How to Properly Implement GDPR for Customer Communications

The General Data Protection Regulation (GDPR) was big news for companies when it came into effect in 2018. It aimed to put more controls on how organizations manage the personal data of their EU-based users. Since the law’s enactment in 2018, some US states, such as California and Virginia, followed suit and passed their own data privacy laws for their respective residents. Companies that do business in those regions now have to ensure they comply with these legal requirements.

This post is the third in a series about what developers need to keep in mind when sorting out security and compliance for their application. The first article in this series covered how to build security for user communications, the second was about compliance certifications and regulations for SaaS apps, and this one is all about GDPR and customer communications. GDPR and similar regulations cover all communications from a company to its customers and prospects, including marketing and transactional notifications. If you are considering sending notifications to the users of your SaaS application, whether via email, push, or a Slack bot, you need to keep GDPR in mind when building your service.

In this article, we cover the implications of GDPR for your customer communications in more detail.

GDPR covers broad swaths of user data

The GDPR serves to protect the personal data and privacy of individuals. While it applies to the European Union, global companies still have to comply with the regulations if any of their customers are EU citizens or residents. The law applies to the handling of data, including its storage, transmission, and analysis. So, if your SaaS company collects any user information, for example, email addresses or phone numbers, and some or all of your users are based in the EU, you must comply with the GDPR or face significant fines.

The GDPR applies to “identifiable information,” which is defined as a person’s name, identification number, location data, online identifier, or information regarding their physical, physiological, genetic, mental, economic, cultural, or social identity. As you can see, many types of data can fall under the regulation’s scope. For example, even if your organization is just tracking the IP addresses of visitors to your website, you have to comply with GDPR standards.

The cost of noncompliance with GDPR

The GDPR obliges organizations around the world to seriously question what forms of data collection are absolutely necessary. Companies need to ask themselves which data to collect, how to process it, and how exactly they will use it. The penalties for noncompliance are steep, as Facebook and Google have already found out. The fines can reach 4% of a company’s global revenue. These fines are as high as they are so that organizations don’t just accept them as the cost of doing business in the EU. The goal is to change how companies manage data and bring the power of data privacy to the general public.

While the tech giants have been the primary target of the EU compliance bodies so far, all SaaS companies could be checked for compliance with GDPR in the future. Because most SaaS products send customer communications that include personal and identifiable information, it’s critical to be in compliance to avoid potentially massive fines.

What’s the best way to avoid GDPR noncompliance when sending user notifications? Know what compliance with GDPR involves, and get ahead of any issues. We offer specific suggestions below.

What does GDPR compliance look like for customer communications?

Your approach to customer communications should be based on chapter 3 (Art. 15–23) of the GDPR, which outlines the rights of “data subjects” (the individuals whose data you’re collecting). According to that chapter, your strategy should include a clear privacy policy, granularity of consent, data storage compliance, and audit logs.

Covering customer communications in your privacy policy

An easy-to-understand privacy policy is one of the tenets of the GDPR. The policy should be written in clear language, freely accessible to the public, and absolutely transparent regarding all handling of data. The GDPR even stipulates that this privacy policy should be readable by children.

The privacy policy also needs to cover your customer communications, including marketing and transactional emails, push notifications, and other types of notifications, as they form an integral part of your SaaS application. Make sure you are transparent about customer notifications in the policy. This includes listing third-party services you might be using for notifications, retention periods for notification data, and ways to access the notification preferences.

While not directly related to the privacy policy itself, it is a good practice to spell out how exactly your customers will get notified of changes to your privacy policy. (This is getting quite meta — we know!)

Check out Courier’s privacy policy for an example of a privacy policy for a SaaS service.

Granular consent

To comply with the GDPR, companies need to ask their users for granular consent. For example, websites have to notify users that their data will be collected and provide a link to the privacy policy. Customers must be able to reject data collection strategies like cookies on a case-by-case basis.

The granular consent requirement also applies to customer communications, specifically the channels of notification. In our series on notification preferences, we wrote about why you should let users choose which notification channels they want to use and when in order to avoid mass opt-outs from all notifications.

To keep more users subscribed (and meet your GDPR obligations), let them choose which channels or, even better, which specific notification types to opt-out of.

Data storage and retention

When it comes to data storage, the GDPR stresses the importance of cybersecurity best practices. If your SaaS company stores data on physical servers, then you need to control physical access. And if you take the more modern approach of storing data in the cloud, the storage services themselves need to be compliant with EU-based policies. Additionally, you need to include password control, firewalls, and data encryption in your organization’s risk management process.

Therefore, you should store the data you use for customer communications, including names, email addresses, and phone numbers, following the best practices while also allowing customers unobstructed access to their data if they request it. Access to the data does not have to be automated through an API endpoint or a menu in the user interface — it can also be a script that your support team runs manually, for example, or a Slack bot command. However, if the volume of customer requests for data increases over time, you should consider automating the handling of data access requests.

Customers can also request that their data be deleted (also known as “the right to be forgotten”). If you receive such a request, remember to clean up the customer’s data from all downstream providers and services that you might be using for customer communications, from email providers to push notification endpoints.

Audit logs

The GDPR requires that companies keep an audit trail of everything that happens to their customers’ data — that is, records of when and by whom the data was accessed and for what reason. The logs will prove invaluable if you’re trying to show compliance or improve your chances of clearing an investigation if an incident occurs.

Consider including actions around customer communications in your audit logs. For example, the sending of a notification to a particular channel should be logged as an auditable event, ideally along with the reason why the notification was triggered. We also recommend logging any changes to customer preferences, whether your application changed or the user made the change themselves.

Conclusion

The whole point of the GDPR was to force organizations to think about how they manage user data. Gone are the days when companies could do whatever they wanted with the data they collected. With US states following in the GDPR’s footprints and voluntary compliance standards such as ISO 27001 becoming more prevalent for competitive SaaS companies, handling customer data with care is no longer a choice.

At Courier, we believe that we need to maintain the utmost compliance standards and transparency for customer communications, not just for the sake of our product but also for all of our users. Not only do we comply with legal standards like the GDPR and the California Consumer Privacy Act (CCPA), but we also push further, like when we recently became SOC2 Type 2 compliant. To stay in compliance and deliver a great notification experience to your customers, learn more about how we approach it.