GDPR. These four letters, now all too familiar in the business world, have become a major hot-button issue for companies handling the personal data of European citizens.
Let’s take a look back to see everything your favorite digital marketing platform SendinBlue has done to become compliant with the General Data Protection Regulation since early 2017.
1 – Reflection and Initial Measures
At the beginning of 2017, the GDPR still seemed like a far-off concern for most. However, SendinBlue was already actively reflecting on the topic and the implications that the new regulation would have once it entered into effect.
We quickly realized that we had a lot of work to do, particularly because we are classified as both a controller and processor of our users’ data under the GDPR.
SendinBlue’s mission has always been to provide SMBs with everything they need to be successful. Thus, in addition to implementing our own compliance measures, we also needed to help our users ensure their own compliance with the new regulations.
The first step in this process was to appoint Amalia Bercot — our Chief Operating Officer — as the coordinator for all of the planning and implementation of our compliance measures. The objective was to ensure that SendinBlue upheld it’s main commitment: providing a platform that allows for SMBs to communicate with clients and prospects while respecting the new regulation.
Amalia quickly sought the expertise of the Keley Data (a consulting firm specializing in data-related matters) to perform an initial audit of the data processing at SendinBlue.
Once completed, the initial audit revealed key features that could help our users be GDPR-compliant, as well as the sensitive areas of internal data processing that needed to be addressed. Armed with this information, the team was able to establish a clear course of action to attain GDPR compliance.
2 – The Compliance Process
Gradually, SendinBlue began implementing the necessary steps to become compliant, addressing the security, legal, technical, organizational, and human aspects of the process in parallel with the help of the proper internal stakeholders.
2.1 – The adaptation of key features
We started by getting together with a sample of our users, our account managers, the product team, the technical team, and our lawyers to identify the key GDPR milestones that SendinBlue needed to meet.
The duty of providing information in the context of accountability
After learning about the impending changes being brought on by the GDPR, many of our users started reaching out as early as the spring of 2017 with highly relevant questions pertaining to GDPR compliance.
In response, we made several informational resources available to our clients on our website and blog regarding their rights under the GDPR and best practices that can be put in place to conform with the law.
These resources are available in the platform to help users be compliant in the key usage steps of our platform:
- Importing contacts
- Building email subscription forms to acquire consent from contacts
- Creating email campaigns to send to subscribers
A GDPR-specific section has been added to the help center, and we continue to organize regular informational webinars on the subject as well.
The right to rectification, portability, and to be forgotten
The rights to rectification, portability, and to be forgotten have been well established for several years. Therefore, we don’t have any operational changes related to these rights. However, as indicated above, we have provided more details on the modalities of exercising these rights.
Until now, all of our transactional email logs have been preserved indefinitely by default.
Starting at the end of May 2018, it will be possible for users to define how long they wish to preserve the logs their transactional emails and the preview of the content contained in each of those messages. This functionality is already available by request through our customer care team.
Email subscription forms
Special attention was given to email subscription forms during the compliance process because it is such an integral part of compliance for our users.
Proof of consent
Once the contact information is collected, proof of consent will be available in the contact profile.
Each contact profile will include the exact moment of subscription, the ID of the form used to subscribe, and their IP address. This information will be exportable to allow SendinBlue users to provide easy proof of consent if necessary.
2.2 – An advanced security review
We know data security is a sensitive issue for many, which is why it has always been one of our top priorities. The GDPR has empowered us to take this priority even further: ensuring airtight data transfers and data storage as well as improving data monitoring and control for easier and more secure access for our users.
The installation of data archiving and traceability systems
To prevent data breaches, it’s necessary to have tight control over the data processing that occurs on our platform.
Using data tracking and log identification, we have enacted a data traceability system across all of the data processing procedures on our platform.
Additionally, we sought to maximize the security of our users’ archived data. This data is now being stored in separate databases and the personal data has been encrypted.
These archives are stored solely for legal purposes. Once the retention period completed, the data is purged from the database.
Network penetration tests
We have begun working with a consulting firm that specializes in cybersecurity and received very positive feedback regarding the difficulty of penetrating our system.
Knowing that we can always do more to ensure our data security, we turned to Bounty Factory. This British platform allows us to crowdsource additional research into our network and data security from a large community of “white hat” or ethical hackers and security researchers.
The program, known as a bug bounty, strongly encourages research into the vulnerabilities of our system, with each vulnerability (or “bug”) that is found being rewarded with a financial bounty.
The compensation system creates a strong incentive for researchers to discover any possible vulnerabilities in the SendinBlue system, minimizing our risk of potential malicious attacks.
2.3 – The management of our partners and processors
One of the main principles introduced by the GDPR is shared accountability. This essentially means that all stakeholders, whether they be the controller (the party who determines the purposes and means of the data processing), or one of the processors further down the chain, carry a portion of legal responsibility since the processing is being performed on personal data.
Carrying the dual role of controller and processor, SendinBlue is required to approach the principle of accountability from both sides.
As a processor, we have established means to guarantee GDPR compliance across our entire chain of data processing with all of our partner software providers.
As a controller, we must also guarantee the compliance of our own processors with the new regulations. Consequently, we contacted processors with specific questions regarding their data processing methods. This has allowed us to ensure that their procedures surrounding the processing of our data is in line with the GDPR and the commitments we have to our customers.
We were forced to cease collaboration with the processors who were not able to provide satisfactory responses to our questions.
Once we were able to receive satisfactory responses from our other processors, we contractualized our requirements with DPAs (Data Processing Agreements).
The DPA is a document specifying the type and methods of data processing being carried out by the processor on behalf of SendinBlue, which makes it possible to ensure a legal framework and data traceability.
For our processors located in the United States, we have also verified their Privacy Shield certification, which is a necessary condition for processing the data of European citizens.
2.4 – Legal documentation
We retained the services of Gide, a leading law firm, to outline our responsibilities and commitments, as well as those of our users, in complete and transparent terms.
A processor clause has been drawn up and appended to our TOCs in order to detail the role and responsibilities of SendinBlue vis-à-vis our users as a third-party service provider.
2.5 – The internal implications of the GDPR on the SendinBlue organization
The GDPR also compelled us to optimize our internal organization and come up with best practices and procedures that support the main principles put forth by the regulation.
Certain individuals in SendinBlue have roles that require privileged access to personal data.
For example, account managers might need to access certain elements of a user account in order to answer a support question.
We have started by expanding the confidentiality clause in the contracts of salaried employees and facilitating training sessions.
The training includes a general overview course on GDPR requirements, as well as specialized training courses designed to build off of the initial training for specific teams that deal with sensitive data on a regular basis.
This provides all personnel with a clear understanding of their obligations with regards to the new regulation.
Internal procedures and controls
In order to ensure a smooth application of our compliance measures, we reviewed all of our internal procedures surrounding the management of employee access to personal data, the handling of requests from individuals seeking to exercise their rights regarding their personal data, and the processes involving the preservation and purging of data.
A control plan has been established to regularly verify the proper application of these procedures and the updating of the corresponding documentation.
The nomination of individuals charged with maintaining proper compliance
The implementation of our compliance measures was managed by our Chief Operating Officer. In parallel, we have appointed Jule Jeanroy as our DPO (Data Protection Officer), who is responsible for ensuring SendinBlue’s continued compliance with the GDPR over time.
It is also the DPO’s responsibility to monitor the application of the different aspects of the regulation and ensure that we respect the main principles of the GDPR, particularly the principle of “Privacy by Design,”which refers to the compliance of a data processing procedure before it’s actually implemented.
Our DPO will be assisted by a SecOps for aspects specifically related to data security and traceability. If you need to get in contact with our DPO, he can be reached directly by email at [email protected].
3 – Current status and next steps
GDPR compliance, in itself, is never truly finished. It’s an ongoing process that requires regular monitoring and confirmation that the principles of the law are being upheld internally with our current data processing, as well as continued evaluation using the criterion of Privacy by Design for each new procedure that involves the processing of personal data.
SendinBlue is proud to have accomplished the first part of the challenge. We will continue to maintain our dedication to compliance in order to remain a trusted third-party software provider for our users.
Undertaking this massive compliance operations has provided SendinBlue with several benefits, including:
- Rallying our entire organization around a common goal and collaborating across different teams in order to achieve it
- Implementing even more rigorous procedures around our data management and processing to continue improving our security
- Quickly achieving compliance with the help external partners
- Performing an innovative assessment of our network security and implementing the necessary corrective measures
- Reinforcing the link between SendinBlue and our users by providing the tools necessary for GDPR compliance in our platform
SendinBlue is an organization comprised of nearly 150 people, and we are all committed to ensuring the security and confidentiality of the personal data entrusted to us. We take this responsibility seriously as part of our core mission to provide an all-in-one digital marketing platform for small and medium-sized businesses to grow and succeed.
We are always happy to respond to any questions or discuss any concerns you might have regarding SendinBlue and the GDPR. Contact us anytime by email at [email protected].