GDPR Journal: The Steps We Took Towards Working With 3rd Party Providers

Welcome to the fourth instalment of the Mailjet (and my personal) GDPR Journal. So far we’ve looked at how I became a DPO, our GDPR compliance roadmap and how I updated our Privacy Policy to be in line with GDPR. It’s been a rollercoaster and the saga is set to continue as the next step was to look at not just our internal processes, but those of our partners and 3rd party providers.

Why am I focusing on this for a whole journal entry? I hear you ask. Well, because one of our biggest challenges in getting through our GDPR compliance roadmap was to perform an audit of our entire privacy framework. In other words, to audit all our existing third-party providers and software applications to ensure that they themselves were also meeting the GDPR requirements on data protection.

Why are we talking about our own providers?

At Mailjet, we collect and process the personal data of our clients (names, email addresses, IP addresses etc.) and under GDPR we must ensure that our entire privacy framework respects the rules GDPR brings into effect. So, that means our own providers as well. Why? Because some of our data flows to these solutions, thus data protection must be compliant on all fronts.

In a post-GDPR era, we are all equally responsible for the protection of data subjects’ personal data. Meaning, not only will our clients (Data Controllers) be responsible, but also the Data Processors (in this case us), our own providers, their providers and so forth.

What kind of providers are we talking about?

Well, it could be: CRM solutions used by Sales and Marketing teams (e.g. Salesforce), cloud IT services (e.g. Google, Amazon), social interaction and messaging systems used by Marketing and Support teams (e.g. Slack, Messenger), project management tools used by Product and Development teams, or external payroll and HR management solutions used by Administrative teams. I’m sure you probably use some tools like these.

Being a small, agile business, each department regularly uses various online solutions and applications to help with their day-to-day activities. In the past, a member of Team Mailjet would most likely find a free or relatively cheap tool that could help his or her team, then quickly sign up without reading much of the terms and conditions behind the tool.

So, after functioning in this manner for several years, we found ourselves in a position where the company now had subscribed to various applications across its different departments — and all without much control over the access, uses and information collected.

Ok, so where did we start?

The list was grand and the audit task proved quite daunting. Let’s see my action plan… Here are the key steps we took in order to complete the internal audit and analysis:

1. A complete list of all service providers and applications

The list needed to include:

  • The providers and applications used.
  • The exact customer data that was collected and transferred to these specific providers.
  • Why the data was used.
  • Where they stored the data.
  • If there were any data transfers.
  • What it meant to our clients.

We included other useful information in this third-party provider list, such as the user access rights involved and the dates of the last verifications.

To compile this list, we set aside some time with each department head and began. The exercise actually proved not only to be beneficial for GDPR compliance, but also to help immensely with keeping control of a growing business such as Mailjet.

This specific step took us several months. So start now if you haven’t already done so, because the 25th of May is creeping up on us quickly!

2. Ask your 3rd party providers some important questions

Next on my list was to contact every provider and ask some tough questions. I’m a big fan of making light of a big task, so I decided the best approach was to send out a questionnaire asking for details on their information security and data protection measures. The form included questions on:

  • Information security.
  • Risk management policies.
  • Employee training.
  • Physical security.
  • Access control measures.
  • Data protection organization and technical measures.

Take a look for yourself at the 12 questions we asked.

3. Assess the level of risk

Depending on the responses I received back, I then had to assess the risks of transferring any of our own clients’ data to their platforms and data centers. This essentially meant verifying their measures, checking whether they were up to par with industry standards, and checking whether they were on the right track to data protection compliance.

4. Review all contracts in place and introduce new clauses and/or amendments

As part of the risk assessment, I also had to make sure that we put in place specific contractual clauses and amendments, so that these data privacy measures would be respected at all times while we were using their services.

I then proposed various EU model clauses or data protection agreements with these providers to ensure we had the correct documentation in place, and in some cases negotiated the limits of liability between our companies in case of a third-party claim.

5. Switch to GDPR compliant providers

In some cases, the responses I received back were vague or evasive, to say the least. In these cases, a quick evaluation was needed of whether we could improve their commitment levels or switch to providers that could show they were on the right track. We started this process early, so that we could switch over to another provider should the need arise. So, be sure to give yourself enough time.

6. Review and control: Right to audit and yearly check

Next, I made sure to include in all contracts and amendments the right to audit the provider upon notice. That way we could check at any moment whether our providers were not just talking the talk, but also walking the walk.

And finally, now that we’ve successfully jumped this massive hurdle, we need to ensure we update it on a yearly basis. This means that we will need to verify that all our third-party providers continue to maintain the same level of technical and organizational measures to ensure their security and data protection. How will we do this?

  • Perform audits.
  • Re-send the third party questionnaire for updates.
  • Continue to ask the tough questions.

So there you have it, six steps to ensure all your third-party providers are GDPR compliant.

Have you reviewed your 3rd party providers? Or are you now thinking you need to? Share your experience with Mailjet on Twitter.

GDPR Journal: Privacy Matters. Really.

As our resident legal expert here at Mailjet, I set aside at least a full day each week to take care of our data privacy issues. I had put together a compliance roadmap of items to be handled before the year-end as part of the GDPR readiness plan. The next item on my to do list was to update our Privacy Policy.

Privacy Matters With GDPR

So what exactly is a Privacy Policy?

You see them on most websites: Privacy Policies drafted in various different ways. But what is it exactly? It’s important to note that a Privacy Policy is not the same as the Terms and Conditions of Service (or of Use). If you collect and process personal data, you are likely required to provide information, accessible to your users, that details your data privacy policies.

The old EU directive required certain information to be provided to data subjects in the case of data collection, including the company’s identity, the data processing purposes, the existence of certain rights to access and rectify the data, etc. Each EU Member State also has this requirement. The new EU GDPR requires that this information be even more detailed and clearer.

So in collecting personal data, you should disclose the ways that you gather, use, disclose, and manage your customers’ or users’ data, as each individual has a fundamental right to the protection of their data and to be informed.

What needs to be included?

I last updated Mailjet’s Privacy Policy in September of last year. At the time, I wanted not only to harmonize all our online policies but also to make them clearer for our customers — and the previous version was, to say the least, pretty outdated.

And this time around, I needed our policies to be fully in line with the new GDPR requirements — as it imposes additional requirements as to the information to be provided on the collection of personal data. For example, not only do the purposes of processing need to be provided, but now also the legal basis needs to be stated. In our case for Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.

As a summary, the key information to be provided to your clients and users under GDPR is:

  • Identity and contact details of the data controller
  • Contact details of the DPO (when applicable)
  • Processing purposes and the legal basis
  • Where the processing is based
  • Recipients of the personal data, if any
  • Data transfers outside EEA, when applicable
  • Data retention period
  • Rights to access, to rectify and to delete data
  • Right to lodge a complaint with a supervisory authority
  • Existence of any automated decision making (including profiling) and the logic behind it

How exactly to create/update your policy?

In my opinion, the best way to tackle this project was to go through the actual GDPR regulation — article by article — and modify our Privacy Policy accordingly.

I had to include the now necessary information (including the new contact information of our DPO — if you’ve forgotten, yours truly — the supervisory authority and the right to lodge a complaint…) while at the same time attempting to describe all this in a clear and concise manner.

One of the main underlying principles of the GDPR is the principle of transparency; this requires that any information addressed to the public be clear, concise, easily accessible and easy to understand. The information provided shouldn’t be bogged down in legal jargon or cumbersome online conditions.

So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.

After spending several hours on the first draft, I passed it along to my fellow colleagues (those without a legal background), so I could get some feedback as to the clarity and understandability of the document. I also met up with our CTO to ensure we were aligned on a technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day, I had a nice working draft. Hurrah!

I spent the following few days tweaking the policy to make it just right and coordinating with our marketing team to set up the schedule for its release date. Of course, we needed to give our clients at least 30 days’ notice for these updates and create a clear email describing the changes. At the same time, some modifications needed to be made to our Terms of Use, so why not use the same notification to our clients for both? Two birds with one stone.

What was updated?

The main items that were incorporated into our new Privacy Policy (which was effective as of September 15th) are:

  • To harmonize the terminology with the terms used in the GDPR (words such as: data subject, controller, data processor, supervisory authority)
  • To clarify the consent policy (how we obtain our client’s consent)
  • To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
  • To define our legal basis for data processing
  • To allow us to respond directly to a request from a data subject to modify or delete his/her data. In the past, we had to request authorization from our customer directly and await their instructions.
  • To better clarify our data retention periods (this is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise — and this retention policy needs to be worked on closely with our technical team to put in place the right processes).
  • To communicate our new minimum password security requirements
  • To share our new DPO contact information (yours truly!)

Take a look at our GDPR compliant Privacy Policy.

In the meantime, are you creating or updating your company’s privacy policy? Share your experience with Mailjet on Twitter.

This post was first published on the Mailjet Medium account.

GDPR Journal: On The GDPR Track, Our Compliance Roadmap

In case you missed my first post, I am documenting our GDPR compliance journey, from where I sit as an in-house attorney working for an EU and International SaaS company. Get up to speed by reading my first diary entry.

Take your mind back… It’s the end of May – one year before the new EU data regulation comes into effect. Articles are coming out about how to be prepared, published by so-called experts, law firms, compliance firms and other run-of-the-mill companies trying to attract traffic. So there was truly a lot of information out there. But where to begin? How do I prepare our company – an SME based in Paris – for the GDPR?

The myriad of articles being published on the subject offered much information, but I wasn’t clear as to the source and its accuracy. Being a trained attorney, I couldn’t rely on other people’s information. So it was best that I start from scratch. I needed to outline for myself the steps needed to get us from point A to point C (C for Compliance).


First Step: Understanding the new regulation and what it meant for us.

I knew I needed to set aside some time to delve into the actual law. I printed out and book-bound 2 hard copies and set myself up on the sofa in an empty conference room – away from phone calls, emails and colleague requests. I gave myself 2 hours and read cover to cover the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (or in English, GDPR). I’m an attorney by trade, so reading the actual law to me is really interesting stuff! (Yes, I’m a bookworm at heart.) I highlighted the sections and paragraphs relevant to my company (considered not a data controller but instead a data processor) and took notes at the same time.

Why 2 copies? (I promise I wasn’t wasting paper.) Well, I work in Paris where I speak 2 languages – English and French. So I wanted the law in both of these working languages. I began by reading through the English version and put aside for another day my attack on the French version, as it is helpful to learn the terms and phrases used in the actual law.

Second Step: Roadmap Planning

Setting a roadmap sounds simple, right? Not exactly: the challenge began with analyzing the new law and identifying our requirements. I had a short period of time to put in place our key trigger dates. May 2018 is not that far away!

At the same time, I was dealing with demands from all angles: clients, internal sales teams, and company shareholders. Everyone wants us to be compliant today, when there is still much road work to lay out before we can put the actual measures in place. I also wanted to ensure that the steps were carried out properly, instead of just fast-tracking the process so we could use the word “compliant” in our communications.

There was also the aspect of inter-departmental collaboration. The implementation had technical constraints. Just because the law stated one aspect did not mean that it could simply be “implemented” in the blink of an eye. Each measure needed technical planning, testing and control before any actual implementation. So the roadmap and implementation needed to be dealt with hand in hand with the technical and operational teams. I also had to work with our marketing and sales teams to align our message on compliance and the roadmap to be taken.

Third Step: Mailjet’s Roadmap

After several drafts, and internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap.

Here are the steps I came up with and the related calendar to bring our company up to speed from point A to C (remember, C for Compliance).

Mailjet GDPR Roadmap

Summary

  • May – June 2017: Nomination of Data Protection Officer (articles 37-39 of the GDPR)
  • July 2017: Training (articles 7-8 and 12-15). Security and data privacy training sessions to be put in place for all employees and contractors.
  • July 2017: Data breach procedures (articles 33 & 34). Data breach response plan. Process to notify controller without undue delay after becoming aware of personal data breach and document such breach.
  • July – September 2017: Data processing records (article 30). Record of processing activities, including, purposes of the processing, description of the categories of data and recipients, any transfers. Update periodically.
  • July – November 2017: Audit and Analysis of privacy framework (articles 28-30 of the GDPR). An internal audit of all our existing third-party provider contracts to ensure compliance with GDPR, and to make any necessary amendments; a review & update of our current company insurance coverages; to put in place the requisite processes; a periodic review and control.
  • October 2017: Ensure appropriate technical and organizational measures (article 28). Guarantees by processor to implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects & Update data protection agreements and appendices.
  • October 2017: Data portability (article 20). Ensure data subjects’ right to portability (facilitates ability to move/copy/transmit personal data easily – whether to their own systems, the systems of 3rd parties or those of new data controllers).
  • October – November 2017: Reevaluate notice, consent and withdrawal mechanisms (articles 44 – 50). Identify cross-border data flows and review current mechanisms in place. Ensure adequate level of protection with contractual clauses.
  • October – November 2017: Data protection by design and by default (article 25). Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation.
  • November 2017: Security of processing (article 32). Technical & organizational measures to ensure a level of security appropriate to the risks at stake.
  • December 2017: Data protection impact assessment (article 35). Assessment of the impact of processing operations on the protection of personal data with advice of the DPO.

Now off to implement these wonderful concrete steps… GDPR compliance, here we come!

Are you currently in the process of becoming GDPR compliant? Tell us about your compliance journey and the biggest pain points of your experience so far on Twitter.

This article was first published on Mailjet’s Medium Account.

GDPR Journal: What I’ve Learned Since Becoming A Data Protection Officer

I’m Darine Fayed, (Head of Legal @Mailjet, attorney practicing for more than 14 years) and I write from a personal viewpoint of an in-house lawyer who, along with the rest of EU and international companies, is under the pressure of getting our company ready for GDPR before May 2018. New to GDPR and wondering if it affects you? (Psst – it probably does) Head here to our GDPR resource hub.


In getting ready for GDPR (General Data Protection Regulation), and putting in place the measures to make Mailjet 100% compliant, one question I had to ask was: are we required to nominate a DPO?

Firstly, what is a DPO?

For background, a Data Protection Officer (DPO) is an individual – internal or external to the organization – who is involved in all issues which relate to the protection of personal data. Their responsibilities include such things as advising the company of its data protection obligations, monitoring compliance with the rules in place, cooperating with the data authorities, and acting as the contact point for data protection questions.

So, when do you need a DPO?

While the concept of a DPO was not exactly a new one, the GDPR has now made its appointment mandatory for certain companies. GDPR states that there are 3 cases where the designation of a DPO is mandatory:

  1. The data processing is carried out by a public authority or body.
  2. The core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The core activities consist of data processing on a large scale of special categories of data or data relating to criminal convictions and offenses.

OK, it’s nice enough to list out these 3 specific cases. But let’s be honest, it’s a bit ambiguous. Being an email service provider (if you didn’t know, Mailjet is a private company that sends millions of emails for clients all over the world), I was pretty sure we didn’t fall into the first or last case. Not the first case, because we are not a public entity. Not the last case, because we do not process any “special” data. But what about the second one? It wasn’t exactly clear. Large scale data processing? Regular and systematic monitoring? What was the exact definition of these terms? As a side note, and fortunately, the Data Protection Working Party on GDPR released guidelines on DPOs that helped answer these questions. Unluckily for me, though, these guidelines came out after the fact.

Today these guidelines give various examples of large scale processing, which now clarify the terminology. Examples they offer include: processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, and processing of personal data for behavioral advertising by a search engine.

It’s worth knowing that not all companies are required to nominate a DPO (whether internal or external to the company). For good measure though, and since we do process data and personal data on a daily basis (personal data includes names, addresses, emails, etc.), some more thought was required.

I decided to investigate further…

I invited an attorney (recommended by our own CTO) specialized in personal data matters (data processing and data protection rights & CNIL declarations and controls) to the office to have a chat on what types of assistance he could provide to us. After over an hour of discussion with him, I realized one thing: the new GDPR regulation is so new, that no one is an expert. We were all in the same boat trying to figure out at the same time what GDPR really means and how we could implement the specific provisions. We were all on the same learning curve.

So after analysis of his proposal, evaluation of the costs involved (not a small chunk of change!), and after discussing internally in our company with our CEO and CTO, I decided against the hiring of an outside DPO. The time and money involved to learn our data systems and processes in place did not pan out.

Of course, if you do not have an in house legal counsel or compliance officer in your organization, you may need to call upon an outside external expert to take your company on the right path towards GDPR compliance.

A new challenge for yours truly

Yes, I was already pushing through as Head of Legal of our company, with the myriad of responsibilities that go along with that role. I now had to add the tasks of DPO and GDPR compliance to that list! But since I can never turn down an interesting opportunity… I accepted the exciting challenge! And took on the designation as – Darine Fayed, DPO. It made the most sense, since I was already dealing with the legal aspects of data privacy on a day-to-day basis. I was entering into data protection and EU Model agreements regularly, and acquiring knowledge of cloud processor requirements and the rights of recipients daily.

Now to tackle being GDPR compliant and as I do best: setting an ETA way ahead of schedule! End of year is just around the corner!

Are you on a GDPR compliance journey? Have you too taken on the challenge of DPO? Tell the Mailjet team about it on Twitter.

This post was first published on the Mailjet Medium account.