The General Data Protection Regulation (GDPR) of the European Union (EU) is a law that regulates the handling of personal data and sets out the rights individuals have over their data. It has applied since May 25, 2018. It applies to any “individual, company, or organisation” that processes the personal data of people in the EU, whether the organization is based in the EU or elsewhere.
The European Union views the protection of personal data as a fundamental right of natural persons. The GDPR establishes requirements of organizations that process data, defines the rights of individuals to manage their data, and outlines penalties for those who violate these rights.
To better understand the GDPR, you should know what qualifies as personal data and data processing.
Think of personal data as any information that can be used to identify someone or is associated directly or indirectly with a living individual. This includes a person’s name, driver’s license number, location data, IP address, biometric data, and more.
Processing is a broad term that encompasses nearly any use of personal data, including collection, storage, organization, alteration, destruction, and transmission. For all intents and purposes, any use of personal data is considered processing.
Of particular importance to anyone who manages an email list is the requirement to obtain and document consent* from the recipients on that list. The recipient must actively opt in to receiving emails, for example by signing up online; a pre-ticked box or silence does not count as consent. You must keep a record showing who consented, when, and how. The recipient can also opt out at any time, the sender must honor that request, and opting out has to be as easy as opting in was. Keep the consent record current so that emails are never sent to recipients who have withdrawn consent.
*There are a number of different legal reasons for which your organization might be processing personal data. Some uses of data don’t require consent—for example, you don’t need the consent of a signatory to retain their name and signature on a business contract. But when it comes to maintaining an email mailing list, you should get consent from your recipients.
If an email address is all you need for your specific business purpose, an email address is all you should store. The GDPR's data minimisation principle requires that you process only the data necessary for the stated purpose and nothing more. All of this processing must also be done securely, following the regulation's requirement of data protection by design and by default (often called Privacy by Design).
Under the GDPR, an organization processing personal data acts as either a controller or a processor. A controller determines the purpose for processing the data. Whether the controller processes the data itself or contracts another party to do the processing, the controller decides how the data are used. A processor processes data only on behalf of the controller. The sole objective of the processor is to process the data for the controller.
For example, if you maintain a large email marketing list and use SendGrid to deliver promotions, you’re considered the controller, and SendGrid is your processor. You set the business purpose and control the data. SendGrid processes that data on your behalf.
Many businesses are both controllers and processors. You can read more in Chapter IV of the full GDPR legal text. We also have a blog post with more detail about what you need to know as an email sender.
The GDPR is meant to give rights to natural persons. Your customers may therefore ask that their data be corrected, or in certain circumstances erased. If data subjects want to move their data to another service, they are free to do so, and their data must be provided to them in a structured, commonly used, machine-readable format that other organizations can read. They also have a right to have communications about their data delivered in clear and plain language. For more about the rights of a data subject, see Chapter III of the full GDPR text.
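The consent record described above for email lists, the data-minimisation point (store only the address), and the subject rights in this section (export and erasure) all come down to the same piece of plumbing: an append-only ledger of consent events that the sending pipeline consults before every send. The following is an added example of that ledger, not SendGrid code and not a legal template; it assumes an in-memory list (a real deployment would persist it), treats the most recent event for an address as its current state, and uses constructed sample subscribers.

```python
"""Consent ledger for a mailing list.

Added illustration only: not SendGrid code and not a GDPR template.
Assumptions: an in-memory, append-only list of consent events; a real
system would persist it, and the send pipeline would consult it every time.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Data minimisation: the only field the list needs is the address itself.
# Anything else on the signup form is discarded, not stored.
ALLOWED_FIELDS = {"email"}
ACTIONS = ("opt_in", "opt_out")


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    action: str      # "opt_in" or "opt_out"
    timestamp: str   # ISO 8601, UTC
    source: str      # evidence of how consent was given or withdrawn


class ConsentLedger:
    def __init__(self):
        self._events = []  # append-only, chronological

    def _record(self, email, action, source, when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        when = when or datetime.now(timezone.utc)
        event = ConsentEvent(email.strip().lower(), action, when.isoformat(), source)
        self._events.append(event)
        return event

    def opt_in(self, form, source, when=None):
        """Record consent from a raw signup submission, keeping only the email."""
        if "email" not in form or not form["email"].strip():
            raise ValueError("signup form has no email address")
        # Extra fields such as name or phone are dropped here rather than stored.
        return self._record(form["email"], "opt_in", source, when)

    def opt_out(self, email, source, when=None):
        """Record withdrawal of consent, e.g. from an unsubscribe link."""
        return self._record(email, "opt_out", source, when)

    def history(self, email):
        key = email.strip().lower()
        return [e for e in self._events if e.email == key]

    def status(self, email):
        """Current consent state: the most recent event wins; None if unknown."""
        events = self.history(email)
        return events[-1].action if events else None

    def sendable(self, candidates):
        """Filter a send list down to addresses with a current opt-in."""
        return [c for c in candidates if self.status(c) == "opt_in"]

    def export_subject(self, email):
        """Portability: everything held about one person, as JSON."""
        key = email.strip().lower()
        record = {"email": key,
                  "consent_history": [asdict(e) for e in self.history(key)]}
        return json.dumps(record, indent=2)

    def erase_subject(self, email):
        """Erasure: drop every event for the address; returns the count removed."""
        key = email.strip().lower()
        before = len(self._events)
        self._events = [e for e in self._events if e.email != key]
        return before - len(self._events)


if __name__ == "__main__":
    # Constructed sample data, not real subscribers.
    ledger = ConsentLedger()
    ledger.opt_in({"email": "Alice@Example.com", "name": "Alice", "phone": "555-0100"},
                  source="web form /newsletter")
    ledger.opt_in({"email": "bob@example.com"}, source="web form /newsletter")
    ledger.opt_out("bob@example.com", source="unsubscribe link in message 42")
    print("will send to:", ledger.sendable(
        ["alice@example.com", "bob@example.com", "carol@example.com"]))
    print(ledger.export_subject("alice@example.com"))
```

The ledger is deliberately append-only so that a later opt-out never overwrites the proof of the earlier opt-in; the current state is derived, not stored. Whether to keep a suppression marker after erasure so a removed address is not accidentally re-added is a design decision this example does not take.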
SendGrid believes the GDPR is an important move in the right direction. We value our customers’ data. That’s why we’re Privacy Shield certified, GDPR compliant, and we protect personal data throughout the entire processing chain. For more information, please visit our GDPR page or browse our FAQ.