Email Blast: 4 Tips to Send Better Email Campaigns

Email blast is bad. There, we said it. Email campaigns should never be unsolicited, but helpful and responsive. They should be careful and resourceful – not lazy and unfocused. Emailing, in general, should never seem aggressive.

Unsolicited B2C cold emailing campaigns are now illegal in Europe (thanks GDPR). And should you even try them, notice your sending reputation drop faster than your eye can blink.

Today, the average customer is sophisticated, and doesn’t only want a personalized experience (although this is still important); they love emails that help them realize their wants and needs.

To help you achieve company objectives, here are some slick up-to-date tips on creating more sophisticated email marketing campaigns that customers want to read and click.

A visual representation of multiple email blasts in Harry Potter
A visual representation of multiple email blasts in Harry Potter


Let’s face it. You’re probably older than 13, not a wizard/witch/made of magic and can relate more to the Dursley’s terror of getting unsolicited (e)mails than Harry’s delight. Evanesco, email blast.

Author’s Note: 

So let me clarify some things up:

Mass email campaigns ≠ Email blast

There is an important distinction to be made. From product announcements to press release emails, mass email campaigns are still important in any well-functioning marketing strategy. There is no denying this.

Most importantly, I don’t consider them as email blasts, specifically because they are not grounded in dodgy sending practices. Mass email campaigns, done well, relies on lists with good hygiene, on good sending practices, on good content and design, etc. Mass email campaigns will always be segmented, even when they’re sent to everyone because this “everyone” excludes opt-outs, inactive emails, and any other person out there that might not be relevant to campaign targets.

The term email blast is getting more associated with irresponsible sending practices, purchased lists that contain dud contacts, and content that triggers spam filters to hell and back. These still happen in places with less robust policies on compliance and email sending. This is the version of the term that email marketers want to distance themselves from, worldwide. And legitimately so.


1. What is an email blast

Email Blast
A Halloween pumpkin rotting at the sight of an email blast


An email blast is one email sent to a lot of people. This email would not target particularly anyone, let alone a segment of people.

This email would be devoid of personality – a flavorless thing. If this email was a type of food, it’d be chicken breast, without the protein. If this was a drink, it’d be water that dehydrates. If this was waste, it’d be plastic trash… you get the picture.

Nowadays, no one likes being the victim of an email blast. So while this is a great piece of email history – and a great trivia to spurt out in email geek parties – email blast is an ancient practice that no efficient email marketer does anymore, because it doesn’t work.

2. Why should you stop sending email blast marketing campaigns

Today, when there are email apps that allow emails to be more personalized and data-driven, sending out an email blast is lazy and outdated, and could indicate that you’re not taking your email marketing seriously.

The ROI on email marketing may be high, but you might lose money if you use an email tactic that lowers your email subscription and deliverability. Your sending reputation is your digital credit. If your IP has bad sending reputation, all your digital actions might be labeled as untrustworthy and spammy. Not good for marketing.

Lisa Simpson talks about email blasts
Lisa Simpson talks about email blasts

3. 4 tips on how to send better and cleaner email campaigns

3.1 Grow your email lists organically

There are many ways to organically grow your email lists. You could use social media, include subscription widgets and pop-ups on your website, include a newsletter opt-in in your emails, create multichannel campaigns that encourage subscription… if you just flex your creativity, the sky’s the limit (unless you hire a skywriting service).

3.2 Segment your email lists

Segmentation divides your contact list into smaller groups based on a set of traits. This can be a great personalization technique to deliver relevant emails that subscribers want to see based on their interests.

At Mailjet, we have advanced segmentation features for data-tracking. These allow you to track the effects of segmenting your contact lists in real-time. To really jumpstart your segmentation, we also have an API integration with Segment so that you can see the effects of creating subgroups that are relevant (or not).

It’s no secret that segmenting your lists can increase email click and open rates. But segmentation needs to be correct in order to work well. Whether this is on gender, age, location, industry, or email behavior, you need to be data-driven but person-led in your segmentation tactics. It pays to know how to segment your lists but you already need to be sending the right emails, with the right content, at the right time(s) in order to be effective. Done well, segmentation can increase not only open rates but actual revenue.

3.3 Send personalized email campaigns

Sending out personalized email campaigns is the bread and butter of modern email marketing. You want to take advantage of the plethora of services that both automate and personalize your email campaigns. Personalized email campaigns perform better in open and click rates than their bland counterparts. And who wouldn’t want to see that you’ve done that extra mile in including their name in your emails?

For example, at Mailjet, we have personalization features that allow you to fill in various types of property information. You can also use our API integration with Zeta to segment your contact lists into relevant subgroups that get the right content on the right time. As we have already covered on our article on great newsletter examples, Really Good Emails simply but elegantly does name personalization quite well.

3.4 Follow email marketing best practices

Adapt a customer-centric email design that highlights your products
While it is always best to design marketing campaigns that customers would love to read and scroll through, they also love to discover. Holistic Marketing has written a great article on the importance of creating emails that are helpful and customer-facing, with great examples.

Add an unsubscribe link
Including an unsubscription button or link to your emails is mandatory in Europe, but it’s also best to do it elsewhere, too. This is because people who don’t want to get your emails anymore will tend to avoid reading your future emails, or, worse, flag you as spam.

Ratio text/images
Sending out well-optimized emails for as many email clients as you can will, well, ensure that everyone receives your emails in the same format. Our friends at Litmus created an excellent guide on optimizing background images. At Mailjet, we agree and like to keep our design responsive.

Create emails that render well across multiple email clients
Arguably, the most important thing in email marketing is ensuring that your emails are sent in the way you intended them to be. Unfortunately, as there are 50+ email clients out there, rendering for each can be a daunting, complicated task. Our MJML templating language simplifies this task by (1) simplifying HTML allowing you to code much more efficiently and (2) getting regular updates that ensure your design and coding remain responsive.

4. Get creative

Of course, there are also tons of other stuff you should be following in order to really improve your email campaigns. You could add inspired .gifs on your emails. You could also add rich media if you know how to code for emails – always a banger. You can also improve your subject lines by adding emojis.

This list is endless.

Tweet us @mailjet if have ideas on doing things other than an email blast.

Contact Management Under GDPR: The Ultimate Set Of Features You Need

Mailjet has been one of the first ESPs (ok THE first) to get onboard with all GDPR requirements.
We know you missed us talking about GDPR, right? 😂

On a more serious note, our customers were very curious about GDPR compliance and are pretty concerned about security and data protection. You know, we are constantly working to make things easier for you. We gathered below all features related to contacts and GDPR available for all Mailjet’s customers.

Refresh your subscription form to add the new GDPR-compliant consent box

For optimal transparency and safety, we advise our users to implement Mailjet’s double opt-in subscription widget to build their contact lists.
Now, in addition to making sure that you have the consent of your recipients, you’ll be able download the proof of consent from each of your contacts. ✍🏽

Widget Mailjet GDPR

How do we do this?

  1. In widget creation, a small checkbox has been added. Tick the box.
  2. Customize the text of the checkbox.
Widget Mailjet GDPR

When a user subscribes to your newsletter, the consent information, including the widget name and consent checkbox text, will be added to their contact profile.
Here is an example of a GDPR-compliant checkbox:

Widget Mailjet GDPR
  1. You are all set!

Please note that if you already have our subscription widget on your website, you will need to re-install it to activate the GDPR checkbox, which will enable the proofs of consent to be stored.
This also means that you won’t be able to download a proof of consent for your old contacts.

No worries, though! If you’re using our widget from the beginning, we are here to cover you in case you encounter any issue with a recipient claiming she/he never consented to receive you information. We’ll be able to provide this information as it is registered in our system 😉.

Have your consent proofs stored and available for download when needed

Another great news is that you can now access and download this proof of consent directly from your Mailjet account, whenever you need it, without contacting our Support team.
Wondering how to download the consent proof of your contacts?

  1. Search for a contact in your Contact lists.
  2. Click on it and you’ll access all the details related to it (we did some re-design here by the way 🎨).
  3. The proof of consent needed can then be downloaded right from here:
Contact Consent proof

Delete a contact in one click

As you know, under and since GDPR, contacts are more aware about what informations they share, and it’s really common that they ask about being deleted from any list and any communication.
So besides unsubscribing, checking statuses and statistics, editing contact properties, removing a contact from a list, it’s now possible to delete a contact…from all your lists, in just one click, straight from the contact overview page:

Delete contact

Important note: statistics generated for all the emails sent to the removed contact will not be altered because of the deletion of the contact. But the contact and its informations will no longer be seen in the database, or available for future sendings.

We hope we helped you become (even more) GDPR-compliant.
Let us know what do you think once you set up the new widget on your website, and your opinion about these news in general!

How Email Can Make Up For Declining Organic Facebook Reach

If you’re like 55% of marketers, you have seen a significant decrease in your Facebook page’s engagement since they changed the algorithm to encourage “more meaningful social interactions with family and friends.” While social media platforms are, of course, an important way to connect with your audience, it’s increasingly become clear that doing so means you are communicating on someone else’s property – not your own. You do not own the relationship, the channel, or the data, and therefore are at the mercy of how other platforms decide to distribute your content.

100K followers on Facebook, Instagram, Twitter, or LinkedIn is not nearly the same as 100K subscribers on your newsletter. Assuming you land in 99% of inboxes, and get a respectable open rate of 20%, you are already well above the rate of Facebook followers that will even have a chance of seeing your post. Way back in 2012, organic reach on Facebook was at an all time high of 16%, this was down to 6.5% in 2014, and since changes to Facebook’s algorithm this year brands are seeing organic reach around 2%.

While social media offers the benefit of personalization and targeting in a way we didn’t know possible only a few years ago, email marketing is right there with them and in fact is doing so in a way that is based on the explicit permission of the audience. Something that is, of course, becoming increasingly important in a new age of Data Privacy and GDPR.

The question then is when do you want to use paid and organic content on social media platforms? Do you want to be paying for one click to your website, or do you want to be paying for the beginning of a warm and recurring relationship with your audience? By growing your email list, and from there building a quality, permission-based, relationship, you are building value in your own property.

To make up for this diminishing impact of organic reach on social media platforms, it’s important to apply what you’ve learned from social media’s personalization and data analysis to your email marketing.


Email Marketing & Personalization

Email offers the unique ability to personalize content to your audience – who they are and what they like. Personalization extends beyond just calling out their [First_Name], allowing marketers to curate content, links, images, and even videos based on any data and metrics you have received from the user. This is especially true for online retailers who benefit more than many other brands with advanced data including buying history, location, and more. Today, however, only 39% of online retailers send personalized product recommendations.

At first, personalization can seem daunting when you think about customizing a message to every single individual in your list, a list that may reach into the millions. Personalization, however, doesn’t need to be about one-to-one relationships, instead it is about personalizing your content to broad categories like interests, behaviours, or any attribute that can be shared by many. If you know from previous email engagement, through your website, or any other data collection method, that an email address is associated with a certain attribute – you can use this to personalize future emails.

For example, did they open a previous email about a shoe sale? Did they click a link about women’s jeans? Did they select a specific dropdown item from a menu?

The Miami Heat captures your favorite player when you sign up for their email list. How do they use this information? In any an infinite amount of ways – they could segment their list so only people who select that player receive the content (more on that below) or they could feature a rotating case of players in their bulk email and personalize who will appear in the email based on the user. If you’re favorite player is Dwayne Wade – guess who’s video interview the Miami Heat include in their email?


Email List Segmentation

As alluded to above, personalization and segmentation are in the same family but are different for a few important reasons. Whereas personalization is about substituting content, images, text, etc. based on data within a mass email, segmentation is about chopping up your contact lists and sending only to certain people…based on data. This could be based on their location, whether they’ve recently opened an email, their level of engagement in your products, who their favourite player is (again), their favorite color, whether they identify as a dolphin or a poodle, whatever you can have fun with and use to serve up content they’d enjoy.

Segmentation is a great way to not only personalize content, but to save money and dramatically increase your ROI. For instance, Mailjet is a volume-based email model meaning our plans are priced on the number of emails you send. If you send an email to every single one of the 100K subscribers of your newsletter, you will be paying for 100K emails.

However, if you segment your list so that only active users receive the email about new product updates, or only US-based subscribers receive your email about an upcoming event in San Francisco, then you not only increase the likelihood of engagement, of return of investment, of the reputation of your domain to inboxes like Gmail – but you also save money. In fact, according to research from Liveclicker, a company that provides personalization services, behavioral targeting delivers an 8 percent increase in email revenue.

Our friends over at Google Cloud Platform know this well. Do you think everyone on their newsletter list received this email? Or only those in the Bay Area?


Email Automation & Integrations

Almost as important as sending the right content to your audience, is sending at the right time. Marketing automation tools, paired with the personalization tips above, allow for you to communicate with your customers at the optimal time based on any number of triggered events or actions such as newsletter signup or purchases. For example, when users make their first purchase on your website, or sign up for your newsletter, you can increase engagement and personalization through a drip campaign customized to their interests and behaviours.



When you first sign up for a weekly newsletter, it may take up to 7 days to actually receive that first newsletter in your inbox, depending on when you signed up. You devoted all of your energy and money in order to (1) identify your target audience, (2) find out how to get their attention, (3) provide value or serve up an ad to get them to sign up for their newsletter, and then after all that you just add them to a long list of other users. They are as hungry for your content as anyone on that list, but you don’t serve them what they want, when they want it.

Automation allows you to send the content they are craving right away so that the weekly bulk newsletter isn’t the first email they receive from you. Perhaps the first one is a welcome email featuring a blog or video you think they will enjoy (ideally based on the data they’ve given you already). Perhaps the second email is something of even more value, like a discount code or a one-time sale. By building trust and offering value right off the bat, you can count on this user continuing to open your emails moving forward.

You can take your automation even further by integrating apps like Shopify, Wufoo, and yes even Facebook.

Many brands use integrations like Shopify to leverage the data they receive from triggers like purchases and abandoned carts to better personalize their campaigns and segment their lists. Doggyloot for instance keeps their customers coming back with e-commerce integrations into their email marketing to not only personalize the content but also target their sending to those they know are already interested in purchasing a product.


Permission-Based Targeting

As organic reach on social media declines, and we move increasingly towards a permission-based marketing world, it doesn’t mean we need to move away from tailored content informed by data. In fact, as opposed to relying on a mysterious algorithm on property you do not own, learn more heavily into your own permission-based data collection tools on property you do own: your email lists.

Are Startups Ready for GDPR? We Look To The Numbers

It’s finally here! After several months of preparation, this week the General Data Protection Regulations (GDPR) finally comes into effect. This new European regulation will affect all companies, wherever their country of origin, and regulate the collection and processing of private data from European citizens.


In order to make startups aware of their obligations under GDPR, Mailjet created a quiz in 2017 to assess their level of compliance with the main requirements of this regulation. While nearly 12,000 start-ups have responded to the quiz since its launch, we analyzed a sample of about 2,000 respondents from France, UK, Spain, Germany and the US who completed the survey within one month of GDPR. The goal? To understand which startups around the world are ready and which still have a bit more work to do!


Key Takeaways

In Europe, France is trailing the pack on data encryption (with only 21% of respondents encrypting their data) and only 40% having proper proof of consent). The United Kingdom is at the top of the list, with 33% of start-ups properly encrypting their data and nearly half have verified their supplier’s compliance with the GDPR. On the other side of the Atlantic, American startups seem to be much more prepared on several key areas… Dig into the full results below!



Now it is your turn!

How well are you prepared for the GDPR? Try the quiz yourself, and get started on the right foot with a GDPR compliant email service provider. Create a Free Mailjet Account Now!

GDPR in the US & Canada: How will it affect your business?

GDPR Webinar Poster

GDPR, the EU’s General Data Protection Regulation, comes into effect in May this year and many North American companies are still asking themselves how this will relate to them, how they can best prepare for these changes, and how to avoid potentially massive fines. Mailjet, a GDPR-compliant email service provider, is hosting a 3-part webinar series entitled GDPR in the US & Canada. The first in the series features Mailjet’s Head of Legal and Data Privacy Officer, Darine Fayed, who covers:

  • What exactly GDPR is, how this new legislation applies to companies in North America, and what will happen if you don’t comply
  • How does GDPR affect North American businesses and marketers, and how does it differ from existing data protection laws (e.g. Safe Harbour, CASL)
  • The 8 key changes that GDPR brings to the data protection playing field
  • What steps you should be taking today to ensure you are ready before May. You are encouraged to also fill out our GDPR Quiz beforehand to know where your company stands in terms of GDPR knowledge.

Be sure to sign up for our second Webinar in the GDPR in the US & Canada series, March 13th at 11am EST.

Watch the Webinar #1 Now

Getting Security And Privacy In Email Right

How many times have we said that email has the highest ROI, or that it’s the most effective marketing channel? It even looks like we have some kind of secret master plan to trick everyone into using email… 🤔

Subtle marketing techniques aside, the truth is email is a quick, cheap and highly customizable way to contact customers. But of course, as a business working with personal data, you know that privacy and security are not things to be taken lightly. Protecting sensitive information and preventing hacks or leaks is key.

That’s why email has to be secure, to ensure all of this data is safe and only available to those with the rights to access it.

“Phishing and spoofing are huge threats in the email world today. It’s incredibly important to ensure you have set all possible protections to prevent spoofing.”
– Lauren Meyer, VP of Delivery & Head of North American Operations at Mailjet

With data protection and data security constantly in the news, and GDPR coming into effect in May, email privacy and security is as crucial as ever.


Mailjet GDPR:ISO Compliant Header


Keeping your email data private and safe

Laws around the world regulate the use of emails. There are obviously the different spam laws, which differ from country to country and that you need to know them and ensure you’re following the ones that apply wherever you’re operating.

But there are also transnational agreements, signed between countries or supranational entities (like the EU), to help companies establish themselves abroad, and comply with local laws. Among the agreements you’ll need to be familiar with, and ensure you comply where appropriate, the key one for those with European contacts is the EU General Data Protection Regulation (or GDPR).

GDPR was passed in 2016. It strengthens the current European regulations regarding data security within the EU members estates. Any company, organization, association and administration, should it be a private or a public one (that is, any structure with access to personal data) will have to comply with GDPR, starting May 25, 2018. European companies, but also non-European companies with EU customers, will have to make sure that only mandatory data that is relevant to their activities is collected.

They will also have to ensure that the physical servers where the data is stored are safe and under protection. Any data transfer out of the EU will be done under strict rules. If a company fails to comply with these new rules, it can be sanctioned with a fine equal to up to 4% of its yearly turnover, or 20 million euros, whichever is higher. Under this new EU rule, all personal data will be subject to the highest security, so consumers can trustfully interact with companies.

But this doesn’t just mean that you have to ensure your own business complies with GDPR, it also means that any third-party solutions you work with have to be GDPR-compliant too. This, obviously, includes your email service provider, so it’s key to choose wisely (spoiler alert: read on to find out why Mailjet is a good choice 😉).

Data security is a big deal in Europe, so before starting your operations on EU soil, be sure to comply with the rules in place, as well as the upcoming ones, and be careful only to choose GDPR-complaint third party solutions, like Mailjet.

Mailjet GDPR Quiz

The technical side of email security

But all these legal – yet important! – considerations aside, how can you ensure that both the emails you send and the ones you receive are really safe?


One of the ways in which we can protect the information contained in emails is through encryption.

When we’re talking about encryption, there are different possibilities. Encryption of messages is probably the most efficient procedure when it comes to email security. Contrary to the popular belief, DKIM does not provide encryption of the messages. However, it adds a layer of authentication that helps you to protect your emails.

To ensure a proper encryption of your email, you can also use these tools, which support the OpenPGP standard: For example, you can try GPGTools, which is natively integrated with Apple Mail and allows you to send encrypted emails (end to end encryption).

Another possibility is encrypting the channel that leads your email to go from server A (your sending server) to server B (your recipient’s server). This is the role of the Transport Layer Security, or TLS. The only issue here is that TLS is still not used by all the ISPs. Meaning that if you send a TLS encrypted message and your recipient’s server doesn’t follow this protocol, the encryption won’t be effective

Security of the data storage servers

You also have to be sure that the servers where the data is stored are safe. If you store this data yourself, complying with the requirements of GDPR is a minimum. Keep your servers under surveillance 24/7, and limit the number of people that have access to them. This is mandatory for your company, and it is crucial to keep your user’s information safe and, ultimately, their trust.

If you rely on a third party to store the data, look for solutions that offer the best guarantees. Redundancies, fire risk prevention, high security levels, energy self-sufficiency… Since you’re not the one directly managing the server, you have to be sure that all of these necessary precautions are followed, to ensure the maximum level of security. If you have European customers, having your servers located in Europe can also be a good idea, since the stricter European laws will apply.

“Organizations collect, process and hold ever-increasing volumes of personal data to enable relevant and timely email communication with their customers. Data security continues to be a huge responsibility and challenge, and they need assurance that their email service provider can deliver this.”– Pierre Puchois, CTO Mailjet.

Email security and privacy at Mailjet

Mailjet makes security a priority, which is why we decided to obtain the ISO 27001 certification, the international standard for best practices of information security process, which requires companies to not only implement company-wide processes pertaining to security policies, data handling and access, but also infrastructure changes.

Our security processes begin with our product development, and the scope, lifecycle and fundamental principles of Mailjet’s security policy are to the highest standard, ensuring all information hosted on the Google Cloud and OVH platforms is secure.

But by choosing Mailjet, you’re not opting for an ESP provider that is ISO-certified, but also for one that has completed all the necessary steps to be GDPR-complaint, including the implementation of privacy frameworks, data protection by design, and the ability for individuals to easily have more control over their personal data.

“These accomplishments in data privacy and security propel Mailjet to another level of service excellence in the competitive email industry. We’re proud of these achievements and what it means not just for our clients, but for the individuals whose data we protect on behalf of our clients.” – Alexis Renard, CEO Mailjet

And you? Are you GDPR-ready? Find out by taking our GDPR quiz, and share your results with us on Twitter

GDPR Journal: The Steps We Took Towards Working With 3rd Party Providers

Welcome to the fourth instalment of the Mailjet (and my personal) GDPR Journal. So far we’ve looked at how I became a DPO, our GDPR compliance roadmap and how I updated our Privacy Policy to be in line with GDPR. It’s been a rollercoaster and the saga is set to continue as the next step was to look at not just our internal processes, but those of our partners and 3rd party providers.

Why am I focusing on this for a whole journal entry? I hear you ask. Well, because one of our biggest challenges in getting through our GDPR compliance roadmap was to perform an audit of our entire privacy framework. In other words, to audit all our existing third-party providers and software applications to ensure that they themselves were also meeting the GDPR requirements on data protection.

Why are we talking about our own providers?

At Mailjet, we collect and process the personal data of our clients (names, email addresses, IP addresses etc.) and under GDPR we must ensure that our entire privacy framework respects the rules GDPR brings into effect. So, that means our own providers as well. Why? Because some of our data flows to these solutions, thus data protection must be compliant on all fronts.

In a post-GDPR era, we are all equally responsible for the protection of data subjects’ personal data. Meaning, not only will our clients (Data Controllers) be responsible, but also the Data Processors (in this case us), our own providers, their providers and so forth.

What kind of providers are we talking about?

Well it could be; CRM solutions used by Sales and Marketing teams (i.e. Salesforce), cloud IT services (i.e. Google, Amazon) social interaction & messaging systems used by Marketing and Support teams (i.e. Slack, Messenger), project management tools used by Product and Development teams, external payroll & HR management solutions used by Administrative teams. I’m sure you probably use some tools like these.

Being a small agile business, each department regularly uses various online solutions and applications to help with their day to day activities. In the past, a member of Team Mailjet would most likely find a free or relatively cheap tool that could help his or her team, then they would quickly sign-up without reading much of the terms and conditions behind the tool.

So, after functioning in this manner for several years, we found ourselves in a position where the company now had subscribed to various applications across its different departments — and all without much control over the access, uses and information collected.

Ok, so where did we start?

The list was grand and the audit task proved quite daunting. Let’s see my action plan… Here are the key steps we took in order to complete the internal audit and analysis:

1. A complete list of all service providers and applications

The list needed to include;

  • The providers and applications used.
  • The exact customer data that was collected and transferred to these specific providers.
  • Why the data was used.
  • Where they stored the data.
  • If there were any data transfers.
  • What it meant to our clients.

We included other useful information in this third-party provider list such as, the user access rights involved and the dates of the last verifications.

To compile this list, we set aside some time with each department head and began. The exercise actually proved to not only be beneficial for GDPR compliance, but also helps immensely with the control of a growing business, such as Mailjet.

This specific step took us several months. So start now if you haven’t already done so, because the 25th of May is creeping up on us quickly!

2. Ask your 3rd party providers some important questions

Next on my list was to contact every provider and ask some tough questions. I’m a big of making light of a big task, so I decided the best approach was to send out a questionnaire asking for details on their information security and data protection measures. The form included questions on;

  • Information security.
  • Risk management policies.
  • Employee training.
  • Physical security.
  • Access control measures.
  • Data protection organization and technical measures.
  • Take a look for yourself at the 12 questions we asked.

3. Assess the level of risk

Depending on the responses I received back, I then had to asses the risks of transferring any of our own clients’ data to their platforms and centers. This essentially meant verifying their measures, ensuring if they were up to par with industry standards, as well as checking if they were on the right track to data protection compliance.

4. Review all contracts in place and introduce new clauses and/or amendments

As part of the risk assessment, I also had to make sure that we put in place specific contractual clauses and amendments to ensure at all times while we are using their services that these data privacy measures were respected.

I then proposed various EU model clauses or data protection agreements with these providers to ensure we had the correct documentation in place. And, in some cases negotiate the limits of liability between our companies in case of a third-party claim.

5. Switch to GDPR compliant providers

In some cases, the responses I received back were vague or elusive, to say the least. In these cases, a quick evaluation was needed of whether we could improve their commitment levels or switch to providers that could ensure they were on the right track. We started this process early, so that we could switch over to another provider should the need arise. So, be sure to give yourself enough time.

6. Review and control: Right to audit and yearly check

Next, I made sure to include in all contracts and amendments the right to audit the provider upon notice. That way we could make sure if at any moment our providers were not just talking the talk, but also walking the walk.

And finally, now that we’ve successfully jumped this massive hurdle, we need to ensure we update it on a yearly basis. This means that we will need to verify that all our third-party providers continue to maintain the same level of technical and organizational measures to ensure their security and data protection. How will we do this?

  • Perform audits.
  • Re-send the third party questionnaire for updates.
  • Continue to ask the tough questions.

So there you have it, six steps to ensure all your third-party providers are GDPR compliant.

Have you reviewed your 3rd party providers? Or are you now thinking you need to? Share your experience with Mailjet on Twitter.

GDPR Journal: Privacy Matters. Really.

As our resident legal expert here at Mailjet, I set aside at least a full day each week to take care of our data privacy issues. I had put together a compliance roadmap of items to be handled before the year-end as part of the GDPR readiness plan. The next item on my to do list was to update our Privacy Policy.

Privacy Matters With GDPR

So what exactly is a Privacy Policy?

You see them on most websites. Privacy Policies drafted in various different ways. But what is it exactly? It’s important to note that, a Privacy Policy is not the same as the Terms and Conditions of Service (or of Use). If you collect and process personal data, you are likely required to provide information accessible for your users that details your data privacy policies.

The old EU directive required certain information to be provided to data subjects in the case of data collection, including the company’s identity, data processing purposes, the existence of certain rights to access and rectify the data, etc. And each EU Member State also has this requisite. The new EU GDPR requires that this information be even more detailed and clearer.

So in collecting personal data, you should disclose the ways that you gather, use, disclose, and manage your customer or user’s data. As each individual has a fundamental right to the protection of their data and to be informed.

What needs to be included?

I last updated Mailjet’s Privacy Policy in September of last year. At the time, I wanted not only to harmonize all our online policies but also to make them clearer for our customers — and the last update was, to say the least pretty outdated.

And this time around, I needed our policies to be fully in line with the new GDPR requirements — as it imposes additional requirements as to the information to be provided on the collection of personal data. For example, not only do the purposes of processing need to be provided, but now also the legal basis needs to be stated. In our case for Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.

As a summary, the key information to be provided to your clients and users under GDPR is:

  • Identity and contact details of the data controller
  • Contact details of the DPO (when applicable)
  • Processing purposes and the legal basis
  • Where the processing is based
  • Recipients of the personal data, if any
  • Data transfers outside EEA, when applicable
  • Data retention period
  • Rights to access, to rectify and to delete data
  • Right to lodge a complaint with a supervisory authority
  • Existence of any automated decision making (including profiling) and the logic behind it

How exactly to create/update your policy?

In my opinion, the best way to tackle this project was to go through the actual GDPR regulation — article by article — and modify our Privacy Policy accordingly.

I had to include the now necessary information (including the new contact information of our DPO — if you’ve forgotten, yours truly, the supervisory authority and right to lodge a complaint…) and at the same time attempting to describe all this in a clear and concise manner.

One of the main underlying principles of the GDPR is the principle of transparency; this requires that any information addressed to the public should be clear, concise, easily accessible and easy to understand. The information provided shouldn’t be bogged down in legal jargon and with cumbersome online conditions.

So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.

After spending several hours on the first draft, I passed it along to my fellow colleagues (those without a legal background), so I could get some feedback as to the clarity and understandability of the document. I also met up with our CTO to ensure we were aligned on a technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day, I had a nice working draft. Hurrah!

I spent the following few days tweaking the policy to make it just right and coordinating with our marketing team to set up the schedule for its release date. Of course, we needed to give our client’s at least 30 days notice for these updates and create a clear email describing the changes. At the same time, some modifications needed to be made to our Terms of Use, so why not use the same notification to our clients for both? Kill the bird with one stone.

What was updated?

The main items that were incorporated into our new Privacy Policy (which was effective as of September 15th) are:

  • To harmonize the terminology with the terms used in the GDPR (words such as; data subject, controller, data processor, supervisory authority)
  • To clarify the consent policy (how we obtain our client’s consent)
  • To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
  • To define our legal basis for data processing
  • To allow us to respond directly to a request from a data subject to modify or delete his/her data. In the past, we had to request authorization from our customer directly and await their instructions.
  • To better clarify our data retention periods (this is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise — and this retention policy needs to be worked on closely with our technical team to put in place the right processes).
  • To communicate our new minimum password security requirements
  • To share our new DPO contact information (yours truly!)

Take a look at our GDPR compliant Privacy Policy.

In the meantime, are you creating or updating your company’s privacy policy? Share your experience with Mailjet on Twitter.

This post was first published on the Mailjet Medium account.

GDPR Journal: On The GDPR Track, Our Compliance Roadmap

In case you missed my first post, I am documenting our GDPR compliance journey, from where I sit as an in-house attorney working for an EU and International SaaS company. Get up to speed by reading my first diary entry.

Take your mind back… It’s the end of May – one year before the new EU data regulation comes into effect. Articles are coming out about how to be prepared, published from so-called experts, law firms, compliance firms and other round of the mill companies trying to attract traffic. So there was truly a lot of information out there. But where to begin? How do I prepare our company – an SME based out in Paris – for the GDPR?

The myriad of articles being published on the subject offered much information, but I wasn’t clear as to the source and its accuracy. Being a trained attorney, I couldn’t rely on other people’s information. So it was best that I start from scratch. I needed to outline myself the needed steps to get us from point A to point C (C for Compliance).

GDPR Journal: On The GDPR Track, Our Compliance Roadmap

First Step: Understanding the new regulation and what it meant for us.

I knew I needed to set aside some time to delve into the actual law. I printed out and book-bound 2 hard copies and set myself up on the sofa in an empty conference room – away from phone calls, emails and colleague requests. I gave myself 2 hours and read cover to cover the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (or in English, GDPR). I’m an attorney by trade, so reading the actual law to me is really interesting stuff! (Yes, I’m a bookworm at heart.). I highlighted the sections and paragraphs relevant to my company (considered not a data controller but instead a data processor) and took notes at the same time.

Why 2 copies? (I promise I wasn’t wasting paper) Well, I work in Paris where I speak 2 languages – English & French. So I wanted the law in both of these working languages. I began by reading through the English version and put aside for another day the attack of the French version as it is helpful to learn the terms and phrases used in the actual law.

Second Step: Roadmap Planning

Setting a roadmap sounds simple, right? Not exactly, the challenge began with analyzing the new law and identifying our requirements. I had a short period of time to put in place our key trigger dates. May 2018 is not that far away!

At the same time, I was dealing with demands from all angles: clients, internal sales teams, and company shareholders. Everyone wants us to be compliant today when there is still much road work to lay out before we can put the actual measures in place. I also wanted to ensure that the steps were to be taken out properly, instead of just fast-tracking the process to use the word “compliant” in our communications.

There was also the aspect of inter-departmental collaboration. The implementation had technical constraints. Just because the law stated one aspect did not mean that it could be simply “implemented” in the blink of an eye. The measure needed technical planning, testing and control before any actual implementation. So the roadmap and implementation need to be dealt with hand in hand with the technical and operational teams. I had to also work with our marketing and sales teams to align our message on compliance and the roadmap to be taken.

Third Step: Mailjet’s Roadmap

After several drafts, and internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap.

Here are the steps I came up with and the related calendar to bring our company up to speed from point A to C (remember c for compliance).

Mailjet GDPR Roadmap


  • May – June 2017: Nomination of Data Protection Officer (articles 37-39 of the GDPR)
  • July 2017: Training (articles 7-8 and 12-15). Security and data privacy training sessions to be put in place for all employees and contractors.
  • July 2017: Data breach procedures (articles 33 & 34). Data breach response plan. Process to notify controller without undue delay after becoming aware of personal data breach and document such breach.
  • July – September 2017: Data processing records (article 30). Record of processing activities, including, purposes of the processing, description of the categories of data and recipients, any transfers. Update periodically.
  • July – November 2017: Audit and Analysis of privacy framework (articles 28-30 of the GDPR). An internal audit of all our existing third-party provider contracts to ensure compliance with GDPR, and to make any necessary amendments; a review & update of our current company insurance coverages; to put in place the requisite processes; a periodic review and control.
  • October 2017: Ensure appropriate technical and organizational measures (article 28). Guarantees by processor to implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects & Update data protection agreements and appendices.
  • October 2017: Data portability (article 20). Ensure data subjects’ right to portability (facilitates ability to move/copy/transmit personal data easily – whether to their own systems, the systems of 3rd parties or those of new data controllers).
  • October – November 2017: Reevaluate notice, consent and withdrawal mechanisms (articles 44 – 50). Identify cross-border data flows and review current mechanisms in place. Ensure adequate level of protection with contractual clauses.
  • October – November 2017: Data protection by design and by default (article 25). Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation.
  • November 2017: Security of processing (article 32). Technical & organizational measures to ensure a level of security appropriate to the risks at stake.
  • December 2017: Data protection impact assessment (article 35). Assessment of the impact of processing operations on the protection of personal data with advice of the DPO.

Now off to implement these wonderful concrete steps…. GDPR compliance here we come!

Are you currently in the process of becoming GDPR compliant? Tell us about your compliance journey and the biggest pain points of your experience so far on Twitter.  

This article was first published on Mailjet’s Medium Account.

GDPR Journal: What I’ve Learned Since Becoming A Data Protection Officer

I’m Darine Fayed, (Head of Legal @Mailjet, attorney practicing for more than 14 years) and I write from a personal viewpoint of an in-house lawyer who, along with the rest of EU and international companies, is under the pressure of getting our company ready for GDPR before May 2018. New to GDPR and wondering if it affects you? (Psst – it probably does) Head here to our GDPR resource hub.

GDPR Journal: What I’ve Learned Since Becoming A Data Protection Officer

In getting ready for GDPR (General Data Protection Regulation), and putting in place the measures to make Mailjet 100% compliant, one question I had to ask was: are we required to nominate a DPO?

Firstly, what is a DPO?

For background, a Data Protection Officer (DPO) is an individual – internal or external to the organization – that is involved in all issues which relate to the protection of personal data. Their responsibilities include such things as advising the company of their data protection obligations, monitoring compliance with the rules in place, cooperate with the data authorities, act as the contact point for data protection questions.

So, when do you need a DPO?

While the concept of a DPO was not exactly a new one, the GDPR has now made mandatory its appointment for certain companies. GDPR states that there are 3 cases where the designation of a DPO is mandatory:

  1. The data processing is carried out by a public authority or body.
  2. The core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The core activities consist of data processing on a large scale of special categories of data or data relating to criminal convictions and offenses.

OK, it’s nice enough to list out these specific 3 cases. But let’s be honest, it’s a bit ambiguous. Being an email service provider (if you didn’t know, Mailjet is a private company that sends millions of emails for clients all over the world) I was pretty sure we didn’t fall into the first or last case. Not the first case because we are not a public entity. Not the last case because we do not process any “special” data. But what about the second one? It wasn’t exactly clear. Large scale data processing? Regular and systematic monitoring? What was the exact definition of these terms? As a side note, and fortunately, the Data Protection Working Party on GDPR released guidelines on DPOs that helped answer these questions. But not to my luck, these guidelines came out after the fact.

Today these guidelines give various examples of large scale processing, that now clarifies the terminologies. Examples they offer include; processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, processing of personal data for behavioral advertising by a search engine.

It’s a good point to know, not all companies are required to nominate a DPO (whether internal or external to the company). For all good measures though, and since we do process data and personal data on a daily basis (personal data includes names, addresses, emails, etc.), some more thought was required.

I decided to investigate further…

I invited an attorney (recommended by our own CTO) specialized in personal data matters (data processing and data protection rights & CNIL declarations and controls) to the office to have a chat on what types of assistance he could provide to us. After over an hour of discussion with him, I realized one thing: the new GDPR regulation is so new, that no one is an expert. We were all in the same boat trying to figure out at the same time what GDPR really means and how we could implement the specific provisions. We were all on the same learning curve.

So after analysis of his proposal, evaluation of the costs involved (not a small chunk of change!), and after discussing internally in our company with our CEO and CTO, I decided against the hiring of an outside DPO. The time and money involved to learn our data systems and processes in place did not pan out.

Of course, if you do not have an in house legal counsel or compliance officer in your organization, you may need to call upon an outside external expert to take your company on the right path towards GDPR compliance.

A new challenge for yours truly

Yes, I already was pushing through as Head of Legal of our company with all the myriad of responsibilities that go along in that respect. I had to now add the task of DPO and GDPR compliance to that list! But since I can never turn down an interesting opportunity… I accepted the exciting challenge! And took on the designation as – Darine Fayed, DPO.  It made the most sense, since I was already dealing with the legal aspects of data privacy on a day to day basis. I was entering into data protection and EU Model agreements regularly, acquiring knowledge cloud processor requirements and rights of recipients daily.

Now to tackle being GDPR compliant and as I do best: setting an ETA way ahead of schedule! End of year is just around the corner!

Are you on a GDPR compliance journey? Have you too taken on the challenge of DPO, tell the Mailjet team about it on Twitter.

This post was first published on the Mailjet Medium account.