GDPR

The European Union’s General Data Protection Regulation (GDPR) is perhaps the most expansive legislation governing the use of sensitive consumer data ever enacted.

Contrary to popular belief, just because a business is physically located outside the EU, it is not exempt from GDPR. Nor does the decision to cease selling products to EU citizens offer freedom from the regulation.

Bottom line—if you retain and process any Personally Identifiable Information (PII) from EU citizens, you are subject to GDPR. Given that PII under GDPR can be a website cookie or IP address, most online businesses will be subject to the legislation, regardless of physical location.

What does this mean for MageMail and MageMail customers?

Here we summarize the steps MageMail is taking to ensure full GDPR compliance on or before the enforcement date of May 25th, 2018. We offer a brief summary of the complex legislation. Lastly, we point you in the direction of additional resources that may be of use to you in your journey towards GDPR compliance.

Our Commitment to MageMail Customers:

We are committed to privacy and trust.
We want to make it easy for MageMail customers to comply with GDPR.
Compliance with GDPR is a shared responsibility. It will likely require changes to the way your organization retains and utilizes customer data, and how you communicate with customers.
It’s important to understand your obligations regardless of where you or your business resides.

What You Can Expect From Us:

Our product (current generation), systems, and processes will meet your needs.
We will have contractual commitments to ensure GDPR compliance and protection by all related parties.
We will continue to invest in technology and resources to build security and privacy into our platform.

MageMail’s Road Map to GDPR Compliance:

Impact Analysis: Research all business and technical areas that could be impacted by GDPR. Include the mapping of current and future-state data within MageMail and relevant 3rd party systems. (Complete)
Third-Party Compliance Analysis: Verify that our partners are or will be compliant. (Complete)
Product Planning: Adjust current generation (v3) product roadmap to achieve GDPR compliance. (Complete)
Product Development Process Updates: Revise our product development process to include the concept of compliance in product design. (Complete)
Operational Process Updates: Implement operational policies, procedures, roles, and responsibilities to achieve and maintain compliance, including data protection. (Complete)
Data Breach Notification Plan: Develop plan for complying with notifying the commission within 72 hours of a data breach of any kind. (Complete)
Privacy Policy Revisions: Revise our Privacy Policies to comply with GDPR. (Complete)
Terms of Service Revisions: Revise our Terms of Service to comply with GDPR. (Complete)
Data Processing Agreement (DPA): Release a DPA to sign for customers within the EU or transacting business with EU customers. Please contact us if you need this agreement (Complete)
Employee Training: Train and create awareness for employees. (Complete)
Customer Communication: Communicate compliance and further recommendations. (Complete)

What Does GDPR Mean for Emails Sent Using Magemail?

Ensure that you use Magento, MageMail, and any third party ESP in accordance with all laws governing privacy and commercial email. This means compliance not just with GDPR but also CAN-SPAM and similar legislation worldwide.Two prominent examples of this include adding your physical store address and unsubscribe links to your emails.
Maintain your data: By design, Magento is the system of record of your customer data, with the exception of subscriber lists that you imported directly into MageMail. MageMail only synchronizes with Magento the data required for your email campaigns, for analytics, and for increased performance.
Follow opt-in rule compliance. It’s good practice to ask customers for their communication preferences when they make a purchase or create an account.Under GDPR, pre-checked opt-in boxes are no longer considered sufficient consent.
Distinguish between transactional and marketing/commercial emails and follow the applicable rules accordingly. You can send both with MageMail, and some transactional emails may be considered marketing emails depending on their content.

More Information and Resources on GDPR

Even before it officially goes into effect on May 28th, 2018, the GDPR is having a significant impact on how business is conducted online.

Designed to give EU citizens greater control and ownership of how their Personally Identifiable Information (PII) is collected, stored and processed, the GDPR applies not only to businesses physically located in the EU, but to any business that retains or processes the PII of EU citizens (or “data subjects”).

Given the GDPR deems both cookies and IP addresses to be PII, this means that most online businesses will be subject to the legislation.

Here is a brief summary of GDPR’s salient points:

Data Protection Officer – Controllers and processors of PII must appoint a Data Protection Officer (DPO). The DPO must have “expert knowledge of data protection law and practices.” The DPO is responsible for interacting with the GDPR’s regulatory authority and any privacy-related complaints or requests from EU citizens.
Consent – The bar for what is considered consent to the use of PII for marketing activities has been raised considerably. Pre-checked opt-in boxes and lengthy “terms and conditions” are specifically prohibited. Consent now requires a deliberate affirmative action. This can include checking a box where a description of how the PII will be used is given in plain – not legal – language.
Cross-Border Transfers – Transmission of PII to countries outside the EU, especially to countries deemed to have inadequate privacy safeguards is strictly regulated.
Profiling – The use of PII to make decisions about EU citizens, for example what price to charge them for a product or a determination of whether they are creditworthy, is prohibited.
Data Breaches – Any breach of PII data must be reported to the appropriate regulatory authority within 72 hours.Under certain circumstances, businesses bear the additional responsibility of notifying EU citizens personally if their sensitive data was compromised in a breach.
The Right of Erasure and the Right to Be Forgotten – Upon request, all PII retained by a data controller must be erased, regardless of whether initial consent to use was given.
Fines and Enforcement – The harsh penalties that can result from failing to obey the GDPR are perhaps the aspect of the legislation which has garnered the most attention. The maximum penalty under GDPR is four percent of annual worldwide turnover, or $25 million (approximately €20 million), whichever is higher.