What exactly is GDPR?
Aside from an increasingly popular buzzword, GDPR is a sweeping change to Europe’s out-dated privacy and security policies. GDPR stands for General Data Protection Regulation and it’s going into effect on May 25, 2018. The new regulations will require companies in the EU (or companies that have customers in the EU) to meet new regulations around the methods of collecting, securing, and deleting personal information.
Some other main themes of the new regulations include data transparency, increased scope of responsibility for those who process personal information, and consent to collect and process personal information. GDPR empowers its residents to better understand who is processing their data, why their information is being processed, and the ability to have their information deleted from specified sources. Failure to comply can be met with very steep fines.
In a nutshell, if your company (or your company’s employees) email EU residents or companies, these regulations may apply to you.
How GDPR Applies to Sigstr
Part of the GDPR is increased scope of responsibility. Companies who process data (like Sigstr) are jointly responsible for following the new regulations’ practices. This is why Sigstr is taking a proactive approach to help educate and prepare for the new changes.
Under GDPR, there are two different entities - data controllers and data processors. Data controllers own and control what information is being collected, and why the data is being processed. Processors are responsible for exercising control of the data they process and the security of that data.
In the case of Sigstr’s email signature marketing platform and its customers, Sigstr acts as the data processor and customers act as the data controllers.
What is Sigstr doing to prepare for GDPR?
Over the past several months, Sigstr senior leadership has consulted with experts, hired a Data Protection Officer, and conducted thorough reviews of its processes and documentation to prepare for the new GDPR.
Under GDPR, it is no longer acceptable to store more personal information than what is needed (of EU residents), or to store information indefinitely. Sigstr is developing data management features that can be configured to meet GDPR and specific customer needs.
The “right to be forgotten” is one of the more talked about key changes - it states that users can request to have their information deleted at any time. Sigstr will provide tools to view and delete user information on demand to fit this requirement.
Sigstr also appointed a Data Protection Office (DPO), which is a requirement for both controllers and processors. The DPO is responsible for being the main point of contact for data privacy needs, and for ensuring that his/her company is following best practices.
Data Protection Agreements
A large part of GDPR is documenting what data is being processed and why. Data Processing Agreements (DPAs) outline and set expectations between Sigstr and its customers when it comes to processing data. This allows for transparency and, as a data processor under the new GDPR, Sigstr is willing to sign DPAs with our customers. Every industry has a different set of regulations and Sigstr will ensure that we align to those requirements.
Not sure what a DPA should look like? Reach out to us at email@example.com and we can help provide examples of what one should look like.
Why is this important to you?
One of the biggest changes under GDPR is joint responsibility for data processing and privacy. Companies are now responsible for the data they send to their third party vendors, and what the vendors do with that information. Sigstr’s GDPR features and transparency make us one less thing to worry about with the sweeping privacy changes outlined by GDPR. As the new regulations continue to evolve, Sigstr will be ready for them!
If you have any questions for Sigstr’s Data Protection Officer or Security Team, email firstname.lastname@example.org.