The General Data Protection Regulation (GDPR), the new EU data privacy legislation, came into force on May 25th 2018.
The responsibility for conforming to the requirements of the GDPR is placed on both the Individual or Company acquiring, holding and/or using the data and on any Individual or Company holding and/or processing that data, such as SendReach in its capacity as an Email Service Provider.
We don’t provide legal advice; you should consult your legal advisor regarding the way you conduct your business and what you should do to comply with GDPR.
The GDPR is based entirely on how and on what basis personal data is collected, how it is stored, what access the person involved has to their personal data, how they are able to modify that data and/or have it deleted, and how that data is used.
Below we show the main requirements of GDPR and how SendReach assists you in meeting those requirements:
A. Obtain Consent
A “Consent” checkbox must be included in all Optin Forms, unchecked by default, where the Subscriber can indicate their consent for sending them emails periodically, and they can only be added to the list if they indicate that consent. It is necessary that that consent be recorded and retrievable at any future date as proof of consent.
GDPR also applies to existing subscribers and in their case if the Subscriber Record includes the Subscriber’s IP Address, that is accepted as proof that they did Optin in accordance with previous legislative requirements, as the action of “Submitting” an Optin Form via any ESP automatically includes the capture and recording of the submitter’s IP Address.
B. Right to Access/Rectification
Subscribers must be able, at any time, to “Update their Profile” information – the personal data held in the Subscriber Record.
Subscribers may contact you directly in order to have their data corrected/removed and if so you should always manually fulfill their request.
C. Right to be Forgotten
Subscribers must be able to Unsubscribe at any time, thereby ensuring that all personal data held is permanently deleted within 14 days.
A Subscriber can remove their personal data by using the “Unsubscribe” Link automatically included in all email footers. The use of the “Unsubscribe” Link results in the subscriber’s personal data being immediately deleted from the current Subscriber database in real time. SendReach Data Backups are deleted after 14 days at which point the personal data of a Subscriber who Unsubscribes is thereby permanently and irrevocably deleted from all SendReach files.
D. Data Portability
Subscriber personal data must only be moved from one location to another in a secure manner.
You can export your subscriber records at any time from your SendReach account, and that export function is carried out in a secure manner. Once exported you as the SendReach account holder are responsible for its security.
E. Privacy by Design
It is necessary that Personal Data is acquired, stored and processed in a carefully structured and managed environment, with a designated person responsible for security.
The SendReach datacenter utilises state of the art security systems to ensure Subscriber data is held in a secure environment at all times.
F. Breach Notification
In the case of a data breach at any location in which the data is stored or processed, the Subscriber must be notified immediately if they are likely to be affected in any way.
SendReach will inform you immediately should there be any breach in datacenter security concerning your subscribers’ data. You can send a regular campaign to your subscribers for this purpose.