GDPR compliant email marketing

Updated July 31st, 2020

How AdBase, Inc. DBA ("SendSquared”) can help you prepare for the General Data Protection Regulation changes

The GDPR (General Data Protection Regulation) came into force on 25th May 2018. The GDPR legislation is designed to give people in the EU more control over their data and to unify the regulations across the EU for how that data is processed. The legislation applies to all businesses operating in the EU and to all businesses (irrespective of location) who handle personal data belonging to those in the EU. SendSquared is fully compliant with the regulation and we’re here to help you comply too.

What has SendSquared done to achieve compliance?

Through reading the EU documentation on the GDPR and working closely with our lawyers to grasp the impact on SendSquared and our customers we have taken the following steps to be compliant.

  • Thoroughly research where and how SendSquared is impacted by GDPR – DONE
  • Educate all staff on the GDPR – DONE
  • Rewrite our Privacy Policy to clearly explain our role as both a processor and controller – DONE
  • Identify features and changes to the SendSquared website which will help compliance – DONE
  • Implement additional features, such as offering a user the option to delete their account in the Dashboard – DONE
  • Audit all suppliers of Send² to ensure their compliance and sign DPA’s with each – DONE
  • Make the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – DONE
  • Communicate the full compliance – DONE

How can SendSquared help me achieve compliance?

While it’s important that SendSquared is compliant with the changes, it’s equally paramount that you, our customers, are compliant and understand what’s involved with the changes. We’ve made the following changes to the platform which will make it simpler for you to comply and to remain on the right side of the law.

  • Launch Double opt-in functionality, which will make it simpler to record that users have given explicit consent – DONE
  • Add the option for customers to add ‘Terms & Conditions’ checkboxes to their hosted and embedded forms – DONE
  • Provide education and support on the upcoming regulation – ONGOING
  • Offer a data processing agreement which can be signed by you, the controller – DONE

You will also need to update your Privacy Policy to communicate to your users that you are using SendSquared (and why you are using it) on your website or app.

How does GDPR affect me?

The GDPR, like any change in law, is a huge document made up of a number of different articles and concepts. Using our experience and knowledge gained by going through the compliance process ourselves we have outlined the key changes which will likely affect your businesses. We’re not lawyers, so we’d advise taking legal advice where required. We’d also recommend that you give the legislation a read yourself, the UK ICO website is a great place to start.

It covers all businesses, irrespective of location This is perhaps the biggest change to data protection regulations, which is why it’s here, right at the top. GDPR applies to all companies processing the personal data of individuals (data subjects) based in the European Union, regardless of the company’s location. In short, if you run an store based in the USA which is targeting customers based in Germany, then you will need to comply with GDPR. In that case you will also have to appoint a representative in the EU.

Fines One of the main reasons why companies are taking GDPR so seriously is the huge fines which can be issued if in breach of the regulations. If you are found to have breached the regulation you can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The fines apply to both controllers and processors and will be issued for serious breaches. With the right advice and steps taken, though, you should be okay.

Consent SendSquared only allows you to send emails to users who have opted in, or consented, to receiving communications. This will remain the same, but GDPR will strengthen the conditions for consent. Consent must be freely given, it must be distinguishable from other matters and be provided in an easily accessible form, using clear and plain language. You will need to make it as easy to withdraw consent as it is to give it, so ensure you have unsubscribe links in all emails.​ In short, this will not mean a significant change for most genuine businesses; if you’re using any kind of confusing double-speak and pre-ticked checkboxes to collect emails for marketing purposes, they are no longer okay.

Breach notification In the event you get hacked or an employee’s laptop gets stolen you will need to notify your customers if the breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. No cover-ups allowed, even if you’re a large VC backed taxi firm.

Right to access Your customers, employees or other data subjects have the right to now request how their personal data is being processed, where it’s being processed and for what purpose. Furthermore, you’ll need to be able to provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten This entitles the data subject to have the controller of the data erase their personal data. This only needs to be done under certain conditions, which are outlined in article 17 of the GDPR. As a controller you should not be holding personal data for any longer than necessary – those old lists and campaigns you have in SendSquared? If they’re not needed anymore, they should be deleted.

If you have any questions about GDPR compliance and what Send² has done to achieve it, please get in touch.

Ready to dive in?
Start your free trial today.

Build a better email with SendSquared.