This article provides an overview of SendinBlue's initial and ongoing initiatives to ensure our own GDPR compliance as your data processor, as well as our efforts to support our users' compliance as data controllers.
These initiatives focus on five key areas which are outlined in detail below:
- Key features
- Management of partners and processors
- Legal documentation
1 – The adaptation of key features
SendinBlue identified the key GDPR milestones to meet by collaborating with a sample of our users, our account managers, the product team, the technical team, and our legal counsel.
The duty of providing information in the context of accountability
These resources are available on the platform to help users be compliant in the key usage steps of our platform:
- Importing contacts
- Building email subscription forms to acquire consent from contacts
- Creating email campaigns to send to subscribers
A GDPR-specific section has been added to the help center, and we continue to organize regular informational webinars on the subject as well.
The right to rectification, portability, and to be forgotten
The rights to rectification, portability, and to be forgotten have been well established for several years. Therefore, we don’t have any operational changes related to these rights. However, as indicated above, we have provided more details on the modalities of exercising these rights.
Until now, all of our transactional email logs have been preserved indefinitely by default.
Starting at the end of May 2018, it will be possible for users to define how long they wish to preserve the logs their transactional emails and the preview of the content contained in each of those messages. This functionality is already available by request through our customer care team.
Email subscription forms
Special attention was given to email subscription forms during the compliance process because it is such an integral part of compliance for our users.
Proof of consent
Once the contact information is collected, proof of consent will be available in the contact profile.
Each contact profile will include the exact moment of subscription, the ID of the form used to subscribe, and their IP address. This information will be exportable to allow SendinBlue users to provide easy proof of consent if necessary.
2 – An advanced security review
We know data security is a sensitive issue for many, which is why it has always been one of our top priorities. The GDPR has empowered us to take this priority even further: ensuring airtight data transfers and data storage as well as improving data monitoring and control for easier and more secure access for our users.
The installation of data archiving and traceability systems
To prevent data breaches, it’s necessary to have tight control over the data processing that occurs on our platform.
Using data tracking and log identification, we have enacted a data traceability system across all of the data processing procedures on our platform.
Additionally, we sought to maximize the security of our users’ archived data. This data is now being stored in separate databases and the personal data has been encrypted.
These archives are stored solely for legal purposes. Once the retention period completed, the data is purged from the database.
Network penetration tests
We have begun working with a consulting firm that specializes in cybersecurity and received very positive feedback regarding the difficulty of penetrating our system.
Knowing that we can always do more to ensure our data security, we turned to Bounty Factory. This British platform allows us to crowdsource additional research into our network and data security from a large community of “white hat” or ethical hackers and security researchers.
The program, known as a bug bounty, strongly encourages research into the vulnerabilities of our system, with each vulnerability (or “bug”) that is found being rewarded with a financial bounty.
The compensation system creates a strong incentive for researchers to discover any possible vulnerabilities in the SendinBlue system, minimizing our risk of potential malicious attacks.
3 – The management of our partners and processors
One of the main principles introduced by the GDPR is shared accountability. This essentially means that all stakeholders, whether they be the controller (the party who determines the purposes and means of the data processing), or one of the processors further down the chain, carry a portion of legal responsibility since the processing is being performed on personal data.
Carrying the dual role of controller and processor, SendinBlue is required to approach the principle of accountability from both sides.
As a processor, we have established means to guarantee GDPR compliance across our entire chain of data processing with all of our partner software providers.
As a controller, we must also guarantee the compliance of our own processors with the new regulations. Consequently, we contacted processors with specific questions regarding their data processing methods. This has allowed us to ensure that their procedures surrounding the processing of our data are in line with the GDPR and the commitments we have to our customers.
We ceased collaboration with any processors who were not able to provide satisfactory responses to our questions.
Once we were able to receive satisfactory responses from our other processors, we contractualized our requirements with DPAs (Data Processing Agreements).
The DPA is a document specifying the type and methods of data processing being carried out by the processor on behalf of SendinBlue, which makes it possible to ensure a legal framework and data traceability.
For our processors located in the United States, we have also verified their Privacy Shield certification, which is a necessary condition for processing the data of European citizens.
4 – Legal documentation
A processor clause has been drawn up and appended to our Terms and Conditions in order to detail the role and responsibilities of SendinBlue vis-à-vis our users as a third-party service provider.
5 – The internal implications of the GDPR on the SendinBlue organization
The GDPR also compelled us to optimize our internal organization and come up with best practices and procedures that support the main principles put forth by the regulation.
Certain individuals in SendinBlue have roles that require privileged access to personal data.
For example, account managers might need to access certain elements of a user account in order to answer a support question.
We have started by expanding the confidentiality clause in the contracts of salaried employees and facilitating training sessions.
The training includes a general overview course on GDPR requirements, as well as specialized training courses designed to build off of the initial training for specific teams that deal with sensitive data on a regular basis.
This provides all personnel with a clear understanding of their obligations with regards to the new regulation.
Internal procedures and controls
In order to ensure a smooth application of our compliance measures, we reviewed all of our internal procedures surrounding the management of employee access to personal data, the handling of requests from individuals seeking to exercise their rights regarding their personal data, and the processes involving the preservation and purging of data.
A control plan has been established to regularly verify the proper application of these procedures and the updating of the corresponding documentation.
The nomination of individuals charged with maintaining proper compliance
The implementation of our compliance measures was managed by our Chief Operating Officer. In parallel, we have appointed Jule Jeanroy as our DPO (Data Protection Officer), who is responsible for ensuring SendinBlue’s continued compliance with the GDPR over time.
It is also the DPO’s responsibility to monitor the application of the different aspects of the regulation and ensure that we respect the main principles of the GDPR, particularly the principle of “Privacy by Design,” which refers to the compliance of a data processing procedure before it’s actually implemented.
Our DPO will be assisted by a SecOps for aspects specifically related to data security and traceability. If you need to get in contact with our DPO, he can be reached directly by email at email@example.com.
Current status and next steps
GDPR compliance, in itself, is never truly finished. It’s an ongoing process that requires regular monitoring and confirmation that the principles of the law are being upheld internally with our current data processing, as well as continued evaluation using the criterion of Privacy by Design for each new procedure that involves the processing of personal data.
SendinBlue is proud to have accomplished the first part of the challenge. We will continue to maintain our dedication to compliance in order to remain a trusted third-party software provider for our users.
Undertaking this massive compliance operation has provided SendinBlue with several benefits, including:
- Rallying our entire organization around a common goal and collaborating across different teams in order to achieve it
- Implementing even more rigorous procedures around our data management and processing to continue improving our security
- Quickly achieving compliance with the help external partners
- Performing an innovative assessment of our network security and implementing the necessary corrective measures
- Reinforcing the link between SendinBlue and our users by providing the tools necessary for GDPR compliance in our platform
SendinBlue is an organization comprised of nearly 150 people, and we are all committed to ensuring the security and confidentiality of the personal data entrusted to us. We take this responsibility seriously as part of our core mission to provide an all-in-one digital marketing platform for small and medium-sized businesses to grow and succeed.
Questions or concerns?
We are always happy to respond to any questions or discuss any concerns you might have regarding SendinBlue and the GDPR. Contact us anytime by email at firstname.lastname@example.org.