Welcome to Mailjet’s GDPR checklist for email marketing and working with third-party providers. Follow the steps below to verify that your providers are GDPR compliant. Failing to do so exposes you to financial and business risk and can make your own email activities non-compliant, since you remain responsible for the personal data you hand to a provider.
Conduct a 3rd-party provider audit
Make a list of every external service provider and application you use, across all departments of your business. Examples: CRM systems, cloud hosting, email marketing providers, transactional email solutions, automation tools, analytics and tracking tools.
Develop a 3rd-party provider inventory list
Create your master inventory list. For each provider, identify:
What type of data is concerned (e.g. email addresses, names, behavioural data such as opens and clicks, and whether any of it is sensitive).
What data protection measures are in place (e.g. encryption in transit and at rest, access controls, where the data is stored, which sub-processors the provider uses).
Who is responsible for the provider in your company, and what access rights they and their team have.
Map out the path your email data takes
Using the information in your inventory list, assess (1) which data is shared with each external provider, (2) how that data is processed and/or stored by the provider, and (3) whether it leaves the EU/EEA, since international transfers need a valid legal basis under GDPR. This lets you ask better questions in the next step and be more transparent with your clients.
Find out how compliant your 3rd-party providers are
Get in contact with ALL 3rd-party providers to determine their level of GDPR compliance. An efficient way to do this is to send them a questionnaire (sample questions here). Keep the written answers: they are part of the evidence that you performed due diligence.
Decide how risky each provider is and take action
Evaluate the responses from your 3rd-party providers to determine whether they meet the security and privacy requirements set out by GDPR. Ask the practical question: would continuing to use this provider make your email activity non-compliant?
If they MEET the requirements
Still check whether you need additional components in your contract with them. Under GDPR, a controller must have a written agreement (a data processing agreement) with each processor; beyond that, consider limitation of liability clauses, additional security measures, and the right to terminate the contract for non-compliance with data protection law.
If they DON’T MEET the requirements
It’s time to switch. Using a non-GDPR compliant 3rd-party provider leaves you potentially liable for any breach of data subjects’ rights, with the financial and reputational consequences that follow, and it means you are offering a non-GDPR compliant email experience to your own contacts.