Sender Score and Email Reputation: What Are They and How to Improve Them

Sender Score and email reputation are two terms that are very important and relevant to email marketers and deliverability experts.

But to novices and the general public, there is still a lot of confusion surrounding the terms.

So in this article, we will demystify what email sending reputation and Sender Score actually mean and what they each measure.

What is email sending reputation?

Email sending reputation is a complex metric comprised of different reputations to determine email delivery practices. The most important reputations are:

  • IP Reputation
  • Content Reputation
  • Domain Reputation

In 1996, as emailing became mainstream, spam began to turn into a serious issue. To counter this, large internet service providers (ISPs) providing email services began to use IP Reputation to analyze email quality.

IP Reputation indicates how much users want to get email from this IP address by measuring bounces, spam or unwanted bulk mail (UBE). Back then, there weren’t very robust ways to authenticate a domain address, so ISPs had to create complex IP reputation models that differed from each other, but had the similar task of identifying problematic IP addresses.

After a while, IP reputation alone proved inefficient, because it didn’t consider how different IPs could deliver (junk) emails with identical content.

Advances in technology in the 2000s enabled ISPs to develop a new method of measuring the quality of a sender’s emails through content reputation.

Content reputation works on a set of criteria that determine the quality of a sender’s email campaign content. While certain types of content are clear triggers for ISPs’ content filters (e.g. attaching a virus, a string of words asking for bank details, and so on), a sender’s content reputation goes down when their emails keep getting low open rates or are repeatedly flagged, blocked, and unsubscribed from.

So IP and content reputation work hand in hand to create an overall picture of a sender’s email practices. IP reputation determines the quality of a sender’s email sending through their emailing history. Content reputation analyzes the type of content a sender’s email has and determines if the sender is trustworthy or not.

But as spammers and hackers became even more sophisticated at cheating ISP filters and sending malicious emails, more robust email authentication systems were developed – namely the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) system.

The Sender Policy Framework (SPF) was implemented as a standard in 2014 to check if an email campaign has been sent from an authorized server.

SPF is like an RSVP list of authenticated, valid IP addresses that can send emails on behalf of that domain.

SPF prevents spammers from falsifying the ‘from’ email address to send spoofed emails. But the SPF record, by itself, is not enough and can be susceptible to human error and snowshoe spamming (i.e. spam propagated across different IPs and domains to weaken reputation and pass through ISP filters).

If a sender lists the wrong IPs or domains in their SPF record, then the wrong ones will be able to send emails on behalf of the sender’s domain. ISPs have no way of realizing otherwise, and they penalize the sender’s domain for spam.

Therefore, SPF has to go with a DomainKeys Identified Mail system (DKIM), which allows recipients to confirm that the mail comes from the authenticated owner of that domain.

The email itself contains a signature in the header, called a DKIM signature or a hash value, that allows this authentication. A DKIM signature means that the email has not been tampered with or hijacked upon delivery and comes from a valid sender.

As these authentication systems became more robust, ISPs have developed domain reputation, which measures the quality of a domain’s authenticated emails.

Domain and IPs can be different, after all. For example, Mailjet customers could be using shared IPs that we provide and send emails through their domains.

Email sending reputation is a complex metric built from several different reputations to determine email delivery practices. It developed essentially through a constant game of chase and catch between hackers who send malicious spam and the ISPs that are constantly creating new ways to catch them in the act.

Great email sending practices do not end with the way you create the content and design of your emails; they also include following strict security protocols that help ISPs identify you as a trustworthy sender.

What is Sender Score?

Using a range that starts at 0 and ends at 100, Return Path’s Sender Score is compiled from non-personal data of over 60 million inboxes from different ISPs, spam filtering, and security companies to create a picture of a sender’s email sending practices.

Sender Scores are normally calculated on a rolling 30-day average.

Sender Score may be also indicative of a sender’s email reputation, but they are not the same. If a sender has a high Sender Score, this could indicate that most of the sender’s transactional and marketing emails land in the inbox.

If a sender has a really low score, then there is a high chance that their email campaigns often have high bounce rates, high block rates and low open rates.

It is important to realize that the Sender Score is ultimately based on data that Return Path receives. This score is relevant for ISPs that pay attention to it.

Ultimately, ISPs decide whether you send good emails or not through their own datasets, not on Return Path’s Sender Score.

So while this score might be a good indication of email sending practices, fixing it from low to high does not automatically guarantee that all email campaigns will land in the inbox.

The best way to fix email sending is to look at the source and focus on deliverability (the rate at which a sender’s email campaigns land into the inbox, as opposed to the spam folder), because this is what the Sender Score ultimately attempts to quantify.

 

How to check your Sender Score

Checking Return Path’s Sender Score is quite easy. Follow these steps:

  1. Go to https://www.senderscore.org/
  2. Register and create an account using your professional email.
  3. You should receive this confirmation email. Click on the CTA Activate Your Account.
    Activate your Sender Score
  4. As soon as you log in, you should be redirected to this page.
    Know your Sender Score
  5. Here, you can look at the Sender Score of either an IP address, or a domain (e.g. mailjet.com).
    Mailjet’s Sender Score
  6. Searching by domain name leads you to a page listing IPs sending mail from this domain, an indication of their email sending volume, and, finally, their Sender Score.

These scores could indicate whether this domain has been sending good emails or spammy ones in the rolling 30 days prior to your search.

What is a good Sender Score

According to Return Path’s 2018 benchmark on Sender Score, their Sender Score reveals important data on the following:

  1. Complaint rate – the rate at which users complain about your emails as junk.
  2. Unknown user rate – the number of invalid users in your subscription lists
  3. Spam traps triggered – spam traps are email addresses that don’t belong to anyone and have the primary task of catching spammers and senders with poor list hygiene practices.

Pristine spam traps are email accounts never owned by anyone and have been created to catch bad senders. Recycled spam traps are abandoned email accounts that have now been recycled into spam traps.

As such, domains with Sender Scores of 90 and above have below a 1% complaint rate, ~1% unknown user rate and an average of 0.36% spam trap hits.

Conversely, those with very poor Sender Scores of 10 or below had a 7.4% complaint rate, 7% unknown user rate and an average of 7.53% spam trap hits.

Having a good Sender Score and having emails sent to the inbox is good for the business, but it’s not the end-all to great email sending. More on this in the next section.

When Sender Score won’t save you

A high Sender Score does not mean an end to your email worries.

Like any other aggregate, Sender Score misses out on other very important factors that influence overall email sending.

After all, this proprietary system comes from Return Path and not from ISPs. Hence, ISPs may have slightly different ways of measuring your email reputation and include other variables that determine whether this campaign should be sent or not.

Return Path suggests:

A high Sender Score on its own doesn’t translate to higher inbox placement rates. Subscriber engagement, a mailbox provider’s own reputation calculations, and the content in the incoming message—none of which are included in Sender Score calculations—all factor into each mailbox provider’s final filtering determinations.

Email deliverability experts agree on this, including Word to the Wise founder Laura Atkins:

Basically, just because you have a great SenderScore doesn’t mean you’re going to have good delivery. Likewise, having a poor SenderScore doesn’t mean your mail is destined to be undelivered.

Sender Score is not the end-all be-all to determining if your email campaigns are great in all areas.

Ultimately, the Sender Score does not measure content creativity, which is crucial to creating email campaigns with high open rates.

Therefore, it is best to focus on your deliverability, as this is the best indicator of whether your emails get delivered to the inbox and not spam folder, or altogether remain undelivered.

It is also a good idea to invest in other email reputation indicators that might be better suited to your email sending.

An email marketer, in his Medium article, for example, lamented the areas ignored by the Sender Score. Some senders with 90+ scores scored low on Google Postmaster Tools, which analyzes and measures email sending practices loosely based on Gmail’s complex filtration system. Therefore, Google Postmaster Tools may be a great alternative for you if most emails in your lists are Gmail users, but less so if they are from other ISPs.

In fact, it’s best to understand that ISPs might not only measure email reputation differently, but they might also have different acceptable standards for various metrics altogether.

This is the main reason why, for example, an email campaign might get great deliverability results for Gmail, with most emails landing into their inboxes, but less stellar results in Outlook.

In any case, ISPs have different filtration systems and they modify them often in order to get a step above malicious spammers. If every ISP filter worked the same, then each one would be easy to hack.

So, really, the best way to improve your email sending is to simply improve your email sending practices. Sometimes, the best changes are the most obvious ones.

How to improve your Sender Score and email reputation

As discussed, sender reputation comprises other reputations based on your email sending:

  1. IP reputation that is tallied by how much people want to see emails from this IP address.
  2. Content reputation that measures how good or spammy your email content consistently is.
  3. Domain reputation that checks the email sending from your domain as a whole, validated through authentication methods.

It becomes a matter of ensuring that your sending practices are great across the board. So here we will compile a guide to ensure that you are sending emails in the best possible way.

Authenticate your SPF and DKIM

Authenticating your account ensures that only a specific list of IPs can send emails using your domain.

This keeps spammers from falsely delivering emails through your domain.

Think of DKIM as the signature you include in every email campaign. The DKIM is a powerful proof that the recipient’s ISP can use to check if these emails they have received are domain-authenticated and valid.

If the signature matches, then the email goes into the inbox – other things equal.

If it does not match, then it’ll go into the spam folder (or get a hard bounce).

DKIM Process

SPF meanwhile is a list of the authenticated IP addresses within that domain.

DKIM and SPF work together to ensure that you do not become the victim of a spoofing attack (i.e. where a sender masquerades as another domain to send spam).
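The human-error risk described earlier (an SPF record that lists the wrong IPs) can be caught before the record is published. The following is an added example, not Mailjet’s code: it parses an SPF record offline, flags overly permissive terms, and evaluates a sending IP against the `ip4`/`ip6`/`all` terms only. The record strings, the prefix thresholds and the function names are constructed for illustration; mechanisms that need DNS (`include`, `a`, `mx`, ...) are reported as unresolved rather than guessed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
MIN_PREFIX = {4: 16, 6: 32}  # assumed thresholds: shorter prefixes are flagged as wide

# Constructed sample records (documentation address ranges, hypothetical domain).
GOOD = "v=spf1 ip4:192.0.2.0/24 -all"
TYPO = "v=spf1 ip4:198.51.100.0/8 +all"          # /8 typed instead of /28, plus +all
WITH_INCLUDE = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) terms.
    Modifiers such as redirect= get qualifier None."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok.split(":", 1)[0]:            # modifier, e.g. redirect=...
            name, value = tok.split("=", 1)
            terms.append((None, name.lower(), value))
            continue
        qualifier = "+"                            # the default qualifier is pass
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")
        terms.append((qualifier, name.split("/")[0].lower(), value))
    return terms


def audit_spf(record):
    """Return (code, message) findings for terms that authorize too much."""
    findings, lookups, seen_all, has_redirect = [], 0, False, False
    for qualifier, name, value in parse_spf(record):
        if qualifier is None:
            if name == "redirect":
                has_redirect, lookups = True, lookups + 1
            continue
        if seen_all:
            findings.append(("AFTER_ALL", f"'{name}' follows 'all' and is never evaluated"))
        elif name == "all":
            seen_all = True
            if qualifier == "+":
                findings.append(("ALLOW_ALL", "'+all' lets any host pass SPF"))
            elif qualifier == "?":
                findings.append(("NEUTRAL_ALL", "'?all' gives receivers no policy to enforce"))
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append(("WIDE_RANGE", f"{value} authorizes {net.num_addresses} addresses"))
        elif name in DNS_MECHANISMS:
            lookups += 1
            if name == "ptr":
                findings.append(("PTR", "'ptr' is discouraged by RFC 7208"))
    if not seen_all and not has_redirect:
        findings.append(("NO_ALL", "no 'all' term: unmatched senders get 'neutral'"))
    if lookups > 10:  # lower bound only: nested includes are not counted offline
        findings.append(("TOO_MANY_LOOKUPS", f"{lookups} DNS-querying terms (limit is 10)"))
    return findings


def check_ip(record, ip):
    """Evaluate ip left to right; stop at the first term that cannot be decided offline."""
    addr = ipaddress.ip_address(ip)
    redirect = False
    for qualifier, name, value in parse_spf(record):
        if qualifier is None:
            redirect = redirect or name == "redirect"
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            return "unresolved"                    # would need a DNS query
    return "unresolved" if redirect else "neutral"


if __name__ == "__main__":
    for rec in (GOOD, TYPO, WITH_INCLUDE):
        print(rec)
        for code, msg in audit_spf(rec):
            print(f"  [{code}] {msg}")
        for ip in ("192.0.2.10", "198.200.1.1", "203.0.113.5"):
            print(f"  {ip}: {check_ip(rec, ip)}")
```
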

Read more:

Authenticating domains with SPF and DKIM

How to set-up DKIM in 3 simple steps

Create sub accounts for your different email needs

Separating your marketing and your transactional emails by creating sub-accounts is good for organizing different types of email sending.

By separating these two types of emails, marketers can better keep track of various metrics, such as:

  1. Scheduled sending of marketing emails.
  2. How often users trigger transactional emails
  3. Different types of transactional emails getting triggered
  4. Different types of marketing emails being sent

Separating both also ensures that deliverability rate issues on marketing emails do not get passed on towards transactional emails and vice-versa.

Imagine if ticket buyers found their ticket confirmation emails in the spam folder because an ISP’s filtering system identified the sender as a spammer through their marketing emails. This could get email marketers and their companies in a whole lot of trouble.

Deliverability Matters

Read More:

Email Deliverability: A How-to Guide To Get Into The Inbox

Email Marketing Deliverability 101 Guide

What are sub-accounts and how does it help me?

Take charge of your engagement data.

Email engagement is comprised of data on how engaged your users are with your email campaigns. These include:

  1. Open rates – the rate of users opening email campaigns.
  2. Click rates – the rate of users clicking on links and CTAs within these campaigns.
  3. Complaint rates – the rate of users complaining about receiving specific email campaigns.
  4. Engagement time – the amount of time they spend on reading specific email campaigns.
  5. Unsubscribe rate – the rate at which users unsubscribe after receiving your email campaigns.
Mailjet Dashboard

The image above shows some of these metrics in action on Mailjet’s dashboard.

Of course, these stats can take a long time and creative effort to improve.

Sending emails with great engagement rates can’t be done overnight. After all, brand loyalty can only be fully nurtured above and beyond email marketing.

But senders can already tweak some things, such as making emails more responsive, and getting some email content and design inspirations online.

Users prefer to engage with beautifully-designed emails as opposed to suspicious plain text ones.

Other than design, of course, the frequency and time of email campaigns also matter.

ISPs consider engagement rate very highly in their content filtering algorithms.

Read more:

Email Campaign Statistics: What Do They Tell You?

Can Email Marketing Still Drive High Engagement?

Segment, A/B and Personalize

Segmentation involves dividing your email contact lists based on a set of criteria. Each segment can be, for example, based on region, gender, or interests, among others.

A/B Testing is when marketers send multiple versions of the same campaign and analyze which one(s) perform the best.

These techniques can allow marketers to create more specific and personalized email campaigns that users will want to open.

Of course, A/B testing, segmentation and personalization are all related to improving on email engagement rate.

A/B Testing Dashboard

Above are some A/B testing stats on our dashboard. Version A has

  1. The best Open Rate and Click Rate
  2. The highest Click Rate
  3. The lowest unsubscribed rate
  4. The least amount of Soft and Hard Bounces

These indicate that Version A is the winning version and is an email that people want to open and engage with. You can use this information for future campaigns, or if you had only tested with a small sample size, you can automatically send this email to the remainder of your list.

Read more:

How Email Segmentation Can Increase Your Conversion Rate

How can I segment my contact lists?

How To Align Website Personalization With Your Emailing Strategy

Email Personalization With A Human Touch

Create a checklist for your email campaigns.

A best practices checklist for all your email campaigns is like an accountability log to the senders themselves right before they send their email campaigns. A checklist allows them to make sure that they have not forgotten about anything before sending their email campaigns.

With tactics in improving engagement rate and having enabled authentication systems to securely send email campaigns, the last thing marketers can do before they send their email campaigns is to run them through a checklist that should include

  1. Whether they have written a good subject line.
  2. Included a pre-header.
  3. Checked all links are accurate and include UTM tags if necessary.
  4. Proofread.
  5. Good CTAs
  6. Proofread.
  7. Proofread once more (remember, there’s no undo button)

Now, this checklist can be automated, with a tool that runs through email campaigns to ensure that they are ready for delivery. But this checklist does not have to be automated. Senders can also check through manually. Things that you can check include:

Read more:

Mailjet’s Ultimate Email Checklist

Clean email lists and have double opt-in

Regularly cleaning your contact lists prevents marketers from sending emails to inactive users, some of which might have been converted into spam traps. Clean lists also have more engaged users, especially when they are well-segmented.

One of our customers, Product Hunt, has a great way of cleaning their subscription lists. For inactive users (i.e. those who have not opened Product Hunt newsletters in a while) they send an email stating that they have been automatically removed from the list.

 

Product Hunt’s Unsubscribe email :(
Product Hunt’s Goodbye email :(

Read more:

Email List Cleaning: End Up On Santa’s Nice List, Not His Naughty List

Easily & Securely Stow Your Contact Lists

How to delete a contact?

Create email campaigns that matter

Of course, the most important thing that you can do in your email marketing is to create a strategy that includes processes, workflows, tactics, database of email campaigns, and so on. Devising an email marketing strategy means that you have a solid idea of what to do through the course of your marketing projects.

However, an email strategy is not something that’s rigid and bureaucratic. A great email marketing strategy – like any other marketing strategy – allows marketers to experiment throughout the project, in order to adapt to new trends and key moments that suddenly open unexpectedly.

Read more:

The Ultimate Guide to Email for eCommerce

How To Define A Successful Email Marketing Strategy

Introduction to Email Marketing: The Basics Marketers Should Know

Guide: Email Marketing For The Travel And Tourism Industry

The final frontier

Return Path’s Sender Score and Email Reputation are ways to measure a sender’s email sending practices.

But Sender Score does not directly measure a sender’s email reputation. ISPs have their own proprietary algorithms for the way they measure email reputation.

Ultimately, the path to getting into the inbox is on improving deliverability, and we have highlighted ways to do this.

We hope that you enjoyed reading this comprehensive article. If you have any comments, let us know on Twitter at @mailjet.

 

Email Blast: 4 Tips to Send Better Email Campaigns

Email blast is bad. There, we said it. Email campaigns should never be unsolicited, but helpful and responsive. They should be careful and resourceful – not lazy and unfocused. Emailing, in general, should never seem aggressive.

Unsolicited B2C cold emailing campaigns are now illegal in Europe (thanks GDPR). And should you even try them, notice your sending reputation drop faster than your eye can blink.

Today, the average customer is sophisticated, and doesn’t only want a personalized experience (although this is still important); they love emails that help them realize their wants and needs.

To help you achieve company objectives, here are some slick up-to-date tips on creating more sophisticated email marketing campaigns that customers want to read and click.

A visual representation of multiple email blasts in Harry Potter

 

Let’s face it. You’re probably older than 13, not a wizard/witch/made of magic and can relate more to the Dursleys’ terror of getting unsolicited (e)mails than Harry’s delight. Evanesco, email blast.

1. What is an email blast

An email blast is one email sent to a lot of people. This email would not target particularly anyone, let alone a segment of people.

This email would be devoid of personality – a flavorless thing. If this email was a type of food, it’d be chicken breast, without the protein. If this was a drink, it’d be water that dehydrates. If this was waste, it’d be plastic trash… you get the picture.

Nowadays, no one likes being the victim of an email blast. So while this is a great piece of email history – and a great trivia to spurt out in email geek parties – email blast is an ancient practice that no efficient email marketer does anymore, because it doesn’t work.

2. Why should you stop sending email blast marketing campaigns

Today, when there are email apps that allow emails to be more personalized and data-driven, sending out an email blast is lazy and outdated, and could indicate that you’re not taking your email marketing seriously.

The ROI on email marketing may be high, but you might lose money if you use an email tactic that lowers your email subscription and deliverability. Your sending reputation is your digital credit. If your IP has bad sending reputation, all your digital actions might be labeled as untrustworthy and spammy. Not good for marketing.

Lisa Simpson talks about email blasts

3. 4 tips on how to send better and cleaner email campaigns

3.1 Grow your email lists organically

There are many ways to organically grow your email lists. You could use social media, include subscription widgets and pop-ups on your website, include a newsletter opt-in in your emails, create multichannel campaigns that encourage subscription… if you just flex your creativity, the sky’s the limit (unless you hire a skywriting service).

3.2 Segment your email lists

Segmentation divides your contact list into smaller groups based on a set of traits. This can be a great personalization technique to deliver relevant emails that subscribers want to see based on their interests.

At Mailjet, we have advanced segmentation features for data-tracking. These allow you to track the effects of segmenting your contact lists in real-time. To really jumpstart your segmentation, we also have an API integration with Segment so that you can see the effects of creating subgroups that are relevant (or not).

It’s no secret that segmenting your lists can increase email click and open rates. But segmentation needs to be correct in order to work well. Whether this is on gender, age, location, industry, or email behavior, you need to be data-driven but person-led in your segmentation tactics. It pays to know how to segment your lists but you already need to be sending the right emails, with the right content, at the right time(s) in order to be effective. Done well, segmentation can increase not only open rates but actual revenue.

3.3 Send personalized email campaigns

Sending out personalized email campaigns is the bread and butter of modern email marketing. You want to take advantage of the plethora of services that both automate and personalize your email campaigns. Personalized email campaigns perform better in open and click rates than their bland counterparts. And who wouldn’t want to see that you’ve done that extra mile in including their name in your emails?

For example, at Mailjet, we have personalization features that allow you to fill in various types of property information. You can also use our API integration with Zeta to segment your contact lists into relevant subgroups that get the right content on the right time. As we have already covered on our article on great newsletter examples, Really Good Emails simply but elegantly does name personalization quite well.

3.4 Follow email marketing best practices

Adapt a customer-centric email design that highlights your products
While it is always best to design marketing campaigns that customers would love to read and scroll through, they also love to discover. Holistic Marketing has written a great article on the importance of creating emails that are helpful and customer-facing, with great examples.

Add an unsubscribe link
Including an unsubscription button or link to your emails is mandatory in Europe, but it’s also best to do it elsewhere, too. This is because people who don’t want to get your emails anymore will tend to avoid reading your future emails, or, worse, flag you as spam.

Ratio text/images
Sending out well-optimized emails for as many email clients as you can will, well, ensure that everyone receives your emails in the same format. Our friends at Litmus created an excellent guide on optimizing background images. At Mailjet, we agree and like to keep our design responsive.

Create emails that render well across multiple email clients
Arguably, the most important thing in email marketing is ensuring that your emails are sent in the way you intended them to be. Unfortunately, as there are 50+ email clients out there, rendering for each can be a daunting, complicated task. Our MJML templating language simplifies this task by (1) simplifying HTML allowing you to code much more efficiently and (2) getting regular updates that ensure your design and coding remain responsive.

4. Get creative

Of course, there are also tons of other stuff you should be following in order to really improve your email campaigns. You could add inspired .gifs on your emails. You could also add rich media if you know how to code for emails – always a banger. You can also improve your subject lines by adding emojis.

This list is endless.

Tweet us @mailjet if you have ideas on doing things other than an email blast.

Contact Management Under GDPR: The Ultimate Set Of Features You Need

Mailjet has been one of the first ESPs (ok THE first) to get onboard with all GDPR requirements.
We know you missed us talking about GDPR, right? 😂

On a more serious note, our customers were very curious about GDPR compliance and are pretty concerned about security and data protection. You know, we are constantly working to make things easier for you. We gathered below all features related to contacts and GDPR available for all Mailjet’s customers.

Refresh your subscription form to add the new GDPR-compliant consent box

For optimal transparency and safety, we advise our users to implement Mailjet’s double opt-in subscription widget to build their contact lists.
Now, in addition to making sure that you have the consent of your recipients, you’ll be able to download the proof of consent from each of your contacts. ✍🏽

Widget Mailjet GDPR

How do we do this?

  1. In widget creation, a small checkbox has been added. Tick the box.
  2. Customize the text of the checkbox.
Widget Mailjet GDPR

When a user subscribes to your newsletter, the consent information, including the widget name and consent checkbox text, will be added to their contact profile.
Here is an example of a GDPR-compliant checkbox:

Widget Mailjet GDPR
  3. You are all set!

Please note that if you already have our subscription widget on your website, you will need to re-install it to activate the GDPR checkbox, which will enable the proofs of consent to be stored.
This also means that you won’t be able to download a proof of consent for your old contacts.

No worries, though! If you’ve been using our widget from the beginning, we are here to cover you in case you encounter any issue with a recipient claiming she/he never consented to receive your information. We’ll be able to provide this information as it is registered in our system 😉.

Have your consent proofs stored and available for download when needed

More great news: you can now access and download this proof of consent directly from your Mailjet account, whenever you need it, without contacting our Support team.
Wondering how to download the consent proof of your contacts?

  1. Search for a contact in your Contact lists.
  2. Click on it and you’ll access all the details related to it (we did some re-design here by the way 🎨).
  3. The proof of consent needed can then be downloaded right from here:
Contact Consent proof

Delete a contact in one click

As you know, under and since GDPR, contacts are more aware of what information they share, and it’s really common for them to ask to be deleted from any list and any communication.
So besides unsubscribing, checking statuses and statistics, editing contact properties, removing a contact from a list, it’s now possible to delete a contact…from all your lists, in just one click, straight from the contact overview page:

Delete contact

Important note: statistics generated for all the emails sent to the removed contact will not be altered because of the deletion of the contact. But the contact and its information will no longer be seen in the database, or available for future sendings.

We hope we helped you become (even more) GDPR-compliant.
Let us know what you think once you set up the new widget on your website, and your opinion about this news in general!

How Email Can Make Up For Declining Organic Facebook Reach

If you’re like 55% of marketers, you have seen a significant decrease in your Facebook page’s engagement since they changed the algorithm to encourage “more meaningful social interactions with family and friends.” While social media platforms are, of course, an important way to connect with your audience, it’s increasingly become clear that doing so means you are communicating on someone else’s property – not your own. You do not own the relationship, the channel, or the data, and therefore are at the mercy of how other platforms decide to distribute your content.

100K followers on Facebook, Instagram, Twitter, or LinkedIn is not nearly the same as 100K subscribers on your newsletter. Assuming you land in 99% of inboxes, and get a respectable open rate of 20%, you are already well above the rate of Facebook followers that will even have a chance of seeing your post. Way back in 2012, organic reach on Facebook was at an all time high of 16%, this was down to 6.5% in 2014, and since changes to Facebook’s algorithm this year brands are seeing organic reach around 2%.

While social media offers the benefit of personalization and targeting in a way we didn’t know possible only a few years ago, email marketing is right there with them and in fact is doing so in a way that is based on the explicit permission of the audience. Something that is, of course, becoming increasingly important in a new age of Data Privacy and GDPR.

The question then is when do you want to use paid and organic content on social media platforms? Do you want to be paying for one click to your website, or do you want to be paying for the beginning of a warm and recurring relationship with your audience? By growing your email list, and from there building a quality, permission-based, relationship, you are building value in your own property.

To make up for this diminishing impact of organic reach on social media platforms, it’s important to apply what you’ve learned from social media’s personalization and data analysis to your email marketing.


Email Marketing & Personalization

Email offers the unique ability to personalize content to your audience – who they are and what they like. Personalization extends beyond just calling out their [First_Name], allowing marketers to curate content, links, images, and even videos based on any data and metrics you have received from the user. This is especially true for online retailers who benefit more than many other brands with advanced data including buying history, location, and more. Today, however, only 39% of online retailers send personalized product recommendations.

At first, personalization can seem daunting when you think about customizing a message to every single individual in your list, a list that may reach into the millions. Personalization, however, doesn’t need to be about one-to-one relationships; instead, it is about personalizing your content to broad categories like interests, behaviours, or any attribute that can be shared by many. If you know from previous email engagement, through your website, or any other data collection method, that an email address is associated with a certain attribute – you can use this to personalize future emails.

For example, did they open a previous email about a shoe sale? Did they click a link about women’s jeans? Did they select a specific dropdown item from a menu?

The Miami Heat captures your favorite player when you sign up for their email list. How do they use this information? In an infinite number of ways – they could segment their list so only people who select that player receive the content (more on that below) or they could feature a rotating cast of players in their bulk email and personalize who will appear in the email based on the user. If your favorite player is Dwyane Wade – guess whose video interview the Miami Heat include in their email?

Email List Segmentation

As alluded to above, personalization and segmentation are in the same family but are different for a few important reasons. Whereas personalization is about substituting content, images, text, etc. based on data within a mass email, segmentation is about chopping up your contact lists and sending only to certain people…based on data. This could be based on their location, whether they’ve recently opened an email, their level of engagement in your products, who their favourite player is (again), their favorite color, whether they identify as a dolphin or a poodle, whatever you can have fun with and use to serve up content they’d enjoy.

Segmentation is a great way to not only personalize content, but to save money and dramatically increase your ROI. For instance, Mailjet is a volume-based email model meaning our plans are priced on the number of emails you send. If you send an email to every single one of the 100K subscribers of your newsletter, you will be paying for 100K emails.

However, if you segment your list so that only active users receive the email about new product updates, or only US-based subscribers receive your email about an upcoming event in San Francisco, then you not only increase the likelihood of engagement, your return on investment, and the reputation of your domain with inboxes like Gmail – you also save money. In fact, according to research from Liveclicker, a company that provides personalization services, behavioral targeting delivers an 8 percent increase in email revenue.

Our friends over at Google Cloud Platform know this well. Do you think everyone on their newsletter list received this email? Or only those in the Bay Area?


Email Automation & Integrations

Almost as important as sending the right content to your audience is sending at the right time. Marketing automation tools, paired with the personalization tips above, allow you to communicate with your customers at the optimal time based on any number of triggered events or actions such as newsletter signup or purchases. For example, when users make their first purchase on your website, or sign up for your newsletter, you can increase engagement and personalization through a drip campaign customized to their interests and behaviours.

When you first sign up for a weekly newsletter, it may take up to 7 days to actually receive that first newsletter in your inbox, depending on when you signed up. You devoted all of your energy and money in order to (1) identify your target audience, (2) find out how to get their attention, (3) provide value or serve up an ad to get them to sign up for your newsletter, and then after all that you just add them to a long list of other users. They are as hungry for your content as anyone on that list, but you don’t serve them what they want, when they want it.

Automation allows you to send the content they are craving right away so that the weekly bulk newsletter isn’t the first email they receive from you. Perhaps the first one is a welcome email featuring a blog or video you think they will enjoy (ideally based on the data they’ve given you already). Perhaps the second email is something of even more value, like a discount code or a one-time sale. By building trust and offering value right off the bat, you can count on this user continuing to open your emails moving forward.

You can take your automation even further by integrating apps like Shopify, Wufoo, and yes even Facebook.

Many brands use integrations like Shopify to leverage the data they receive from triggers like purchases and abandoned carts to better personalize their campaigns and segment their lists. Doggyloot for instance keeps their customers coming back with e-commerce integrations into their email marketing to not only personalize the content but also target their sending to those they know are already interested in purchasing a product.


Permission-Based Targeting

As organic reach on social media declines, and we move increasingly towards a permission-based marketing world, it doesn’t mean we need to move away from tailored content informed by data. In fact, as opposed to relying on a mysterious algorithm on property you do not own, lean more heavily into your own permission-based data collection tools on property you do own: your email lists.

Are Startups Ready for GDPR? We Look To The Numbers

It’s finally here! After several months of preparation, this week the General Data Protection Regulation (GDPR) finally comes into effect. This new European regulation will affect all companies, wherever their country of origin, and regulate the collection and processing of private data from European citizens.

Methodology

In order to make startups aware of their obligations under GDPR, Mailjet created a quiz in 2017 to assess their level of compliance with the main requirements of this regulation. While nearly 12,000 startups have responded to the quiz since its launch, we analyzed a sample of about 2,000 respondents from France, UK, Spain, Germany and the US who completed the survey within one month of GDPR. The goal? To understand which startups around the world are ready and which still have a bit more work to do!

Key Takeaways

In Europe, France is trailing the pack on data encryption (with only 21% of respondents encrypting their data and only 40% having proper proof of consent). The United Kingdom is at the top of the list, with 33% of startups properly encrypting their data and nearly half having verified their supplier’s compliance with the GDPR. On the other side of the Atlantic, American startups seem to be much more prepared on several key areas… Dig into the full results below!

Now it is your turn!

How well are you prepared for the GDPR? Try the quiz yourself, and get started on the right foot with a GDPR compliant email service provider. Create a Free Mailjet Account Now!

GDPR in the US & Canada: How will it affect your business?


GDPR, the EU’s General Data Protection Regulation, comes into effect in May this year and many North American companies are still asking themselves how this will relate to them, how they can best prepare for these changes, and how to avoid potentially massive fines. Mailjet, a GDPR-compliant email service provider, is hosting a 3-part webinar series entitled GDPR in the US & Canada. The first in the series features Mailjet’s Head of Legal and Data Privacy Officer, Darine Fayed, who covers:

  • What exactly GDPR is, how this new legislation applies to companies in North America, and what will happen if you don’t comply
  • How does GDPR affect North American businesses and marketers, and how does it differ from existing data protection laws (e.g. Safe Harbour, CASL)
  • The 8 key changes that GDPR brings to the data protection playing field
  • What steps you should be taking today to ensure you are ready before May. You are encouraged to also fill out our GDPR Quiz beforehand to know where your company stands in terms of GDPR knowledge.

Be sure to sign up for our second Webinar in the GDPR in the US & Canada series, March 13th at 11am EST.


Getting Security And Privacy In Email Right

How many times have we said that email has the highest ROI, or that it’s the most effective marketing channel? It even looks like we have some kind of secret master plan to trick everyone into using email… 🤔

Subtle marketing techniques aside, the truth is email is a quick, cheap and highly customizable way to contact customers. But of course, as a business working with personal data, you know that privacy and security are not things to be taken lightly. Protecting sensitive information and preventing hacks or leaks is key.

That’s why email has to be secure, to ensure all of this data is safe and only available to those with the rights to access it.

“Phishing and spoofing are huge threats in the email world today. It’s incredibly important to ensure you have set all possible protections to prevent spoofing.”
– Lauren Meyer, VP of Delivery & Head of North American Operations at Mailjet

With data protection and data security constantly in the news, and GDPR coming into effect in May, email privacy and security are as crucial as ever.

Keeping your email data private and safe

Laws around the world regulate the use of emails. There are obviously the different spam laws, which differ from country to country; you need to know them and ensure you’re following the ones that apply wherever you’re operating.

But there are also transnational agreements, signed between countries or supranational entities (like the EU), to help companies establish themselves abroad, and comply with local laws. Among the agreements you’ll need to be familiar with, and comply with where appropriate, the key one for those with European contacts is the EU General Data Protection Regulation (or GDPR).

GDPR was passed in 2016. It strengthens the current European regulations regarding data security within the EU member states. Any company, organization, association or administration, whether private or public (that is, any structure with access to personal data), will have to comply with GDPR, starting May 25, 2018. European companies, but also non-European companies with EU customers, will have to make sure that only mandatory data that is relevant to their activities is collected.

They will also have to ensure that the physical servers where the data is stored are safe and under protection. Any data transfer out of the EU will be done under strict rules. If a company fails to comply with these new rules, it can be sanctioned with a fine equal to up to 4% of its yearly turnover, or 20 million euros, whichever is higher. Under this new EU rule, all personal data will be subject to the highest security, so consumers can interact with companies with confidence.

But this doesn’t just mean that you have to ensure your own business complies with GDPR, it also means that any third-party solutions you work with have to be GDPR-compliant too. This, obviously, includes your email service provider, so it’s key to choose wisely (spoiler alert: read on to find out why Mailjet is a good choice 😉).

Data security is a big deal in Europe, so before starting your operations on EU soil, be sure to comply with the rules in place, as well as the upcoming ones, and be careful only to choose GDPR-compliant third-party solutions, like Mailjet.

The technical side of email security

But all these legal – yet important! – considerations aside, how can you ensure that both the emails you send and the ones you receive are really safe?

Encryption

One of the ways in which we can protect the information contained in emails is through encryption.

When we’re talking about encryption, there are different possibilities. Encrypting the message itself is probably the most effective procedure when it comes to email security. Contrary to popular belief, DKIM does not encrypt messages. However, it adds a layer of authentication that helps you protect your emails.

To ensure proper encryption of your email, you can also use these tools, which support the OpenPGP standard: https://www.openpgp.org/software/. For example, you can try GPGTools, which is natively integrated with Apple Mail and allows you to send encrypted emails (end-to-end encryption).

Another possibility is encrypting the channel your email travels through from server A (your sending server) to server B (your recipient’s server). This is the role of Transport Layer Security, or TLS. The only issue here is that TLS is still not used by all ISPs, meaning that if you send a TLS-encrypted message and your recipient’s server doesn’t support this protocol, the encryption won’t be effective.
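The three layers this section distinguishes (DKIM authentication, TLS on each server-to-server hop, and OpenPGP encryption of the message itself) can be checked from the headers of a received message. The following is an added example, not Mailjet's code; the sample messages, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 / RFC 6531 that indicate a TLS-protected hop.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
            "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample (not real traffic). Each server prepends its own Received
# line, so the newest hop is listed first.
SAMPLE = """\
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 01 May 2018 10:00:02 +0000
Received: from app.sender.example (app.sender.example [192.0.2.5])
\tby out.sender.example with ESMTPSA id ghi789;
\tTue, 01 May 2018 10:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1;
\th=from:to:subject; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=
From: news@sender.example
To: user@recipient.example
Subject: Your invoice
Content-Type: text/plain; charset=utf-8

Account number: 12345
"""

# Constructed PGP/MIME message (RFC 3156 layout) with placeholder ciphertext.
SAMPLE_PGP = """\
From: news@sender.example
To: user@recipient.example
Subject: Your invoice
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""


def hop_uses_tls(received):
    """True if one Received header says the hop was carried over TLS."""
    tokens = {t.upper() for t in re.findall(r"\bwith\s+([A-Za-z0-9]+)", received)}
    if tokens & TLS_WITH:
        return True
    # Heuristic for servers that only add a free-text note such as "(using TLSv1.3 ...)".
    return re.search(r"(?:\busing\s+|\bversion=)TLS", received, re.I) is not None


def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def body_is_pgp_encrypted(msg):
    """Detect PGP/MIME or an inline OpenPGP armored message."""
    if (msg.get_content_type() == "multipart/encrypted"
            and (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted"):
        return True
    for part in msg.walk():
        if not part.is_multipart():
            if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
                return True
    return False


def audit(raw):
    """Report authentication, per-hop transport encryption and end-to-end encryption."""
    msg = message_from_string(raw)
    hops = []
    # Received headers are self-reported: rely only on lines added by servers you trust.
    for rcvd in reversed(msg.get_all("Received", [])):  # oldest hop first
        frm = re.search(r"\bfrom\s+(\S+)", rcvd)
        by = re.search(r"\bby\s+(\S+)", rcvd)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "tls": hop_uses_tls(rcvd)})
    sig = msg["DKIM-Signature"]
    return {
        # Presence only: validating the signature needs the public key from DNS.
        "dkim_signed": sig is not None,
        "dkim_domain": dkim_tags(sig).get("d") if sig else None,
        "hops": hops,
        "plaintext_hops": [h for h in hops if not h["tls"]],
        "end_to_end_encrypted": body_is_pgp_encrypted(msg),
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("DKIM signed by:", report["dkim_domain"])
    for hop in report["hops"]:
        print(hop["from"], "->", hop["by"], "TLS" if hop["tls"] else "PLAINTEXT")
    print("End-to-end encrypted:", report["end_to_end_encrypted"])
```

On the first sample the message is DKIM-signed yet crosses the sender-to-recipient hop in plaintext with a readable body, which is the gap between authentication and encryption described above.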

Security of the data storage servers

You also have to be sure that the servers where the data is stored are safe. If you store this data yourself, complying with the requirements of GDPR is a minimum. Keep your servers under surveillance 24/7, and limit the number of people that have access to them. This is mandatory for your company, and it is crucial to keep your users’ information safe and, ultimately, their trust.

If you rely on a third party to store the data, look for solutions that offer the best guarantees. Redundancies, fire risk prevention, high security levels, energy self-sufficiency… Since you’re not the one directly managing the server, you have to be sure that all of these necessary precautions are followed, to ensure the maximum level of security. If you have European customers, having your servers located in Europe can also be a good idea, since the stricter European laws will apply.

“Organizations collect, process and hold ever-increasing volumes of personal data to enable relevant and timely email communication with their customers. Data security continues to be a huge responsibility and challenge, and they need assurance that their email service provider can deliver this.” – Pierre Puchois, CTO Mailjet.

Email security and privacy at Mailjet

Mailjet makes security a priority, which is why we decided to obtain the ISO 27001 certification, the international standard for best practices of information security process, which requires companies to not only implement company-wide processes pertaining to security policies, data handling and access, but also infrastructure changes.

Our security processes begin with our product development, and the scope, lifecycle and fundamental principles of Mailjet’s security policy are to the highest standard, ensuring all information hosted on the Google Cloud and OVH platforms is secure.

But by choosing Mailjet, you’re not only opting for an ESP that is ISO-certified, but also for one that has completed all the necessary steps to be GDPR-compliant, including the implementation of privacy frameworks, data protection by design, and the ability for individuals to easily have more control over their personal data.

“These accomplishments in data privacy and security propel Mailjet to another level of service excellence in the competitive email industry. We’re proud of these achievements and what it means not just for our clients, but for the individuals whose data we protect on behalf of our clients.” – Alexis Renard, CEO Mailjet

And you? Are you GDPR-ready? Find out by taking our GDPR quiz, and share your results with us on Twitter

GDPR Journal: The Steps We Took Towards Working With 3rd Party Providers

Welcome to the fourth instalment of the Mailjet (and my personal) GDPR Journal. So far we’ve looked at how I became a DPO, our GDPR compliance roadmap and how I updated our Privacy Policy to be in line with GDPR. It’s been a rollercoaster and the saga is set to continue as the next step was to look at not just our internal processes, but those of our partners and 3rd party providers.

Why am I focusing on this for a whole journal entry? I hear you ask. Well, because one of our biggest challenges in getting through our GDPR compliance roadmap was to perform an audit of our entire privacy framework. In other words, to audit all our existing third-party providers and software applications to ensure that they themselves were also meeting the GDPR requirements on data protection.

Why are we talking about our own providers?

At Mailjet, we collect and process the personal data of our clients (names, email addresses, IP addresses etc.) and under GDPR we must ensure that our entire privacy framework respects the rules GDPR brings into effect. So, that means our own providers as well. Why? Because some of our data flows to these solutions, thus data protection must be compliant on all fronts.

In a post-GDPR era, we are all equally responsible for the protection of data subjects’ personal data. Meaning, not only will our clients (Data Controllers) be responsible, but also the Data Processors (in this case us), our own providers, their providers and so forth.

What kind of providers are we talking about?

Well, it could be: CRM solutions used by Sales and Marketing teams (e.g. Salesforce), cloud IT services (e.g. Google, Amazon), social interaction & messaging systems used by Marketing and Support teams (e.g. Slack, Messenger), project management tools used by Product and Development teams, external payroll & HR management solutions used by Administrative teams. I’m sure you probably use some tools like these.

Being a small agile business, each department regularly uses various online solutions and applications to help with their day to day activities. In the past, a member of Team Mailjet would most likely find a free or relatively cheap tool that could help his or her team, then they would quickly sign-up without reading much of the terms and conditions behind the tool.

So, after functioning in this manner for several years, we found ourselves in a position where the company now had subscribed to various applications across its different departments — and all without much control over the access, uses and information collected.

Ok, so where did we start?

The list was grand and the audit task proved quite daunting. Let’s see my action plan… Here are the key steps we took in order to complete the internal audit and analysis:

1. A complete list of all service providers and applications

The list needed to include:

  • The providers and applications used.
  • The exact customer data that was collected and transferred to these specific providers.
  • Why the data was used.
  • Where they stored the data.
  • If there were any data transfers.
  • What it meant to our clients.

We included other useful information in this third-party provider list, such as the user access rights involved and the dates of the last verifications.

To compile this list, we set aside some time with each department head and began. The exercise actually proved to not only be beneficial for GDPR compliance, but also helps immensely with the control of a growing business, such as Mailjet.

This specific step took us several months. So start now if you haven’t already done so, because the 25th of May is creeping up on us quickly!

2. Ask your 3rd party providers some important questions

Next on my list was to contact every provider and ask some tough questions. I’m a big fan of making light of a big task, so I decided the best approach was to send out a questionnaire asking for details on their information security and data protection measures. The form included questions on:

  • Information security.
  • Risk management policies.
  • Employee training.
  • Physical security.
  • Access control measures.
  • Data protection organization and technical measures.

Take a look for yourself at the 12 questions we asked.

3. Assess the level of risk

Depending on the responses I received back, I then had to assess the risks of transferring any of our own clients’ data to their platforms and centers. This essentially meant verifying their measures, ensuring they were up to par with industry standards, as well as checking if they were on the right track to data protection compliance.

4. Review all contracts in place and introduce new clauses and/or amendments

As part of the risk assessment, I also had to make sure that we put in place specific contractual clauses and amendments to ensure at all times while we are using their services that these data privacy measures were respected.

I then proposed various EU model clauses or data protection agreements with these providers to ensure we had the correct documentation in place and, in some cases, negotiated the limits of liability between our companies in case of a third-party claim.

5. Switch to GDPR compliant providers

In some cases, the responses I received back were vague or elusive, to say the least. In these cases, a quick evaluation was needed of whether we could improve their commitment levels or switch to providers that could ensure they were on the right track. We started this process early, so that we could switch over to another provider should the need arise. So, be sure to give yourself enough time.

6. Review and control: Right to audit and yearly check

Next, I made sure to include in all contracts and amendments the right to audit the provider upon notice. That way we could make sure if at any moment our providers were not just talking the talk, but also walking the walk.

And finally, now that we’ve successfully jumped this massive hurdle, we need to ensure we update it on a yearly basis. This means that we will need to verify that all our third-party providers continue to maintain the same level of technical and organizational measures to ensure their security and data protection. How will we do this?

  • Perform audits.
  • Re-send the third party questionnaire for updates.
  • Continue to ask the tough questions.

So there you have it, six steps to ensure all your third-party providers are GDPR compliant.

Have you reviewed your 3rd party providers? Or are you now thinking you need to? Share your experience with Mailjet on Twitter.

GDPR Journal: Privacy Matters. Really.

As our resident legal expert here at Mailjet, I set aside at least a full day each week to take care of our data privacy issues. I had put together a compliance roadmap of items to be handled before the year-end as part of the GDPR readiness plan. The next item on my to do list was to update our Privacy Policy.


So what exactly is a Privacy Policy?

You see them on most websites. Privacy Policies drafted in various different ways. But what is it exactly? It’s important to note that a Privacy Policy is not the same as the Terms and Conditions of Service (or of Use). If you collect and process personal data, you are likely required to provide information accessible for your users that details your data privacy policies.

The old EU directive required certain information to be provided to data subjects in the case of data collection, including the company’s identity, data processing purposes, the existence of certain rights to access and rectify the data, etc. And each EU Member State also has this requisite. The new EU GDPR requires that this information be even more detailed and clearer.

So in collecting personal data, you should disclose the ways that you gather, use, disclose, and manage your customer or user’s data, as each individual has a fundamental right to the protection of their data and to be informed.

What needs to be included?

I last updated Mailjet’s Privacy Policy in September of last year. At the time, I wanted not only to harmonize all our online policies but also to make them clearer for our customers — and the last update was, to say the least, pretty outdated.

And this time around, I needed our policies to be fully in line with the new GDPR requirements — as it imposes additional requirements as to the information to be provided on the collection of personal data. For example, not only do the purposes of processing need to be provided, but now also the legal basis needs to be stated. In our case for Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.

As a summary, the key information to be provided to your clients and users under GDPR is:

  • Identity and contact details of the data controller
  • Contact details of the DPO (when applicable)
  • Processing purposes and the legal basis
  • Where the processing is based
  • Recipients of the personal data, if any
  • Data transfers outside EEA, when applicable
  • Data retention period
  • Rights to access, to rectify and to delete data
  • Right to lodge a complaint with a supervisory authority
  • Existence of any automated decision making (including profiling) and the logic behind it

How exactly to create/update your policy?

In my opinion, the best way to tackle this project was to go through the actual GDPR regulation — article by article — and modify our Privacy Policy accordingly.

I had to include the now necessary information (including the new contact information of our DPO — if you’ve forgotten, yours truly, the supervisory authority and right to lodge a complaint…) and at the same time attempting to describe all this in a clear and concise manner.

One of the main underlying principles of the GDPR is the principle of transparency; this requires that any information addressed to the public should be clear, concise, easily accessible and easy to understand. The information provided shouldn’t be bogged down in legal jargon and with cumbersome online conditions.

So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.

After spending several hours on the first draft, I passed it along to my fellow colleagues (those without a legal background), so I could get some feedback as to the clarity and understandability of the document. I also met up with our CTO to ensure we were aligned on a technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day, I had a nice working draft. Hurrah!

I spent the following few days tweaking the policy to make it just right and coordinating with our marketing team to set up the schedule for its release date. Of course, we needed to give our clients at least 30 days’ notice for these updates and create a clear email describing the changes. At the same time, some modifications needed to be made to our Terms of Use, so why not use the same notification to our clients for both? Kill two birds with one stone.

What was updated?

The main items that were incorporated into our new Privacy Policy (which was effective as of September 15th) are:

  • To harmonize the terminology with the terms used in the GDPR (words such as data subject, controller, data processor, supervisory authority)
  • To clarify the consent policy (how we obtain our clients’ consent)
  • To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
  • To define our legal basis for data processing
  • To allow us to respond directly to a request from a data subject to modify or delete his/her data. In the past, we had to request authorization from our customer directly and await their instructions.
  • To better clarify our data retention periods (this is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise — and this retention policy needs to be worked on closely with our technical team to put in place the right processes).
  • To communicate our new minimum password security requirements
  • To share our new DPO contact information (yours truly!)

Take a look at our GDPR compliant Privacy Policy.

In the meantime, are you creating or updating your company’s privacy policy? Share your experience with Mailjet on Twitter.

This post was first published on the Mailjet Medium account.

GDPR Journal: On The GDPR Track, Our Compliance Roadmap

In case you missed my first post, I am documenting our GDPR compliance journey, from where I sit as an in-house attorney working for an EU and International SaaS company. Get up to speed by reading my first diary entry.

Take your mind back… It’s the end of May – one year before the new EU data regulation comes into effect. Articles are coming out about how to be prepared, published from so-called experts, law firms, compliance firms and other run-of-the-mill companies trying to attract traffic. So there was truly a lot of information out there. But where to begin? How do I prepare our company – an SME based out in Paris – for the GDPR?

The myriad of articles being published on the subject offered much information, but I wasn’t clear as to the source and its accuracy. Being a trained attorney, I couldn’t rely on other people’s information. So it was best that I start from scratch. I needed to outline myself the needed steps to get us from point A to point C (C for Compliance).


First Step: Understanding the new regulation and what it meant for us.

I knew I needed to set aside some time to delve into the actual law. I printed out and book-bound 2 hard copies and set myself up on the sofa in an empty conference room – away from phone calls, emails and colleague requests. I gave myself 2 hours and read cover to cover the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (or in English, GDPR). I’m an attorney by trade, so reading the actual law to me is really interesting stuff! (Yes, I’m a bookworm at heart.) I highlighted the sections and paragraphs relevant to my company (considered not a data controller but instead a data processor) and took notes at the same time.

Why 2 copies? (I promise I wasn’t wasting paper) Well, I work in Paris where I speak 2 languages – English & French. So I wanted the law in both of these working languages. I began by reading through the English version and put aside for another day the attack of the French version as it is helpful to learn the terms and phrases used in the actual law.

Second Step: Roadmap Planning

Setting a roadmap sounds simple, right? Not exactly, the challenge began with analyzing the new law and identifying our requirements. I had a short period of time to put in place our key trigger dates. May 2018 is not that far away!

At the same time, I was dealing with demands from all angles: clients, internal sales teams, and company shareholders. Everyone wants us to be compliant today when there is still much road work to lay out before we can put the actual measures in place. I also wanted to ensure that the steps were carried out properly, instead of just fast-tracking the process to use the word “compliant” in our communications.

There was also the aspect of inter-departmental collaboration. The implementation had technical constraints. Just because the law stated one aspect did not mean that it could be simply “implemented” in the blink of an eye. The measure needed technical planning, testing and control before any actual implementation. So the roadmap and implementation need to be dealt with hand in hand with the technical and operational teams. I had to also work with our marketing and sales teams to align our message on compliance and the roadmap to be taken.

Third Step: Mailjet’s Roadmap

After several drafts, and internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap.

Here are the steps I came up with and the related calendar to bring our company up to speed from point A to C (remember, C for Compliance).

Mailjet GDPR Roadmap

Summary

  • May – June 2017: Nomination of Data Protection Officer (articles 37-39 of the GDPR)
  • July 2017: Training (articles 7-8 and 12-15). Security and data privacy training sessions to be put in place for all employees and contractors.
  • July 2017: Data breach procedures (articles 33 & 34). Data breach response plan. Process to notify controller without undue delay after becoming aware of personal data breach and document such breach.
  • July – September 2017: Data processing records (article 30). Record of processing activities, including, purposes of the processing, description of the categories of data and recipients, any transfers. Update periodically.
  • July – November 2017: Audit and Analysis of privacy framework (articles 28-30 of the GDPR). An internal audit of all our existing third-party provider contracts to ensure compliance with GDPR, and to make any necessary amendments; a review & update of our current company insurance coverages; to put in place the requisite processes; a periodic review and control.
  • October 2017: Ensure appropriate technical and organizational measures (article 28). Guarantees by processor to implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects & Update data protection agreements and appendices.
  • October 2017: Data portability (article 20). Ensure data subjects’ right to portability (facilitates ability to move/copy/transmit personal data easily – whether to their own systems, the systems of 3rd parties or those of new data controllers).
  • October – November 2017: Reevaluate notice, consent and withdrawal mechanisms (articles 44 – 50). Identify cross-border data flows and review current mechanisms in place. Ensure adequate level of protection with contractual clauses.
  • October – November 2017: Data protection by design and by default (article 25). Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation.
  • November 2017: Security of processing (article 32). Technical & organizational measures to ensure a level of security appropriate to the risks at stake.
  • December 2017: Data protection impact assessment (article 35). Assessment of the impact of processing operations on the protection of personal data with advice of the DPO.

Now off to implement these wonderful concrete steps…. GDPR compliance here we come!

Are you currently in the process of becoming GDPR compliant? Tell us about your compliance journey and the biggest pain points of your experience so far on Twitter.  

This article was first published on Mailjet’s Medium Account.