This article provides an overview of Brevo's initial and ongoing initiatives to ensure our own GDPR compliance as your data processor, as well as our efforts to support our users' compliance as data controllers.
To learn more about what GDPR is and why it may be important to you, check our dedicated page Stay GDPR-compliant with Brevo.
These initiatives focus on five key areas which are outlined in detail below:
- Key features
- Management of partners and processors
- Legal documentation
The adaptation of key features
Brevo identified the key GDPR milestones to meet by collaborating with a sample of our users, our account managers, the product team, the technical team, and our legal counsel.
The duty of providing information in the context of accountability
These resources are available on the platform to help users be compliant in the key usage steps of our platform:
- Importing contacts
- Building email subscription forms to acquire consent from contacts
- Creating email campaigns to send to subscribers
A GDPR-specific section has been added to the help center, and we continue to organize regular informational webinars on the subject as well.
The right to rectification, portability, and to be forgotten
The rights to rectification, portability, and to be forgotten have been well established for several years. Therefore, we don’t have any operational changes related to these rights. However, as indicated above, we have provided more details on the modalities of exercising these rights.
Email subscription forms
Special attention was given to email subscription forms during the compliance process because it is such an integral part of compliance for our users.
Proof of consent
Once the contact information is collected, proof of consent will be available in the contact profile.
Each contact profile will include the exact moment of subscription and the ID of the form used to subscribe. This information will be exportable to allow Brevo users to provide easy proof of consent if necessary.
Notification of violations of personal data
In the event of an accidental or unlawful breach of security resulting in the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data processed by Brevo, Brevo undertakes to immediately notify the User within 72 hours of the detection of the incident.
In such circumstances, and in consultation with the User, Brevo undertakes to put in place the necessary data protection measures and to limit any negative effects on the data subjects.
Brevo undertakes to provide the User with all reasonable information and assistance to enable the latter to comply with its obligations to notify the data protection authorities and, where applicable, the data subjects.
An advanced security review
We know data security is a sensitive issue for many, which is why it has always been one of our top priorities. The GDPR has empowered us to take this priority even further: ensuring airtight data transfers and data storage as well as improving data monitoring and control for easier and more secure access for our users.
To prevent data breaches, it’s necessary to have tight control over the data processing that occurs on our platform.
Using data tracking and log identification, we have enacted a data traceability system across all of the data processing procedures on our platform.
Additionally, we sought to maximize the security of our users’ archived data. This data is now being stored in separate databases and the personal data has been encrypted.
These archives are stored solely for legal purposes. Once the retention period completed, the data is purged from the database.
The management of our partners and processors
One of the main principles introduced by the GDPR is shared accountability. This essentially means that all stakeholders, whether they be the controller (the party who determines the purposes and means of the data processing), or one of the processors further down the chain, carry a portion of legal responsibility since the processing is being performed on personal data.
Carrying the dual role of controller and processor, Brevo is required to approach the principle of accountability from both sides.
As a processor, we have established means to guarantee GDPR compliance across our entire chain of data processing with all of our partner software providers.
As a controller, we must also guarantee the compliance of our own processors with the new regulations. Consequently, we contacted processors with specific questions regarding their data processing methods. This has allowed us to ensure that their procedures surrounding the processing of our data are in line with the GDPR and the commitments we have to our customers.
We ceased collaboration with any processors who were not able to provide satisfactory responses to our questions.
Once we were able to receive satisfactory responses from our other processors, we contractualized our requirements with DPAs (Data Processing Agreements).
The DPA is a document specifying the type and methods of data processing being carried out by the processor on behalf of Brevo, which makes it possible to ensure a legal framework and data traceability.
For our processors located in the United States, we have also verified their Privacy Shield certification, which is a necessary condition for processing the data of European citizens.
A processor clause has been drawn up and appended to our Terms and Conditions in order to detail the role and responsibilities of Brevo vis-à-vis our users as a third-party service provider.
The internal implications of the GDPR on the Brevo organization
The GDPR also compelled us to optimize our internal organization and come up with best practices and procedures that support the main principles put forth by the regulation.
Certain individuals in Brevo have roles that require privileged access to personal data.
For example, account managers might need to access certain elements of a user account in order to answer a support question.
We have started by expanding the confidentiality clause in the contracts of salaried employees and facilitating training sessions.
The training includes a general overview course on GDPR requirements, as well as specialized training courses designed to build off of the initial training for specific teams that deal with sensitive data on a regular basis.
This provides all personnel with a clear understanding of their obligations with regards to the new regulation.
Internal procedures and controls
In order to ensure a smooth application of our compliance measures, we reviewed all of our internal procedures surrounding the management of employee access to personal data, the handling of requests from individuals seeking to exercise their rights regarding their personal data, and the processes involving the preservation and purging of data.
A control plan has been established to regularly verify the proper application of these procedures and the updating of the corresponding documentation.
The nomination of individuals charged with maintaining proper compliance
The implementation of our compliance measures was managed by our Chief Operating Officer. In parallel, our DPO (Data Protection Officer) is responsible for ensuring Brevo’s continued compliance with the GDPR over time.
It is also the DPO’s responsibility to monitor the application of the different aspects of the regulation and ensure that we respect the main principles of the GDPR, particularly the principle of “Privacy by Design,” which refers to the compliance of a data processing procedure before it’s actually implemented.
Our DPO will be assisted by a SecOps for aspects specifically related to data security and traceability. If you need to get in contact with our DPO, he can be reached directly by email at firstname.lastname@example.org.
Current status and next steps
GDPR compliance, in itself, is never truly finished. It’s an ongoing process that requires regular monitoring and confirmation that the principles of the law are being upheld internally with our current data processing, as well as continued evaluation using the criterion of Privacy by Design for each new procedure that involves the processing of personal data.
Brevo is proud to have accomplished the first part of the challenge. We will continue to maintain our dedication to compliance in order to remain a trusted third-party software provider for our users.
Undertaking this massive compliance operation has provided Brevo with several benefits, including:
- Rallying our entire organization around a common goal and collaborating across different teams in order to achieve it
- Implementing even more rigorous procedures around our data management and processing to continue improving our security
- Quickly achieving compliance with the help external partners
- Performing an innovative assessment of our network security and implementing the necessary corrective measures
- Reinforcing the link between Brevo and our users by providing the tools necessary for GDPR compliance in our platform
Brevo is an organization comprised of more than 400 people, and we are all committed to ensuring the security and confidentiality of the personal data entrusted to us. We take this responsibility seriously as part of our core mission to provide an all-in-one digital marketing platform for small and medium-sized businesses to grow and succeed.