear, traceable processes in place to prove that you’re obtaining contact information in a legitimate way, and that it’s being handled carefully to prevent exposure. Oh yeah...and it has to be before the May 25, 2018 deadline!
What if you’re thinking you’d rather take your chances and see what happens, because it’s flipping expensive to overhaul your processes? Well, hate to tell you this: living dangerously puts you at risk of violating personal data protection law - and could drop a hefty fine on your lap to the tune of 20 million euros or 4% of your global, annual revenue (whichever is greater).
Don’t worry, there are specific measures you as the controller have to take that, if done properly, should keep you in the clear. Unfortunately, crawling under a rock and hiding isn’t one of them.
What GDPR Means for Controllers
In the GDPR jargon, anyone that collects personally identifiable information (PII) is considered a controller. Do you save unique details about your contacts like location, home address, phone number, email, etc.? If so, yeah, you’re considered a controller. What this means for you moving forward is that full disclosure is expected on why you’re asking for specific contact information. Your contacts must know exactly why they are providing their phone number, email, home address...whatever you are using to reach them. If it’s not required, don’t even ask for it.
For some use cases, you can implement pseudonymization techniques that help prevent identification just from looking at individual contact attributes. It basically masks values in your database to hide the identity of the contact, often focusing on those values that are easy to find from other sources. Is this sufficient on its own? No. When used with other security measures - like encryption - it can be powerful, but there’s still the risk of re-identification.
The second component of this controller responsibility, is to make sure the way in which you are collecting information supports this push for transparency. Using measures like double opt-in to be absolutely sure your contacts want to receive stuff from you and supporting this with clear consent statements for each interaction you want to have is a good place to start. And, if your contacts just aren’t feeling it anymore and want to unsubscribe from your communications, it has to be a readily available - and obvious - option in your emails.
Controllers are not the only ones expected to protect incoming data. Processors - like Mailgun - are also required to have these data protection measures in place. They also have to be prepared to explain what information is being held, and how it’s being processed legally. In short: Mailgun will only process data based on the instructions, such as API and SMTP requests we receive from our customers.
We’ve been hard at work preparing our platform with features to help our customers self-serve and review the personal data stored on our platform. This way, if Mailgun customers wish to have personal data removed or corrected, they can initiate the process with our team.
When there is a reason to process customer data with Mailgun through SMTP or API requests, it is done so within a finite period of time. You can check this out below and see when this data will be removed, based on the type of information being processed:
Sometimes, processors can’t process data on their own and look to sub-processors for help. With Mailgun, this refers to entities like Amazon Web Services, Rackspace, and Softlayer that provide the underlying infrastructure on which Mailgun is hosted. The obligation that Mailgun has with the controller to protect incoming data is shared with the sub-processor in this case.
To reflect GDPR compliance, we’ve also updated our data processing agreements. These changes, along with a short FAQ are available on our website.
Prioritizing into actionable pieces is the way to go if you’re trying to get your ducks in a row for GDPR compliance. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt: phone a friend (aka, a lawyer that specializes in data protection). You can tag team to make sure incoming data is being handled correctly and avoid issues down the road.
At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes.
Disclaimer: EU data protection laws, including the GDPR, are complex. This blog post should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your specific business case.