Interview with GDPR Expert Thiébaut Devergranne on GDPR Compliance

How can you ensure GDPR compliance for your business? According to Thiébaut Devergranne, businesses should first make sure that their third-party software providers and other solutions that they’re using are in compliance with the new law.

Meet the interviewee:
Thiébaut Devergranne is a French legal specialist with a doctorate degree in private law specializing in emerging technology.

He is the author of the book “La propriété informatique,” and worked for six years in the cyber security division (DCSSI) of the Secretariat-General for National Defence and Security for France.

Learn more about Thiébaut on his website: donnéespersonelles.fr

SendinBlue Interview with Thiébaut Devergranne, GDPR expert

Adapted from the original article in French

SendinBlue is actively preparing for the arrival of the GDPR, which enters into effect in May 2018. What major changes do you see in this new legislation in contrast to existing laws?

Essentially, the GDPR is an update from the old laws that includes real consequences.

If you are processing personal data as defined by the new law (a name, a first name, the image of an individual, social security number, etc.) on your computer systems, this new regulation applies to you.

There’s an impression that the law defines broad principles but leaves enterprises in the dark on how to properly comply. How will this law be applied in practice?

That’s actually very normal. In reality, that is the exact purpose of the law. Let’s take an example: the text of the law requires the establishment of adequate security measures when dealing with personal data. But, the law does not define what these measures (antivirus software, strategic defense initiatives) actually should be because that’s not the role of the law.

Therefore, subjects of the law must adapt accordingly to their specific situation. This adaptation normally falls on the in-house lawyers at companies affected by the law, usually with the help of engineers. Their job is to ensure that the proper measures are taken to be in compliance with the law with regard to their particular case.

Concretely, what impact will this law have on small and medium-sized businesses? Isn’t it primarily just providing a legal basis for attacking the large tech companies?

In my personal opinion, large tech companies — like Google, Amazon, Facebook, or Apple — will probably be the least concerned with GDPR compliance. In fact, European companies, and French companies, in particular, will likely be hit the hardest by this legislation.

Contrary to what most believe, these large tech companies have the right culture in place to handle an exercise of compliance at this scale. It’s important to note that the US has 1.3 million practicing lawyers, as opposed to just 50,000 in a European country like France — and unlike in Europe, multi-million dollar fines are relatively common in the US.

So, for these tech giants, GDPR compliance is a normal problem that they’re used to managing.

However, in Europe, the culture is very different — and even more so in France. We are accustomed to being subjected to numerous regulations that ultimately nobody follows — at least until real consequences start arising.

Because of this, many organizations in Europe are taking their time in complying with the new GDPR regulations to wait and see how the penalties will be applied in practice. This is a gross miscalculation that stems from a fundamental misunderstanding of the new law: the GDPR gives multiple actors the power to take legal action (terminated employees, social partners, consumer associations, privacy advocate groups, etc.).

There are sure to be a number of people interested in taking these steps, which is why it’s very important to start working on GDPR compliance now.

The best solution for small and medium-sized businesses is to only use third-party software tools that explicitly state that they are “GDPR compliant,” meaning they have taken the necessary steps to make their tool conform with the new law. This is especially important for email marketing software.

To be in compliance with the GDPR, businesses will be required to keep proof of consent from their customers in order to process their data. What form would this consent likely take? For example, when collecting email addresses, would the logs for an opt-in form suffice as proof of consent in regards to the GDPR?

To answer your question simply, it’s important to understand that proof, in a legal context, does not result from one single element, but rather from a set of concurring elements.

For example, you could create a bailiff’s report stating that users are well informed of their rights at the time of signing up and providing their contact information. But what does this really prove if someone enters their email into your system a day after the report is created? Does this demonstrate that the technical mechanism that ensures proper consent was in place at the time of this user’s action?

It’s always a good idea to take necessary precautions (why not use a bailiff’s report, opt-in logs, consent process, etc.), but the evidence can always be brought before a judge whose role is to determine, in light of the facts presented and discussed, the solution of a dispute such as this.

Software providers can play an important role in this process. For example, they can allow businesses to activate legal notices while keeping records of who saw them. This would let businesses show that they have been showing all new users a legal notice starting from a specific date. This could be used as one element of proof in a legal case.
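One way a provider could keep the kind of records described above, as an added example that is not part of the original interview or SendinBlue's own code: an append-only ledger that stores, per address, which legal-notice version was in force at signup, the opt-in form event and the double opt-in confirmation, and treats unsubscribing (suppression) separately from erasure. All class and function names are hypothetical.

```python
import hashlib
from datetime import datetime, timezone

# Added example, not SendinBlue's code; all names are hypothetical.
def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def _digest(email):
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.notices = {}        # notice version -> effective-from datetime
        self.events = []         # append-only log of consent-related events
        self.suppressed = set()  # digests of addresses that opted out

    def publish_notice(self, version, effective_from):
        self.notices[version] = _utc(effective_from)

    def notice_in_force(self, ts):
        # The notice the user was shown is the latest one effective at ts.
        live = [v for v, t in self.notices.items() if t <= ts]
        return max(live, key=lambda v: self.notices[v]) if live else None

    def record_signup(self, email, form_id, when):
        ts = _utc(when)
        self.events.append({"kind": "signup", "email": email, "form": form_id,
                            "notice": self.notice_in_force(ts), "ts": ts})

    def record_confirmation(self, email, when):
        # Double opt-in: the confirmation click is logged as its own element.
        self.events.append({"kind": "confirm", "email": email, "ts": _utc(when)})

    def unsubscribe(self, email):
        # Opting out keeps only a digest so the address is not mailed again.
        self.suppressed.add(_digest(email))

    def erase(self, email):
        # Right to be forgotten: drop every event that holds the address.
        self.events = [e for e in self.events if e["email"] != email]

    def evidence_for(self, email):
        return [e for e in self.events if e["email"] == email]

    def has_valid_consent(self, email):
        ev = self.evidence_for(email)
        signups = [e for e in ev if e["kind"] == "signup" and e["notice"]]
        confirms = [e for e in ev if e["kind"] == "confirm"]
        confirmed = any(c["ts"] >= s["ts"] for s in signups for c in confirms)
        return confirmed and _digest(email) not in self.suppressed
```

A signup logged before any notice version was published carries no notice element, so it is not counted as consent on its own.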

For businesses who already have a list of opt-in contacts but haven’t kept records of this consent, is it enough to send an email campaign asking for renewed consent from these contacts? How would you be able to show incontestable proof of consent?

This is actually quite complicated.

The regulation (articles 6 and 7) requires that the controller be able to demonstrate that the individual whose data is being processed has consented to this processing. Therefore, you would also have to accumulate elements of proof that demonstrates that the recipient actually consented to this “consent renewal” campaign in the first place.

So I would have to turn the question back to you: what material elements are at your disposal for showing that consent occurred? We have to start from there — but do not strive for incontestable proof, as this does not exist. Instead, you have to collect consistent evidence in as many ways as possible.

What would you recommend to the average business owner or e-commerce merchant who doesn’t have the resources to get help with their GDPR compliance?

I would recommend reaching out to your software providers to make sure they are taking the necessary steps for GDPR compliance because they are more capable of absorbing the costs that come with compliance. Also, only use GDPR compliant solutions (editor’s note: like SendinBlue 😉 ) — that would be a good first step.

As an expert on the subject, are you confident that businesses will be willing and able to comply with this regulation?

I am very confident in the fact that we will see a mass of conflicts arise on the day the law enters into effect, as there are an enormous number of actors who have a practical interest in how the law is applied and its ramifications.

But, many companies still don’t understand the gravity and impact of the impending regulation right now.

Looking for an email marketing solution that’s GDPR compliant? Try SendinBlue for free today!

10 thoughts on “Interview with GDPR Expert Thiébaut Devergranne on GDPR Compliance”

    1. Hi Susi,

      As long as you are following measures to collect positive opt-in contacts, you can rest assured that they will be stored as such in the SendinBlue database. This means using double opt-in processes for all of your opt-ins and providing clear language in the terms and conditions of your site and opt-in to make clear to the customer what they are signing up for. Over the next few weeks, we will continue to produce tutorials and other content related to GDPR compliance that is specific to our platform so you have all of the information you need by the time the law goes into effect in May. You can take a look at our FAQ page in the meantime to answer some other questions you may have: http://www.sendinblue.com/gdpr/. If you have more concerns about the GDPR, you should also contact an attorney as we are not qualified to give you expert legal advice.

      Best!
      Jeff

  1. Hi, thank you for sharing the interview. I’ve got a couple of questions regarding my SendinBlue account and GDPR.

    – what should be the process to follow with the blacklist? Should we keep it as a proof to show those contacts are not going to receive further notifications from my company or is it better to delete the content of the list, so that data is not stored in any way?

    – are you working on any two factor authentication to access the data in SendinBlue?

    – are you developing any dashboard centre to allow people to update their data or unsubscribe (besides the option in each email we sent to them).

    Thanks a lot.

    1. Hi María — thanks for reaching out.

      I will do my best to answer your questions with the information I have available:

      Your first question is regarding the right to be forgotten –> If one of your contacts wishes to exercise their right to be forgotten, you can simply delete them from your lists in SendinBlue. This will also erase all their personal data. If one of your contacts sends a valid request directly to us, we will inform you and remove their personal data from your account, as well as from any other SendinBlue accounts who have personal data on this contact, when applicable. The right to be forgotten is different than unsubscribing as far as I can tell since the latter would simply be opting out of receiving communication, whereas the former is requesting that all personal data be deleted from your database.

      I have reached out to our Data Protection Officer about your second question regarding two-factor authentication, as I am not sure exactly what measures we are putting in place for our customers’ right to portability. However, I can assure you that we take data privacy very seriously, and we will certainly make sure that your data will not be given to someone who is unauthorized to receive this information.

      I will have to get back to you on your final question.

      1. Hi Jeff,

        Thank you for your answer. The note about the difference between someone just unsubscribing from my newsletter and their right to be forgotten was actually a good clue for me to play with.

        1. Hi Maria,

          Glad I could help! Of course, I am not a lawyer, so if you have more serious concerns, I would recommend asking a lawyer. 🙂

          To respond to your earlier question about two-factor authentication, we will have this ready very soon for our platform.

          As for your last question, we are working on forms now that will be embeddable on your site and allow people to update their data.

  2. Hi,
    a couple of questions:
    – Where can I find any information on your website stating SendInBlue is GDPR compliant?
    – Do you have any certification in place proving SendInBlue is GDPR compliant?
    – A customer of ours asks that any subcontractor signs the same Agreement regarding GDPR as we have done with him. This means that we should ask SendInBlue to sign a GDPR agreement between our company and SendInBlue. Is this possible?
    – Where can I find the coordinates of your DPO?
    – What practices are in place to securely store any data you receive from your customers (not only opt-in addresses, but also the actual storage of emails and attachments that might contain personal data)?
    – Where is all that data stored? Does this data leave the European Community?
    – Can I, as customer, demand that all data I send to you (email content, attachments, email addresses, ….) are ONLY stored in the European Community and not outside?

    1. Hi Stefan,

      Thanks for your comment. Our GDPR FAQ page (https://www.sendinblue.com/gdpr/) should provide answers to many of your questions above. As far as signing an agreement, we have a DPA (Data Processing Agreement) signed by our CEO that is available to all of our users that provides more detail on how SendinBlue will comply with the GDPR. Our customer support team can provide you with a copy of the DPA and answer any other questions you might have after reviewing these resources. Contact them at [email protected].

      Best,
      Jeff

      1. Hi Jeff,

        thx for your answer! Looking on the https://www.sendinblue.com/gdpr/ page I do have the following remarks.

        We send emails via SendInBlue using transactional emails only. Today the to, subject, body and attachments are kept in your system. Have you ever thought about a way that we (as sender) should have the possibility to remove these emails, either automatically (after X hours, days, …) or in our account by simply selecting those emails? That should seriously limit the possibility of a data breach.

        I don’t want SendInBlue to forget about our account, but it would be nice that SendInBlue would forget about the content of emails.

        I don’t think this option exists today, so I was wondering how long these emails remain on your system currently?

        1. Hi Stefan,

          I know this is something that we are looking into. For more information, I would recommend reaching out to our support team. They can provide you a copy of our DPA and answer more specifically than I can here.
