As our resident legal expert here at Mailjet, I set aside at least a full day each week to take care of our data privacy issues. I had put together a compliance roadmap of items to be handled before the year-end as part of the GDPR readiness plan. The next item on my to-do list was to update our Privacy Policy.
Privacy Matters With GDPR
So what exactly is a Privacy Policy?
You see them on most websites, drafted in many different ways. But what is a Privacy Policy exactly? It is important to note that a Privacy Policy is not the same as the Terms and Conditions of Service (or of Use). If you collect and process personal data, you are most likely required to make information available to your users that explains how you handle their data.
The old EU directive already required certain information to be provided to data subjects when their data is collected, including the company's identity, the purposes of the processing, the existence of rights to access and rectify the data, and so on, and each EU Member State carried the same requirement into its national law. The GDPR requires that this information be more detailed and clearer still.
So when collecting personal data, you should disclose how you gather, use, disclose and manage your customers' or users' data, because each individual has a fundamental right to the protection of their data and to be informed about how it is processed.
What needs to be included?
I last updated Mailjet's Privacy Policy in September of last year. At the time, I wanted not only to harmonize all our online policies but also to make them clearer for our customers, and the previous version was, to say the least, pretty outdated.
This time around, I needed our policies to be fully in line with the new GDPR requirements, as the regulation imposes additional requirements on the information to be provided when personal data is collected. For example, not only do the purposes of processing need to be stated, but now the legal basis for each purpose must be stated as well. In our case at Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.
As a summary, the key information to be provided to your clients and users under GDPR is:
- Identity and contact details of the data controller
- Contact details of the DPO (when applicable)
- Processing purposes and the legal basis
- Where the processing is based on legitimate interests, the legitimate interests pursued
- Recipients of the personal data, if any
- Data transfers outside EEA, when applicable
- Data retention period
- Rights to access, rectify and erase data
- Right to lodge a complaint with a supervisory authority
- Existence of any automated decision making (including profiling) and the logic behind it
How exactly to create/update your policy?
In my opinion, the best way to tackle this project was to go through the actual GDPR regulation — article by article — and modify our Privacy Policy accordingly.
I had to include the now-mandatory information (including the new contact information of our DPO, who, in case you've forgotten, is yours truly, plus the supervisory authority and the right to lodge a complaint with it) while at the same time attempting to describe all this in a clear and concise manner.
One of the main underlying principles of the GDPR is transparency: any information addressed to the public must be clear, concise, easily accessible and easy to understand. The information provided should not be bogged down in legal jargon or buried in cumbersome online conditions.
So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.
After spending several hours on the first draft, I passed it along to my colleagues (those without a legal background) to get feedback on the clarity and understandability of the document. I also met with our CTO to ensure we were aligned on the technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day I had a solid working draft. Hurrah!
I spent the following few days tweaking the policy to get it just right and coordinating with our marketing team to set the schedule for its release date. Of course, we needed to give our clients at least 30 days' notice of these updates and write a clear email describing the changes. At the same time, some modifications needed to be made to our Terms of Use, so why not use the same notification to our clients for both? Two birds with one stone.
What was updated?
The main items that were incorporated into our new Privacy Policy (which was effective as of September 15th) are:
- To harmonize the terminology with the terms used in the GDPR (words such as data subject, controller, data processor, supervisory authority)
- To clarify the consent policy (how we obtain our clients' consent)
- To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
- To define our legal basis for data processing
- To allow us to respond directly to a request from a data subject to modify or delete their data. In the past, we had to request authorization from our customer directly and await their instructions.
- To better clarify our data retention periods. This is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise, and the retention policy needs to be worked on closely with our technical team to put the right processes in place.
- To communicate our new minimum password security requirements
- To share our new DPO contact information (yours truly!)
Take a look at our GDPR-compliant Privacy Policy.
In the meantime, are you creating or updating your company’s privacy policy? Share your experience with Mailjet on Twitter.
This post was first published on the Mailjet Medium account.