GDPR journal: Privacy matters. Really.
Privacy policies are drafted in many different ways. But what exactly must they contain? GDPR requires that this information be even clearer.
The old EU directive required certain information to be provided to data subjects when data was collected, including the company’s identity, the purposes of the data processing, the existence of certain rights to access and rectify the data, etc. Each EU Member State also imposes this requirement. The new EU GDPR requires that this information be even more detailed and clearer.
So when collecting personal data, you should disclose the ways in which you gather, use, disclose, and manage your customers’ or users’ data, since each individual has a fundamental right to the protection of their data and to be informed.
What needs to be included?
And this time around, I needed our policies to be fully in line with the new GDPR requirements — as it imposes additional requirements as to the information to be provided on the collection of personal data. For example, not only do the purposes of processing need to be provided, but now the legal basis also needs to be stated. In our case at Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.
As a summary, the key information to be provided to your clients and users under GDPR is:
Identity and contact details of the data controller
Contact details of the DPO (when applicable)
Processing purposes and the legal basis
Where the processing is based
Recipients of the personal data, if any
Data transfers outside EEA, when applicable
Data retention period
Rights to access, to rectify and to delete data
Right to lodge a complaint with a supervisory authority
Existence of any automated decision making (including profiling) and the logic behind it
How exactly to create/update your policy?
I had to include the now necessary information (including the new contact information of our DPO — if you’ve forgotten, yours truly — the supervisory authority and the right to lodge a complaint…) while at the same time attempting to describe all this in a clear and concise manner.
One of the main underlying principles of the GDPR is the principle of transparency; this requires that any information addressed to the public be clear, concise, easily accessible and easy to understand. The information provided shouldn’t be bogged down in legal jargon or buried in cumbersome online conditions.
So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.
After spending several hours on the first draft, I passed it along to my fellow colleagues (those without a legal background), so I could get some feedback as to the clarity and understandability of the document. I also met up with our CTO to ensure we were aligned on a technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day, I had a nice working draft. Hurrah!
What was updated?
To harmonize the terminology with the terms used in the GDPR (words such as data subject, controller, data processor, supervisory authority)
To clarify the consent policy (how we obtain our clients’ consent)
To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
To define our legal basis for data processing
To allow us to respond directly to a request from a data subject to modify or delete his/her data. In the past, we had to request authorization from our customer directly and await their instructions.
To better clarify our data retention periods (this is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise — and this retention policy needs to be worked on closely with our technical team to put in place the right processes).
To communicate our new minimum password security requirements
To share our new DPO contact information (yours truly!)