by Michael Mar 19, 2018

We are sure that you've heard a lot about the new law that will be in force soon: the General Data Protection Regulation (GDPR). If your business is based in the European Union or you have customers or contacts there, then this article will help you understand what this new law means for how you handle personal data.

The General Data Protection Regulation (GDPR) is going into effect on May 25, 2018. This new EU law will set a new standard for privacy compliance and rights. Elastic Email is continuing our efforts to ensure our business processes are compliant, and this article is designed to educate our customers both on what we are doing as the Data Processor as well as what our customers should be doing as the Data Controllers. This article’s purpose is to be an informational guide and should not be considered legal advice. Whether or not the GDPR affects you, and how, is something you should seek counsel for.

What is the GDPR?

The General Data Protection Regulation (GDPR) replaces its predecessor, Data Protection Directive 95/46/EC. It was designed to harmonize and modernize data privacy laws in the union and to protect all EU citizens' data privacy. The law was adopted in 2016 and comes into effect May 25, 2018.

Key changes:

  • Increased Territorial Scope - applies to businesses worldwide,
  • Penalties/Fines - the greater of up to 4% of annual global turnover or 20 million Euros,
  • Strengthened Consent - the purpose of data processing is attached to the consent,
  • Data Subject Rights:
    1. Breach Notification - 72 hours from becoming aware,
    2. Right to Access - what data is being used and for what,
    3. Right to be Forgotten - the data subject has more control over what data can be kept,
    4. Data Portability - access to the data subject's data and the ability to move it,
    5. Privacy by Design - systems are designed with privacy upfront,
    6. Data Protection Officers - an assigned person to oversee privacy compliance.

Personal data

The GDPR defines personal data as any information related to a natural person (Data Subject) that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. For Elastic Email customers, it is very likely that most of the information you are collecting about your contacts would be deemed personal data under the GDPR legislation.

Obviously, your contacts' email addresses, names, physical addresses, phone numbers, etc. would be directly identifying, but indirect information such as behavioral information, consented IP addresses and geolocation coordinates must also be considered. Sensitive data such as health or racial information generally requires even further protection and should never be used with Elastic Email. Elastic Email supports unlimited Custom Fields, so be sure to review the information you are acquiring and storing about your contacts and ensure you are being compliant.

Under the GDPR, you are processing personal data if you are collecting any personal data of EU citizens. For example, if you email an EU citizen or upload a list of contacts that contains personal data of an EU citizen, you fall into this category. Note that even if you are not dealing with any EU personal data, the GDPR is setting the standard for global privacy laws, so getting on board now could help you in the future.

PIPEDA vs GDPR

The GDPR addresses the transfer of personal data from EU member states to third countries such as Canada and the United States. The European Commission has the power to determine whether a country outside of the EU offers an adequate level of data protection, and Canada is one of the recognized countries that does offer an adequate level.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requirements are quite similar to the GDPR, and with Elastic Email being a Canadian Corporation we already have a number of well-defined data management policies in place. We are working with our legal team to fill any gaps identified in order to be fully GDPR compliant by May 25, 2018. Note that the United States requires certification to help bridge this gap and uses the Privacy Shield framework and self-certification for this.

Elastic Email’s data centers are mostly hosted in the EU, and it is possible to ensure that ALL of your data remains physically in the EU. If you are using our free shared pools or have a private IP that is located outside of the EU, then your email data would be transferred outside of the EU for up to 48 hours for attempted delivery. We are contacting our EU customers to inform them of this and offering private IP solutions to ensure all personal data remains in the EU if desired.

Do I need to comply?

If you are an organization in the EU or if you are processing EU citizens' personal data, then you most likely will be affected by the GDPR. Please obtain legal advice for your personal or business situation regarding the scope of your GDPR compliance obligations.

Controller vs Processor

The GDPR hasn’t changed the basic definitions of controller and processor; however, it has increased the responsibilities of both.

A controller is an organization or party that determines the purpose and means of processing personal data.

A processor is an organization or party that processes the data on behalf of the controller. Controllers take primary responsibility for data privacy, including reporting data breaches to DPAs (Data Protection Authorities). The GDPR, however, places some direct responsibilities on the processor, so it is important to know what role you are taking with regard to processing personal data. With regard to the Elastic Email services, in general, our customers would be considered the controller and Elastic Email would be considered the processor. Elastic Email is processing the personal data that you have determined to obtain, transfer or store through our services. Know the responsibilities of the controller under the GDPR.

When will Elastic Email ensure GDPR email compliance?

As a Canadian Corporation, Elastic Email prides itself on world-class security and privacy principles. We have worked hard in past years to be CASL and PIPEDA compliant, which gives us a solid foundation to be fully ready for the GDPR by May 25, 2018, including GDPR email security requirements.

Most of the work we have been doing for GDPR email compliance is internal and does not directly impact our customers. We have been consulting with our legal team and reviewing/amending our processes where needed. We believe this is an excellent step for global privacy and fully endorse the GDPR initiative.

Data subject rights with Elastic Email

Right to Access/Rectification
As always, you can access and update your Elastic Email account and profile information at any time via our dashboard or through the Elastic Email API. Please review our Privacy Policy for more information on what information you provide us and how we use it.

Right to be Forgotten
At any time you can cancel your Elastic Email account as referenced in section 7.2 of our Terms of Service.

Data Portability
As always, you can export your Elastic Email data such as contacts, email logs, campaign statistics, link tracking statistics and survey information from our dashboard or through our API.

Privacy by Design
As Elastic Email iterates and improves, we are continuing to keep personal data in mind as part of our development processes.

Data Protection Officers (DPO)
Elastic Email has a Privacy Officer and this role now includes the responsibilities of a DPO. They are accountable for our compliance with our Privacy Policy, and for ensuring that information about our policies and practices relating to the management of personal information is easily accessible. All questions or concerns regarding the GDPR and our compliance with it should be directed to the Privacy Officer in writing and sent by email to privacy@elasticemail.com.

Expansion of your contact’s rights

Your contacts have the same rights as you do under the GDPR. Detailed information about how each of these rights is addressed within Elastic Email can be found below:

Right to Access/Rectification
Our Privacy Policy details what data we collect and how we use it. Your contacts may contact you or us directly to request the information we hold about them. You always have access to your contacts' detailed information, which can be updated or corrected upon request from your contacts. Contacts can also contact Elastic Email directly to request that their information be updated or corrected.

Right to Object
The Delivery Optimization Engine privacy setting can be opted out of from your profile via our dashboard or our API.

Right to be Forgotten
You have control to delete any of your contacts at any time via our dashboard or our API, at your discretion or at the request of the contact. Contacts can contact Elastic Email directly to report spam or to request to be deleted from your specific account or from all Elastic Email accounts altogether. If we are contacted directly about this, we always correspond with you about the request and the action we have taken.

Data Portability
Our general export functionality can export an individual contact's information in exactly the same manner as exporting all of the information. You can achieve this from our dashboard or through our API.

Privacy by Design
As Elastic Email iterates and improves, we are continuing to keep your contact’s personal data in mind as part of our development processes.

Contacts and GDPR email consent

Since Elastic Email is compliant with CASL, the GDPR changes around consent should not impact you. Elastic Email’s double opt-in web forms can continue to be used to onboard your customers and be GDPR compliant. When designing your forms, be sure to use specific and clear language on the use of the collected information.

In order to obtain an API Key to send an email via our HTTP or SMTP API, you must agree that you legally have consent to email your recipients.

If you manually upload your lists to Elastic Email via our dashboard, you must also agree that you legally have consent to email your contacts.

If you upload your contacts via our API, you have the option to provide the consent date and IP address for your individual contacts or for the list as a whole. Elastic Email provides all the tools to track the consent of your contacts, but the onus is on you, the controller, to ensure you are doing this legally and ensuring GDPR email compliance.

Your contacts can easily change their contact preferences by unsubscribing from your emails, which helps you with GDPR compliance. Please see detailed information on unsubscribing in this guide. The merge tag {contactprofile} or {contactprofile:publicformid} creates a clickable link that can easily be included in your emails, allowing your contacts to update the information that you are storing about them in Elastic Email.

It is your responsibility to keep accurate records of your contacts' consent for storing personal data, permission to send them email, and any other data processing actions. Elastic Email helps you with this obligation by making available the consent tracking features for each of your contacts discussed above. Specifically for open and link tracking consent, Elastic Email has fully configurable options to adhere to your contacts' preferences. Please see our resource information on tracking opens and clicks. As always, we recommend you obtain legal advice on the matter of consent, your specific business practices, and how they would be viewed under the GDPR. If you are using any third-party software (integrations/plugins/SMTP sending software, etc.) that transfers contact information to Elastic Email, be sure you are adequately disclosing data processing activities through these channels as well.

Ensure your privacy policies make clear that you are transferring your customers' personal data to Elastic Email for processing. Specifically, it would be good to list Elastic Email as one of your data processors and to describe how you use or intend to use our services for your customers.

Conclusion

The compliance deadline for the GDPR is May 25, 2018.
This guide was created to help you understand your compliance requirements and how these requirements relate to using Elastic Email. If you have any questions about the GDPR, please email us at privacy@elasticemail.com or connect with us through one of our contact channels.

Michael

Spend most of my time collaborating with our fantastic team! When I’m not talking email I’m usually watching hockey or behind a boat.
