GDPR Journal: On The GDPR Track, Our Compliance Roadmap

In case you missed my first post, I am documenting our GDPR compliance journey, from where I sit as an in-house attorney working for an EU and International SaaS company. Get up to speed by reading my first diary entry.

Take your mind back… It’s the end of May – one year before the new EU data regulation comes into effect. Articles are coming out about how to be prepared, published by so-called experts, law firms, compliance firms and other run-of-the-mill companies trying to attract traffic. So there was truly a lot of information out there. But where to begin? How do I prepare our company – an SME based in Paris – for the GDPR?

The myriad of articles being published on the subject offered much information, but I wasn’t clear as to the source and its accuracy. Being a trained attorney, I couldn’t rely on other people’s information. So it was best that I start from scratch. I needed to outline for myself the steps needed to get us from point A to point C (C for Compliance).

First Step: Understanding the new regulation and what it meant for us.

I knew I needed to set aside some time to delve into the actual law. I printed out and book-bound 2 hard copies and set myself up on the sofa in an empty conference room – away from phone calls, emails and colleague requests. I gave myself 2 hours and read cover to cover the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (or in English, GDPR). I’m an attorney by trade, so reading the actual law to me is really interesting stuff! (Yes, I’m a bookworm at heart.) I highlighted the sections and paragraphs relevant to my company (considered not a data controller but instead a data processor) and took notes at the same time.

Why 2 copies? (I promise I wasn’t wasting paper.) Well, I work in Paris where I speak 2 languages – English & French. So I wanted the law in both of these working languages. I began by reading through the English version and put aside the French version for another day, as it is helpful to learn the terms and phrases used in the actual law in both languages.

Second Step: Roadmap Planning

Setting a roadmap sounds simple, right? Not exactly: the challenge began with analyzing the new law and identifying our requirements. I had a short period of time to put in place our key trigger dates. May 2018 is not that far away!

At the same time, I was dealing with demands from all angles: clients, internal sales teams, and company shareholders. Everyone wants us to be compliant today, when there is still much road work to lay out before we can put the actual measures in place. I also wanted to ensure that the steps were carried out properly, instead of just fast-tracking the process to use the word “compliant” in our communications.

There was also the aspect of inter-departmental collaboration. The implementation had technical constraints. Just because the law stated one aspect did not mean that it could be simply “implemented” in the blink of an eye. Each measure needed technical planning, testing and control before any actual implementation. So the roadmap and implementation needed to be dealt with hand in hand with the technical and operational teams. I also had to work with our marketing and sales teams to align our message on compliance and the roadmap to be taken.

Third Step: Mailjet’s Roadmap

After several drafts, and internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap.

Here are the steps I came up with and the related calendar to bring our company up to speed from point A to C (remember, C for Compliance).

Mailjet GDPR Roadmap

Summary

  • May – June 2017: Nomination of Data Protection Officer (articles 37-39 of the GDPR)
  • July 2017: Training (articles 7-8 and 12-15). Security and data privacy training sessions to be put in place for all employees and contractors.
  • July 2017: Data breach procedures (articles 33 & 34). Data breach response plan. Process to notify controller without undue delay after becoming aware of personal data breach and document such breach.
  • July – September 2017: Data processing records (article 30). Record of processing activities, including purposes of the processing, description of the categories of data and recipients, and any transfers. Update periodically.
  • July – November 2017: Audit and Analysis of privacy framework (articles 28-30 of the GDPR). An internal audit of all our existing third-party provider contracts to ensure compliance with GDPR, and to make any necessary amendments; a review & update of our current company insurance coverages; to put in place the requisite processes; a periodic review and control.
  • October 2017: Ensure appropriate technical and organizational measures (article 28). Guarantees by processor to implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects & Update data protection agreements and appendices.
  • October 2017: Data portability (article 20). Ensure data subjects’ right to portability (facilitates ability to move/copy/transmit personal data easily – whether to their own systems, the systems of 3rd parties or those of new data controllers).
  • October – November 2017: Reevaluate notice, consent and withdrawal mechanisms (articles 44 – 50). Identify cross-border data flows and review current mechanisms in place. Ensure adequate level of protection with contractual clauses.
  • October – November 2017: Data protection by design and by default (article 25). Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation.
  • November 2017: Security of processing (article 32). Technical & organizational measures to ensure a level of security appropriate to the risks at stake.
  • December 2017: Data protection impact assessment (article 35). Assessment of the impact of processing operations on the protection of personal data with advice of the DPO.

Now off to implement these wonderful concrete steps… GDPR compliance, here we come!

Are you currently in the process of becoming GDPR compliant? Tell us about your compliance journey and the biggest pain points of your experience so far on Twitter.

This article was first published on Mailjet’s Medium Account.

Send API 3.1 Reaches General Availability

We gave you a sneak peek a couple of months ago, but now we’re finally here. The time has come to say goodbye to our beloved Send API version 3, and unveil our most improved version, v3.1!

Over the past three years, our Send API has been doing a great job at routing all your transactional emails, and thanks to your valuable feedback, we’re now ready to introduce its latest version, which is here to make your sending experience even better.

Ladies and gentlemen, after months of hard work and many valuable lessons learned from our developers community during its beta, Send API 3.1 is ready to become our official and stable version. Cue applause.

Don’t worry, we’ll continue to support Send API 3.0, but we’re sure you’re going to love v3.1!


So, why did we decide it was time for a new version?

Let’s be honest, no matter how much we enjoy finding hacks and workarounds, there’s not a developer out there that wouldn’t prefer a pain-free experience while at work. And yes, we know how painful API calls can get, especially when you combine little to no documentation with erratic behaviors, obscure input, response payloads…

So, to make your life easier and your work more manageable, we decided to focus on providing our users with a seamless Send API onboarding journey. We provide you with complete documentation made by developers for developers, and meaningful payloads to offer a smooth experience.

And to make this new version even more advanced, with a real focus on performance and scalability, we decided to rebuild it entirely from scratch, moving away from our previous code in Free Pascal and opting for a new tech stack based on Golang, Cassandra and Kafka, to name a few. Sounds good, right?


Awesome! Show me the code, please?

The first thing you’ll notice is how much the onboarding user experience has improved in this new version. Want to see it in action? Check them out here:

Sending messages

Whether you’re sending one or more messages, it will be as simple as making a single HTTP call on the /v3.1/send endpoint. Send API will accept a JSON payload with a single Messages array property containing up to 100 messages. Clear and easy, isn’t it?

New detailed error and success payloads

Thanks to the feedback we received from our community, we decided it was time for a drastic improvement on our response payloads. We now perform strict checks on your whole input payload, which means you’ll receive synchronous feedback about what went wrong, in order to cut down your debugging time. On our side, this also means a reduced number of malformed emails entering our system. Check out this example of an error payload.

Something worth noting is that these errors are generated for each message independently, and only the sending process of the failing messages will be blocked.

Our success reporting is also more detailed than it used to be. Success payloads provide, for instance, a MessageHref property, a URL that points to the API endpoint on which to retrieve the message metadata. Tracking your emails straight from the sending has never been easier.

Both success and error payloads are now returned together, in the same order as the messages in the input payload, to make checking the pass or fail status of your messages much easier.

URL Tagging

Sending emails fast and at scale is one side of the business, but being able to monitor how well they perform is critical. Our mission is to offer you all the tools you need to achieve this. Thanks to Send API v3.1, you can now provide us with the proper tracking markers and we’ll make sure all the links your emails contain are properly tagged and reported back to you.


Sandbox mode

Sending emails for development purposes comes with a cost (yeah, they still count towards your plan’s email quota), and you’re never fully protected from delivering undesired emails to your customers. Whether you’re experimenting with the API for the first time or just checking your code, there might be times when you’d like to test an email payload without having to send a real email. To make your life easier as a developer, we’ve incorporated a brand new sandbox mode. In your input payload, set SandboxMode to true. This will tell the Send API to process your messages as if you wanted to send them, without actually sending them, so you can properly test and troubleshoot your message easily!
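The three points above (one JSON payload with a `Messages` array of at most 100 entries, per-message success or error results returned in input order, and `SandboxMode` as a guard against sending real mail while testing) can be handled on the client side before a single request leaves your process. The following Python helpers are an added example written for this post, not Mailjet’s own client library. Only the `/v3.1/send` path, the `Messages` array, the 100-message limit, `SandboxMode` and `MessageHref` come from the post; the API host, the Basic-auth credential scheme, the per-message fields (`From`, `To`, `Subject`, `TextPart`) and the response fields (`Status`, `Errors`, `ErrorMessage`, and `MessageHref` nested under each `To` entry) are assumptions, as is every sample value, which is constructed.

```python
"""Client-side helpers for a /v3.1/send batch: validate before sending,
default to sandbox mode, and pair each result with the message that produced it.
Added example; not Mailjet's own code. Field names other than Messages,
SandboxMode and MessageHref are assumptions."""
import base64
import json
import urllib.request

SEND_URL = "https://api.mailjet.com/v3.1/send"  # host assumed; path is from the post
MAX_MESSAGES = 100  # the post: a Messages array holds up to 100 messages


def build_payload(messages, sandbox=True):
    """Wrap per-message dicts in the Messages array. Oversized or empty batches
    are rejected locally, so a malformed batch never reaches the API, and
    SandboxMode defaults to True so a stray test run cannot deliver real mail."""
    if not messages:
        raise ValueError("Messages must contain at least one message")
    if len(messages) > MAX_MESSAGES:
        raise ValueError(f"Messages holds up to {MAX_MESSAGES} entries, got {len(messages)}")
    payload = {"Messages": list(messages)}
    if sandbox:
        payload["SandboxMode"] = True
    return payload


def build_request(payload, api_key, api_secret):
    """POST request for the batch. Credentials are parameters (read them from the
    environment or a secret store in real code); Basic auth is assumed here."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return urllib.request.Request(
        SEND_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )


def send(payload, api_key, api_secret, timeout=10):
    """Perform the call and decode the JSON body (not exercised offline)."""
    with urllib.request.urlopen(build_request(payload, api_key, api_secret), timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def pair_results(payload, response):
    """Results come back in the same order as the input Messages (per the post),
    so they are matched by index. Returns (input_message, status, details) where
    details is the list of MessageHref URLs on success or error messages on failure.
    A length mismatch is refused rather than silently misattributing results."""
    inputs = payload["Messages"]
    results = response.get("Messages", [])
    if len(results) != len(inputs):
        raise ValueError("response/input length mismatch; cannot pair by index")
    paired = []
    for msg, res in zip(inputs, results):
        status = res.get("Status")
        if status == "error":
            details = [e.get("ErrorMessage", "") for e in res.get("Errors", [])]
        else:
            details = [r.get("MessageHref") for r in res.get("To", [])]  # assumed layout
        paired.append((msg, status, details))
    return paired


# Constructed sample input: one well-formed message and one missing its recipient.
SAMPLE_MESSAGES = [
    {"From": {"Email": "noreply@example.com", "Name": "Example"},
     "To": [{"Email": "alice@example.com"}], "Subject": "Welcome", "TextPart": "Hello Alice"},
    {"From": {"Email": "noreply@example.com"}, "Subject": "Broken", "TextPart": "no recipient"},
]

# Constructed sample response illustrating the per-message, same-order results.
SAMPLE_RESPONSE = {"Messages": [
    {"Status": "success",
     "To": [{"Email": "alice@example.com",
             "MessageHref": "https://api.mailjet.com/v3/REST/message/1234567890"}]},
    {"Status": "error", "Errors": [{"ErrorMessage": '"To" is required (constructed)'}]},
]}

if __name__ == "__main__":
    payload = build_payload(SAMPLE_MESSAGES)  # SandboxMode is on by default
    for msg, status, details in pair_results(payload, SAMPLE_RESPONSE):
        print(msg["Subject"], status, details)
```

Keeping `SandboxMode` on by default and flipping it off only in the production configuration is the safer direction: a forgotten flag then costs you a dry run, not a real email to a customer. Pairing by index only works because the post guarantees result order; the length check catches the one case where that assumption would silently misattribute a failure.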

GDPR Journal: What I’ve Learned Since Becoming A Data Protection Officer

I’m Darine Fayed, (Head of Legal @Mailjet, attorney practicing for more than 14 years) and I write from a personal viewpoint of an in-house lawyer who, along with the rest of EU and international companies, is under the pressure of getting our company ready for GDPR before May 2018. New to GDPR and wondering if it affects you? (Psst – it probably does) Head here to our GDPR resource hub.

In getting ready for GDPR (General Data Protection Regulation), and putting in place the measures to make Mailjet 100% compliant, one question I had to ask was: are we required to nominate a DPO?

Firstly, what is a DPO?

For background, a Data Protection Officer (DPO) is an individual – internal or external to the organization – who is involved in all issues which relate to the protection of personal data. Their responsibilities include such things as advising the company of its data protection obligations, monitoring compliance with the rules in place, cooperating with the data protection authorities, and acting as the contact point for data protection questions.

So, when do you need a DPO?

While the concept of a DPO was not exactly a new one, the GDPR has now made its appointment mandatory for certain companies. GDPR states that there are 3 cases where the designation of a DPO is mandatory:

  1. The data processing is carried out by a public authority or body.
  2. The core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The core activities consist of data processing on a large scale of special categories of data or data relating to criminal convictions and offenses.

OK, it’s nice enough to list out these specific 3 cases. But let’s be honest, it’s a bit ambiguous. Being an email service provider (if you didn’t know, Mailjet is a private company that sends millions of emails for clients all over the world), I was pretty sure we didn’t fall into the first or last case. Not the first case, because we are not a public entity. Not the last case, because we do not process any “special” data. But what about the second one? It wasn’t exactly clear. Large scale data processing? Regular and systematic monitoring? What was the exact definition of these terms? As a side note, and fortunately, the Data Protection Working Party on GDPR released guidelines on DPOs that helped answer these questions. But, as luck would have it, these guidelines came out after the fact.

Today these guidelines give various examples of large scale processing, which now clarify the terminology. Examples they offer include: processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, and processing of personal data for behavioral advertising by a search engine.

It’s a good point to know: not all companies are required to nominate a DPO (whether internal or external to the company). For good measure though, and since we do process data and personal data on a daily basis (personal data includes names, addresses, emails, etc.), some more thought was required.

I decided to investigate further…

I invited an attorney (recommended by our own CTO) specialized in personal data matters (data processing and data protection rights & CNIL declarations and controls) to the office to have a chat on what types of assistance he could provide to us. After over an hour of discussion with him, I realized one thing: the new GDPR regulation is so new, that no one is an expert. We were all in the same boat trying to figure out at the same time what GDPR really means and how we could implement the specific provisions. We were all on the same learning curve.

So after analysis of his proposal, evaluation of the costs involved (not a small chunk of change!), and after discussing internally in our company with our CEO and CTO, I decided against the hiring of an outside DPO. The time and money involved to learn our data systems and processes in place did not pan out.

Of course, if you do not have an in-house legal counsel or compliance officer in your organization, you may need to call upon an outside external expert to take your company on the right path towards GDPR compliance.

A new challenge for yours truly

Yes, I was already pushing through as Head of Legal of our company, with the myriad responsibilities that go along with it. I now had to add the task of DPO and GDPR compliance to that list! But since I can never turn down an interesting opportunity… I accepted the exciting challenge! And took on the designation as – Darine Fayed, DPO. It made the most sense, since I was already dealing with the legal aspects of data privacy on a day to day basis. I was entering into data protection and EU Model agreements regularly, acquiring knowledge of cloud processor requirements and rights of recipients daily.

Now to tackle being GDPR compliant and as I do best: setting an ETA way ahead of schedule! End of year is just around the corner!

Are you on a GDPR compliance journey? Have you, too, taken on the challenge of being DPO? Tell the Mailjet team about it on Twitter.

This post was first published on the Mailjet Medium account.