Ensuring Your Email Service Provider is GDPR Compliant

The General Data Protection Regulation (GDPR) has profoundly impacted how businesses handle personal data. If your organization processes the data of EU residents, ensuring GDPR compliance is not merely a recommendation—it’s a legal obligation. A critical area often overlooked is the compliance of your email service provider (ESP). Non-compliance, both for your business and your partners, carries significant risks, including substantial fines.

The Imperative of a GDPR Compliant Email Service Provider

The GDPR, which became enforceable on May 25th, 2018, necessitates comprehensive changes across various aspects of your operations, from updating privacy policies and staff training to implementing stricter security measures. When it comes to third-party providers, especially ESPs, the new GDPR rules demand close attention.

Many companies rely on a myriad of third-party providers, including cloud hosting solutions, CRM systems, marketing automation platforms, chat messaging services, and, of course, email service providers. Under GDPR, your compliance hinges significantly on the compliance of these external partners. If your ESP is not GDPR compliant, both your organization and the provider face considerable legal and financial penalties.

The penalties for non-compliance are severe: fines can reach up to €20 million or 4% of annual global turnover, whichever amount is greater. Beyond financial repercussions, organizations also risk significant legal challenges and reputational damage. There have already been numerous cases of GDPR fines demonstrating the regulation’s enforcement.

But how do you thoroughly vet your ESP and other third-party providers? It begins with a deeper understanding of GDPR itself.

Understanding GDPR: A Quick Refresher

For those unfamiliar, GDPR is a robust regulation implemented by the European Parliament, the Council of the European Union, and the European Commission. Its primary goal is to strengthen and unify data protection for all EU residents. This legal framework replaced the former EU Data Protection Directive, introducing new obligations and expanded rights for data subjects. GDPR applies to individuals and entities of all sizes that process the personal data of EU residents, regardless of their geographical location.

A survey revealed concerning readiness levels among organizations: while 91% of startups collect personal data, less than a third (29%) encrypt it. Furthermore, only 47% of participants reported consistently asking for customer consent before contact, and just 50% made it easy for customers to withdraw consent. These statistics underscore the critical need for businesses to carefully choose their partners.

Vetting Your Email Service Provider for GDPR Compliance

Assessing your email service provider or marketing automation provider for GDPR compliance is a multi-step process. Here’s a breakdown of how to audit any third-party provider, tailored for clarity and action.


Step 1: Conduct a Comprehensive 3rd Party Provider Audit

Make a complete list of all external service providers and applications used across every department of your business. This includes CRM systems, cloud hosting, email providers, and automation tools.

Step 2: Develop a Detailed 3rd Party Provider Inventory List

For each provider on your audit list, create a master inventory. Identify:

  1. What type of data is concerned
  2. What data protection measures are currently in place
  3. Who is responsible for this provider within your company and what their access rights are

Step 3: Map Out Your Data Flow

Using the information from your inventory list, assess:

  1. Which specific data is being shared with external providers
  2. How that data is being processed and/or stored by these external providers

This mapping provides invaluable insights, allowing you to formulate more precise questions in the next step and enhance transparency with your clients.

Step 4: Assess Your 3rd Party Providers’ Compliance

Initiate contact with ALL third-party providers to ascertain their level of GDPR compliance. An effective method is to send them a detailed questionnaire. While specific questions may vary depending on the provider type, certain general inquiries are crucial for all partners.

Here are 13 example GDPR questions you can adapt for your questionnaire:

  1. Where are your data and applications stored?
  2. Is that data ever moved out of the European Union?
  3. Do you ever transfer data between data centers outside of the EU?
  4. Do you always inform me when my data is being transferred?
  5. Do you have a Data Protection Officer?
  6. How do you handle data breaches, and do you have a documented process?
  7. What data controls and risk management processes do you have in place?
  8. How do you manage the version release process on your platform to ensure an adequate level of data protection?
  9. Who can access our data, under what circumstances, and what can they see? Is this access tracked?
  10. Can I audit your security and technical measures on the protection of data?
  11. Do you have a security breach notification process in place?
  12. Do you currently adhere to Binding Corporate Rules?
  13. Do you have measures in place to become GDPR compliant in time for May 2018?

Step 5: Evaluate Provider Risk and Take Action

Carefully evaluate the responses from your third-party providers to determine if they meet the security and privacy regulations stipulated by GDPR.


After completing these steps, you should have a clear understanding of your third-party providers’ GDPR compliance status. If they meet the requirements, consider whether you need to add specific clauses to your contracts, such as additional security measures, restrictions on data transfer, or termination clauses for non-compliance with data protection laws. If a provider does not meet the requirements, it may be time to seek an alternative. Data subjects have the right to retrieve their personal data and port it to other service providers without hindrance.

Critical GDPR Questions for Your Email Service Provider (ESP)

Not all third-party providers handle the same amount or type of personal data. However, an email address is inherently personal data, making ESPs a critical focus for GDPR vetting. A truly GDPR-compliant ESP must be prepared to address questions from email marketers, the businesses they serve, and crucially, the data subjects themselves (your email subscribers). Posing the following questions to your ESP will provide a strong indication of their readiness.

Right to be Forgotten (Article 17)

Article 17 of the GDPR grants data subjects the right to request the deletion of all their personal data. This empowers individuals, including your email subscribers, with greater control over their information.

  • How can recipients be removed from a specific contact list?
  • How can recipients be removed from all of your databases (across all contact lists)?
  • How can users be removed from all of your databases and files?
  • How do you handle confidential information?
  • Do you have measures in place that allow for data to be anonymized?
  • How can sub-accounts be removed from all of your databases?
  • Can an employee ask for all of their data to be removed?

Right of Access (Article 15)

Beyond the right to deletion, Article 15 stipulates that data subjects have the right to access and retrieve the personal data they have provided.

  • Can a data subject request to access or recover their data?
  • How do you facilitate and ease the process of account access and deletion? Is there any specific feature to make it easier?

Right to Rectification (Article 16)

According to Article 16, data subjects have the right to rectify, change, or complete their personal data at any time. For an ESP, this includes the ability to unsubscribe from a mailing list and update other preferences. To safeguard this, you need assurance that these options cannot be intentionally removed from emails.

  • Do you allow for an account to be transferred from one user to another?
  • Do you allow for the unsubscribe link to be removed from your newsletter templates?

Responsibility of the Controller (Article 24)

Article 24 of the regulation states that service providers must be able to demonstrate that data subjects have consented to the processing of their personal data and that such processing is performed in accordance with GDPR.

  • How do you gather and store proof that all contacts in a specific list have been added with the explicit consent of the recipients?

Minors’ Consent (Article 8)

GDPR recognizes children as particularly vulnerable data subjects, as they may not fully grasp the implications of divulging personal data. Article 8 mandates that for individuals below the age of 16, data processing is only lawful when consent has been given or authorized by a parent or guardian.

  • How do you protect minors (as clients or recipients) from putting their personal data at risk?

Right to Information (Article 14)

Alongside access to provided data, Article 14 grants data subjects the right to be informed about, and provided with, all data that has been collected from them.

  • How can you provide your recipients with a list of clients who have them as recipients?
  • How can you provide recipients with details on tracking data collected through your platform?

Thorough answers to these questions are crucial for determining if your Email Service Provider is truly GDPR-ready. Remember, your own compliance is intrinsically linked to that of your ESP. Therefore, selecting a partner that fully supports your journey toward robust data privacy protection is paramount.

Considering In-House Email Systems

If your organization utilizes a custom or in-house email marketing system, it might be an opportune time to consider transitioning to a commercial ESP. Alternatively, you will need to invest in developing and implementing features within your in-house system to meet all the intricate requirements of GDPR.
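As an added example (not code from this article or from any ESP), the Python sketch below shows what the features asked about above look like when built into an in-house system: consent evidence stored per subscriber (Article 24), an export of everything held on a person (Articles 14 and 15), rectification and per-list unsubscribe (Article 16), erasure across every list backed by a keyed suppression hash so a later list import cannot silently resurrect an erased address (Article 17), and a template guard that refuses to send mail from which the unsubscribe link was removed. All names (SubscriberStore, keyed_hash, template_is_sendable, the {{ unsubscribe_url }} placeholder), the demo secret and the sample addresses are assumptions made for the example.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed demo secret; a real system loads this from a secret store and
# never ships it in source.
SUPPRESSION_KEY = b"constructed-demo-key-do-not-reuse"

TRACKING_FIELDS = ("opens", "clicks")


@dataclass
class ConsentRecord:
    """Evidence of consent kept alongside the address (the Article 24 question)."""
    source: str      # e.g. "signup-form", "double-opt-in"
    given_at: str    # ISO-8601 UTC timestamp
    ip_hash: str     # keyed hash of the IP, so the proof itself does not hoard raw data


@dataclass
class Subscriber:
    email: str
    name: str
    lists: set
    consent: ConsentRecord
    tracking: dict = field(default_factory=lambda: {f: 0 for f in TRACKING_FIELDS})


def keyed_hash(value: str) -> str:
    """HMAC-SHA256 of a normalised string; used for the suppression list and IP hashes."""
    return hmac.new(SUPPRESSION_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


class SubscriberStore:
    """One place that owns every copy of a recipient's data, so erasure can be complete."""

    def __init__(self):
        self.subscribers = {}    # email -> Subscriber (the only store of personal data)
        self.suppressed = set()  # keyed hashes of erased addresses; not reversible to an email

    def add(self, email, name, list_name, consent_source, ip):
        email = email.strip().lower()
        if keyed_hash(email) in self.suppressed:
            # An erased subscriber must not be silently resurrected by a list re-import.
            raise PermissionError("address erased under Article 17; fresh consent required")
        sub = self.subscribers.get(email)
        if sub is None:
            consent = ConsentRecord(consent_source, datetime.now(timezone.utc).isoformat(), keyed_hash(ip))
            sub = Subscriber(email, name, set(), consent)
            self.subscribers[email] = sub
        sub.lists.add(list_name)
        return sub

    def export(self, email):
        """Articles 14/15: everything held on the subject, tracking data included, as JSON."""
        sub = self.subscribers[email.strip().lower()]
        record = asdict(sub)
        record["lists"] = sorted(sub.lists)   # sets are not JSON-serialisable
        return json.dumps(record, indent=2, sort_keys=True)

    def rectify(self, email, name):
        """Article 16: the subject corrects their own data."""
        sub = self.subscribers[email.strip().lower()]
        sub.name = name
        return sub

    def unsubscribe(self, email, list_name):
        """Removal from one list only, leaving the other subscriptions intact."""
        sub = self.subscribers[email.strip().lower()]
        sub.lists.discard(list_name)
        return sub.lists

    def erase(self, email):
        """Article 17: drop the record from every list and file, keeping only a keyed hash."""
        email = email.strip().lower()
        self.subscribers.pop(email, None)
        self.suppressed.add(keyed_hash(email))
        return email not in self.subscribers


# Hypothetical template placeholder that the send pipeline later expands to a real link.
UNSUBSCRIBE_PLACEHOLDER = re.compile(r"{{\s*unsubscribe_url\s*}}")


def template_is_sendable(template_html: str) -> bool:
    """Article 16 guard: refuse to send any template whose unsubscribe link was removed."""
    return UNSUBSCRIBE_PLACEHOLDER.search(template_html) is not None


if __name__ == "__main__":
    store = SubscriberStore()
    # Constructed sample data; 203.0.113.0/24 is a documentation range.
    store.add("Alice@Example.com", "Alice", "newsletter", "signup-form", "203.0.113.7")
    store.add("alice@example.com", "Alice", "promotions", "signup-form", "203.0.113.7")
    print(store.export("alice@example.com"))
    store.erase("alice@example.com")
    try:
        store.add("alice@example.com", "Alice", "newsletter", "csv-import", "203.0.113.7")
    except PermissionError as exc:
        print("blocked:", exc)
    print(template_is_sendable("<p>Hi</p><a href='{{ unsubscribe_url }}'>Unsubscribe</a>"))
```

The design choice worth noting is the suppression list: erasure removes the address itself, but a keyed hash of it is kept so that the next CSV import of an old list cannot quietly re-add the person without fresh consent. Because the hash is keyed, the suppression list is not a reversible copy of the addresses it is meant to forget.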

Navigating GDPR compliance can be complex. By diligently assessing your ESPs and understanding these key rights, you can ensure robust data protection. We encourage you to ask any questions or share insights in the comments to help the community.
