What are the key changes with GDPR? - Mailjet: Email Delivery Service for Marketing & Developer Teams

What are the key changes with GDPR?

An expanded definition of personal data Anything that contributes or links to identifying an individual will be included, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, a […]

An expanded definition of personal data

Anything that contributes or links to identifying an individual will be included, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, a computer’s IP address and includes both biometric and genetic data.

New and strengthened individual rights and conditions for consent

These include rights of access, to be forgotten, and to data portability. Data Controllers and Data Processors have an obligation to clearly communicate these rights to individuals they collect data from:

How long data will be stored for;
If data will be transferred to other countries;
Information on the right to make a subject access request;
Information on the right to have personal data deleted or rectified in certain instances;
Strengthened conditions for control. Companies will no longer be able to use long illegible T&Cs full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent now must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

More information on GDPR and Consent.

Greater liability

Data Controllers (businesses) and Data Processors (third party solution providers), but particularly for Processors, can now be held accountable and have action taken against them. Controllers will also have the right to audit Processors. Higher fines for non-compliance can be levied – up to 4% of global turnover or €20 million/£17 million, whichever is higher.

More information on how to work with Third Party Solution providers.

Extra-territorial effect

GDPR requirements will apply if you process the personal data of EU citizens regardless of which country you are based in.

Risk based accountability

The requirement to notify appropriate authority of data processing has been removed but risk based accountability now takes an important role. This will impact amongst other things, contracts, privacy notice obligations, risk assessment, record keeping, etc.

Breach notification requirement

A new mandatory breach reporting scheme will take effect. Where there has been a data breach, whether as an accidental or unlawful loss, the data controller will have to notify and provide certain information to the data protection authority, data controllers and sometimes affected data subjects, within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified. The data controllers must maintain an internal breach register. Non-compliance can lead to an administrative fine up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Data Protection Officer requirement

DPO (Data Protection Officer) requirement applies to both controllers and processors of companies, irrespective of their size. The Regulation requires a DPO appointment in three specific cases (more information on How do I prepare for GDPR?). Non-compliance with the DPO obligation can be levied – up to 2% of global turnover or €10 million/£8 million, whichever is higher. If a business chooses not to appoint a DPO, it must maintains records of the reasons behind its decisions which demonstrate that all the relevant factors have been considered.

Stricter technical and organisational measures

Companies should look at existing best practices and recommendations, for example, the guidances of UK’s National Cyber Security Centre or CIS Critical Security Controls. Below some examples of measures recommended:

Organisational measures:

Recruit, train and appoint a DPO or appoint an external DPO – from outside your organisation;
Embed an appropriate Risk Management Regime;
User education and awareness programs and training;
Develop a home and mobile working policy and train staff.

Technical measures:

Secure Configuration of all systems (security patches, system inventory and baseline build for all devices);
Network Security (monitor and test security controls);
User Privileges Management (least privileges and user activity monitoring);
Continuous Monitoring and Control of all systems and networks;
Encryption;
Tokenization;
Anonymisation;
Pseudonymisation (separation of data from direct identifiers so that linkage to an identity is impossible without additional information that is held separately);
Resilience of systems and services processing;
Allow business to restore the availability and access of the data in the event of breach;
Frequent testing of the effectiveness of the security measures;
Implement privacy by design for all new technical programs and projects.

Cookie Subgroup	Cookies	Cookies used
documentation.mailjet.com	_cfuvid , __cfruid	First Party
.mailjet.com	OptanonConsent	First Party
mailjet.com	actualOptanonConsent , apt.sid , OptanonAlertBoxClosed , mail_session	First Party
app.mailjet.com	connect.sid , SERVERID	First Party
hello.mailjet.com	uvts , __cf_bm	First Party
m.stripe.com	m	Third Party

Cookie Subgroup	Cookies	Cookies used
hello.mailjet.com	ubpv , ubvs	First Party
dev.mailjet.com	_an_uid	First Party
app.mailjet.com	rl_page_init_referring_domain , rl_anonymous_id , rl_group_trait	First Party
mailjet.com	_vwo_ds , test_rudder_cookie , _vis_opt_s , rl_group_id , rl_user_id , _ga , rl_session , rl_page_init_referrer , ubvt , _vwo_uuid , apt.uid , optimizelyEndUserId , _gat , _vwo_sn , _ga_xxxxxxxxxx , _gid , _uetvid , _vis_opt_test_cookie	First Party
hello.learn.mailgun.com	visitor_id	Third Party

Cookie Subgroup	Cookies	Cookies used
hello.mailjet.com	_gd_session	First Party
mailjet.com	__q_state_zkTi4FmbUJniF8K2 , _vwo_uuid_v2 , apt.temp-xxxxxxxxxxxxxxxxxx , __tld__	First Party
demo.mailjet.com	_gd_visitor	First Party
dev.mailjet.com	_pin_unauth , __uvt	First Party
app.mailjet.com	__stripe_mid , __stripe_sid	First Party
mailgun.zendesk.com	_cfuvid, __cf_bm, __cfruid	Third Party
vimeo.com	_cfuvid, __cf_bm, vuid	Third Party
producthunt.com	__cf_bm	Third Party
goldcast.io	__cf_bm	Third Party

Cookie Subgroup	Cookies	Cookies used
www.mailjet.com	pardot	First Party
app.mailjet.com	rl_trait	First Party
hello.mailjet.com	visitor_id	First Party
mailjet.com	_gat_gtag_xxxxxxxxxxxxxxxxxxxxxxxxxxx , _uetsid , _fbp , _tt_enable_cookie , _ttp , _rdt_uuid , __q_domainTest , _gcl_au	First Party
linkedin.com	bcookie, lidc, li_gc	Third Party
pi.pardot.com	pardot, lpv830283	Third Party
bing.com	MSPTC, MUID	Third Party
hello.learn.mailgun.com	pardot	Third Party
pardot.com	visitor_id	Third Party
doubleclick.net	IDE, test_cookie	Third Party
youtube.com	VISITOR_PRIVACY_METADATA, VISITOR_INFO1_LIVE, __Secure-xxxxxxx	Third Party
www.google.com	_GRECAPTCHA	Third Party