In April 2016, the General Data Protection Regulation (GDPR) — a joint proposal by the European Commission, European Parliament, and the Council of the EU which provides individuals with even greater control over the collection and use of their personal data — was adopted by the European Union.

As a provider of a world-class email marketing platform, which by its nature has a global reach and deals with the processing of email contact and engagement information, Campaign Monitor is committed to ensuring our customers are able to comply with their requirements under the GDPR.

With that goal in mind, we’ve created a robust privacy program that integrates data privacy into Campaign Monitor’s core — from training our managers and executives on the GDPR and how it impacts all decisions related to treatment of personal data, to evaluating all of our systems, security practices, and related documentation. Among other things, the key steps that we are taking to comply with the GDPR regulations are:

Chapter 2

Lawful Data Processing

As a marketing professional, especially in the context of using an email marketing application like Campaign Monitor, you will likely rely on consent (see: Consent and Purpose article) as the lawful basis for processing your subscribers’ personal data. While consent is not the only way to lawfully process personal data, at least one of the following grounds for lawfully processing personal data must apply (Art. 6 GDPR):

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

While it’s true that for most marketing activities, the industry tends to rely heavily on consent as the lawful ground for processing, it is up to you to analyze your data processing activities and choose the right justification(s). If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with legal counsel to ensure processing activities are properly justified. As always, diligent record keeping is vital to support these justifications.

Relevant Definitions:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Chapter 3

Security

Risk and Appropriate Technical and Organisational Measures

While personal data is defined very broadly under the GDPR, the sensitivity of the data and the severity of harm that may result in the event of unauthorized access to the data are not equal across all data. This means that the measures by which you secure personal data (type of encryption, backup procedures, password requirements, etc.) may vary by data type and by the processing activities undertaken using that data. The GDPR requires protection of personal data using “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” throughout the life cycle of the data.

“In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” (GDPR, Recital 78)

The regulation does not prescribe any specific security mechanisms, but rather requires that data controllers and processors take into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”⁶ should data be subject to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.

Some measures that the GDPR highlights are pseudonymisation and encryption, but the extent to which they represent a standard for data security is unclear. Until clearer guidance is released from the EU, we recommend keeping an eye out for guidance from industry thought leaders, trade organisations, and data security experts and organisations (like the National Institute of Standards and Technology, or NIST); there may also be clarity in Member State laws and in future documents issued by the EU governing body.

Regardless of your current security measures, the GDPR highlights the need for ongoing evaluation of the risk to personal data, and of the security measures protecting it, as your product evolves.

Privacy By Design

The GDPR’s “Data Protection by Design and by Default” model, or more commonly, the ‘privacy-by-design’ model, requires that principles of data protection be taken into account at the product development phase rather than after data is already being processed. By implementing appropriate technical and organisational measures, taking into account the nature and sensitivity of the data types that will be processed, and ensuring that appropriate data minimization measures are implemented at the product (and feature) development phase, personal data is protected at all stages of its life cycle.

Data Breaches

If you’re getting a hint of that new-regulation smell, that’s because data breach handling and notification is a previously-untouched scope of data privacy law in the EU. In the GDPR, the rules for how and when you should notify data subjects and/or the relevant authorities are made clearer.

Notice from Controllers to Supervisory Authority:

For controllers, notice to the appropriate supervisory authority must be made “without undue delay and, where feasible, not later than 72 hours” after becoming aware of the breach, with the following information⁷:

  1. Describe the nature of the personal data breach including, where possible,
    1. The categories and approximate number of data subjects concerned; and
    2. The categories and approximate number of personal data records concerned
  2. Include the name and contact details of the data protection officer or other contact from whom more information may be obtained
  3. Describe the likely consequences of the breach
  4. Describe what the controller is doing to address the breach and/or mitigate possible adverse effects.

Throughout the process of identifying, measuring the scope of, and remediating the effects of the breach, records should be maintained to “enable the supervisory authority to verify compliance with this Article.”⁸

Notice from Processors to Controllers:

Processors must inform “the controller without undue delay after becoming aware of a personal data breach”.

Notice from Controller directly to Data Subject:

If the personal data in question represents a “high risk to the rights and freedoms of natural persons,” the controller will need to notify the data subject without undue delay. This notification should include a description of the breach in clear, plain language that includes contact details for the appropriate person (DPO or otherwise), the likely consequences of the breach, and the current and future measures the controller will take to address the breach.

There are a few exceptions to the data subject notice requirement: where the controller employed safeguards or has taken subsequent action that renders the risk from the breach inert, and where individual data subject outreach would require disproportionate effort. But as with any exception under the regulation, legal counsel should be sought before proceeding.

Relevant Definitions:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

⁶ Article 32(1)
⁷ Article 33(3)(a)-(d)
⁸ Article 33(4)

Chapter 4

How can I submit a request to exercise my (or my subscriber’s) GDPR rights?

  1. Head over to https://help.campaignmonitor.com/contact
  2. Ensure that you select “GDPR Request” as your main issue, and the appropriate subcategory of Deletion, Retrieval, or Rectification to indicate the specific GDPR rights you’d like to exercise.
  3. Please provide the following information in the notes with your request (this part is important for us to be able to help as quickly and accurately as possible!):
    1. Full name of the data subject
    2. Email address of the data subject
    3. Username for the account
    4. Admin email address of the account
    5. Name of the client account
  4. Our Support team will be in touch with confirmation that we’ve received your request, and we’ll start processing for you as quickly as possible. You’ll receive confirmation when we’re all done and we’ll make sure to deliver any collateral in a secure format (if applicable).

If your subscriber’s personal data was provided to us in connection with any prior request for support or services, please indicate this when submitting the request to our Support team.

Chapter 5

Sub Processors

Name | Processing Location | Description
Amazon Web Services | United States | Amazon AWS hosts the services provided by Campaign Monitor, including the databases which store personal data.
Beaufort12 | United Kingdom | CM4SFDC provisioning
TalkDesk | United States | Support ticketing software
Salesforce | United States | Customer support case tracking
Google G Suite | United States | Internal communication/collaboration
Slack | United States | Internal communication/collaboration
Atlassian | United States | Ticketing and productivity suite
Litmus | United States | Email testing
Email on Acid | United States | Email testing
PayPal | United States | Payment processing
Stripe | United States | Payment processing

Campaign Monitor Affiliates

Campaign Monitor is part of CM Group, a collection of marketing technology service providers. Certain internal business purposes which relate to Campaign Monitor’s services may be provided by affiliates of CM Group. For more information about CM Group, please visit CM Group’s website.

This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.
