How to become GDPR Compliant? Insights from Mailjet’s DPO Darine Fayed

Mailjet is one of the few GDPR compliant companies which has cracked the complex regulation very well. Last week, I sat down with Mailjet’s Head of Legal and Data Protection Officer (DPO), Darine Fayed to understand their GDPR journey and how SaaS companies are GDPR compliant. Darine shared some of Mailjet’s best practices to be GDPR compliant.

In this interview, Darine explained to us how being compliant is not just about laws and regulations but also creating an improved customer experience. Darine talks in depth about the Record of Processing Activities, its benefits to the rest of the organization and the resources needed to be compliant before the official deadline.

How did you start doing your Records of Process Activities (GDPR Compliant Proess)?

We started with a compliance roadmap where we listed every obligation we needed to take care of before the deadline, which in our case was December 2017 because we want to offer become GDPR compliance to our customers before the official deadline. We really wanted to become GDPR compliant.

One of the obligations in our list, from Art. 30., is to maintain a Records of Processing Activities aka Data Registry. This article basically entails that we, as an organization, must keep track of all the data that we collect, hold, process and that we identify the responsible party for that data, also to make sure to note the data retention period.

It was an identification process for us - to give us a global view of the data we store and to properly manage the flow. The whole data registry for us was one of our GDPR compliant roadmap steps.

Some companies think they don’t have to do the Record of Processing Activities (RPA). How did you identify that as an obligation?

In our case, we serve more than 100.000 customers in Mailjet, and we process a large volume of personal data from our customers, containing  anything that they enter into our platform, such as the contact list which includes their email address and also other specific information like gender or any other personal identifier of that specific person. From this, we realized we are dealing on a large scale basis with this kind of data.

And I know there is an exception under the GDPR compliance for micro and middle size companies - that any company that has under 250 employees and a turnover of less than a certain amount of Euros can be exempt. But for us, it is not just about being GDPR compliant but there are also other benefits behind having the Records of Processing Activities [done]. It’s for the entire global view of our company and for just basic good business practices and organization.

It’s also really important for companies to have a complete understanding of what data they collect because it also helps identify and comply to the other obligations you have under the data processing rules.

Find out more about the exemptions for micro and small size companies in these guidelines.

From your perspective, if a small size company, let’s say ten employees, is processing personal data very often, do you think they have to comply with the GDPR?

Yes, if it's on a large scale basis. The working party guidelines have given us some guidance on what large scale processing means, and it’s not really large in terms of quantity but it’s based on your activity and the proportion on processing that data.

The example given by the working party describes this situation very well. Consider a hospital, where they take in patients and treat them. This, has nothing to do with data processing per se, a hospital is not a technology company. In a hospital, everyday patients arrive to be treated by doctors and when they arrive, leave or during any other process, the hospital records the patient’s information such as name and health information. The hospital collects data from the patients, sensitive data, and they hold and process this data. Their main business activity is treating patients, but because they process a large scale of data (sensitive data), they must keep a record of processing activity.

It’s not just based on the activity but it's whether you have to analyze your data processing activities.  

For us at Mailjet, processing data is the heart or the core of our activities. We turn around personal data, we turn out statistics. Based on our software as a service technology,  we consider that a big aspect for us and we must maintain this at a high level of security for our customers.

How many processing activities are there roughly for Mailjet as a software provider?

There is not an exact number, but we estimate it’s under one hundred activities around three different roles.

First, we process the data of our customers. This data is given to us by our customers when they type in about themselves, their company and credit card details to process their accounts. This data is collected based on the contract between Mailjet and our customers.

The second role is data processing of end recipients, i.e. the data subjects. In Mailjet, we send a large volume of emails on a daily basis on behalf of our customers. Those emails will be received by the data subjects because our customers have plugged in email addresses. There isn’t a contract between us and the end user, but we process their data on behalf of our own customers. In this case, we still have to respect the rights of the data subjects or end users.

And lastly, our third role is data processing for own employees and contractors. As a company, we treat and process HR related data about our internal processes and employees. This refers to the payrolls and other activities regarding our staff, and to do so our HR team processes personal data in that regard.  

How long did the whole process of Record of Processing Activities take?

For us, this was a very long process, taking several months and a lot of effort to complete it. We assigned a manager, who interviewed various people in different departments to have a better understanding of the data that we collect at Mailjet. Basically, he looked at the databases to find out the different sorts of data present. He identified the sub-segregated databases and what is stocked in each  of them, all of this taking time and effort to complete.

Did the RPA actually help you somehow? In terms of benefits, you already spoke about good business practices. But in general, did it actually help you in some way?

It helped us with our other obligations, to have a better understanding of the data that we hold. Furthermore, it also helped us identify and come up with better business decisions in terms of data retention and deciding which data is really necessary for providing our service.

What is critical to have this RPA process, before starting out this whole process?

The critical resources are time, human resources and authority to access to the data. Companies starting this process closer to the main deadline may not have enough time to do that because it usually takes plenty of resources and time.

For us at Mailjet, we can’t just ask anyone on the IT team. You need the right person, the one who has access and authority to see what is in the database. There are only specific people with access to the data in Mailjet.

Here is how Mailjet suggests you to get ready to start!

And how many departments and people were involved in this whole process?

GDPR compliance involves the entire organisation. It is not just a question of the legal department or the IT department. It is a collaborative process that involves various roles. You do need one or two people to spearhead the project. For us that was myself in the legal department, who took care of the organisation of the roadmap, then the data registry and to identify what information needed to be included.

Also very involved was the IT department, which in Mailjet, is divided into a development team and an operational team and headed by the CTO, Pierre Puchois. The operational team was in charge of implementation and modification of various IT processes.

Did you have the chance to talk to the marketing and sales departments because there are practices which involve them?

Yes, everyone has to be involved in taking Mailjet to GDPR compliance. Our compliance manager sat down with all the other managers, including sales and HR, and to get all the information you need them involved too and to rework the communication and processes internally.

People usually question whether or not to regularly update the Records of Processing Activities. How often is Mailjet’s Record of Processing Activities registry updated?

We have milestones rather than fixed dates to modify it. At the beginning, when we started the document, we updated periodically every two weeks, during the creation of the file.

Now, that the file is complete, we update at least every six to eight months, and before that if there’s a new product or feature designed with new specs, once the team gets the approval by the data protection side, an update to the RPA might be needed too.

Did you use any software to manage this RPA and become GDPR compliant?

Zero. No external tools were used.

The IT department had their own kind of IT tools - internally developed and maintained. They ran a search of the databases to discover all types of data stored (personal or non-personal data).

If you had the chance to do this via software, you would have chosen because it could have benefitted you in some way?

Yes, ideally, the more resources the better, especially when time is limited. And I think if we had less time at Mailjet, maybe we could have used a software to become GDPR compliant.

If you had a software, what would have been the first software that you would have used for different aspects in the obligations? Did you have any specific thing if there was a let’s say, a consent software, RPA, audit tool that would have got you started. Which software would that been in which direction  of the GDPR?

I've attended several conferences on the subject and I’ve seen different software out there. I think for some people who don’t know where to start, a management software could be the way to go. Also from the auditing aspect, it could be an interesting software because sometimes you need an external person or entity to provide analytical help as well.

One advice for companies that are starting their GDPR compliant process now?

One advice will be to choose the right third-party providers. Because it’s also your responsibility to have compliant third party providers. You could be in trouble if you don’t check or verify the other services you’re using. And you still have the time before May to make the switch to compliant providers.

Learn more on how Mailjet deals with third-party providers: here

About Mailjet: Mailjet is an all-in-one solution to send, track and deliver both marketing and transactional emails. Its cloud-based infrastructure is unique and highly scalable with a proprietary technology that optimizes email deliverability. Mailjet can be accessed either via an easy-to-use online drag-and-drop interface or via APIs that allow developers to integrate its features within their online app or service, or its sophisticated SMTP relay. Mailjet has offices worldwide (including Paris, London, Berlin, Toronto and New York) and 100k clients and partners across 150 countries.

Are you going to use any GDPR tool? Tell us, we can help.