Is Your ESP GDPR compliant? Here’s How To Find Out

Have you investigated if your email service provider is on the right side of the law with the new GDPR?

Under GDPR being compliant means that you need to have a GDPR compliant email service provider and you need to be fully prepared or you both will be at risk of fines.

You’re Only As GDPR Compliant As Your Email Service Provider

The GDPR regulation will come into effect on May 25th, 2018. So you need to be fully prepared. Becoming GDPR compliant means implementing changes to various areas of your company. Such areas include, for example, updating your privacy policy, training staff to be fully aware of what GDPR entails, and implementing stricter security measures.

When it comes to selecting an email service provider, the new GDPR rules around for third party providers are the ones to pay special attention to.

More companies are using third party providers than ever before. Third Party Providers range from cloud hosting solutions, CRM systems, Marketing Automation systems, chat messaging services, to email service providers. Under GDPR, being compliant means that you need to have a GDPR compliant email service provider, or you both will be at risk of fines.


The penalties for non-compliance are worrisome. Those who do not comply with it, will be penalised with fines up to €20 million or 4% of annual global turnover, whichever is greater. Other consequences include legal and reputational risks to your organisation. There have already been some GDPR fines.

But how exactly do you vet this? A part concerns all Third Party Providers, while a second with specifically the Email and Automation providers, but it starts with a deeper understanding of GDPR.

Remind me what’s GDPR again?

For those who are not completely familiar with it, GDPR is a regulation the European Parliament, the Council of the European Union and the European Commission have implemented to strengthen and unify data protection for EU residents. This legal framework replaces the current EU Data Protection Directive with additional requirements – some of those being new obligations. GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based.

In a survey we carried out in order to find out if people were getting ready for the regulation, results showed that although 91% of startups collect personal data, less than a third of them (29%) encrypt such data. Only 47% of participants reported always asking customers for consent prior to contacting them, and only 50% make it easy for customers to withdraw their consent. Such results are a clear sign that many are not ready for the regulation to come into force. This is why, you should choose your partners carefully.

Is my Email Service Provider GDPR compliant?

The first step, into vetting your email service provider or Marketing Automation provider is understanding how to assess Third Party Providers (in general). We’ve broken these steps down into a handy list below.

1. Conduct a 3rd Party Provider Audit: Make a list of all external service providers and applications you use across all departments of your business. Example: CRM systems, cloud hosting, email providers, automation tools.

2. Develop a 3rd Party Provider Inventory List: Create your master inventory list. For each provider identify (1) What type of data is concerned (2) What data protection measures are in place (3) Who is responsible in your company and what their access rights are.

3. Map Out The Path Your Data Takes: Using the information in your inventory list, assess (1) which data is being shared with external providers (2) how that data is being processed and/or stored by external providers. This allows you to ask better questions in the next step and also be more transparent with your clients.

4. Find Out How Compliant Your 3rd Party Providers Are: Get in contact with ALL 3rd Party Providers to determine their level of GDPR compliance. An efficient way to do this is sending them a questionnaire. The specific questions you may want to ask depend on the type of provider you are vetting. However, there are some general questions you should make sure to ask all Third Party Providers you collaborate with, when it comes to GDPR.

Here are 13 example GDPR questions you can use to develop your own:

  1. Where are your data and applications stored?
  2. Is that data ever moved out of the European Union?
  3. Do you ever transfer data between data centers outside of the EU?
  4. Do you always inform me when my data is being transferred?
  5. Do you have a Data Protection Officer?
  6. How do you handle data breaches, do you have a process?
  7. What data controls and risk management processes do you have in place?
  8. How do you manage the version release process on your platform to ensure adequate level of data protection?
  9. Who can access our data, under what circumstances and what can they see? Is this access tracked?
  10. Can I audit your security and technical measures on the protection of data?
  11. Do you have in place a security breach notification process?
  12. Do you currently adhere to Binding Corporate Rules?
  13. Do you have measures in place to become GDPR compliant in time for May 2018?

5. Decide How Risky Each Provider Is + Take Action: Evaluate the responses given by your 3rd Party Providers with the purpose of identifying whether they meet the security and privacy regulations set out by GDPR.


Once you’ve carried out the above steps, you should be able to come to a conclusion on whether your third party providers are GDPR compliant or not. But the fun’s not done yet…

Even if they meet the requirements, you should still identify if you need additional components in your contract with them, like additional security clauses, restriction of transfer of data clauses, or termination of contract for non-respect of data protection laws. If they don’t meet the requirements, it’s time for you to seriously consider a new ESP.

Subjects should have the right to retrieve the personal data they have provided, and they should be able to give such data to other service providers, without the first one exercising any control over it.

Questions To Ask Your Email Service Provider To Find Out If They Are GDPR-Ready

Keep in mind, not all third-party providers are created equal. Some you will share more personal data with, and some less. But when it comes to email providers, an email address is usually personal data in itself and therefore email service providers in particular MUST be vetted.

Any GDPR-compliant email provider, must be ready to handle a number of incoming questions from email marketers and business they serve, as well as their customers (who’s personal data you store). Asking your ESP if they are ready to handle the following questions will give you a strong sense of if there are really ready or not!

Right to be Forgotten

According to article 17 of the GDPR, a subject should have the right to request for all of their personal data to be deleted. This allows data subjects (including your email subscribers) to have more control over their data.

  • How can recipients be removed from a specific contact list?
  • How can recipients be removed from all of your databases (all contact lists)?
  • Can data sent by subscribers to your services not be retained or retained only for a specific amount of time?
  • How can users be removed from all of your databases and files?
  • How do you handle confidential information?
  • Do you have measures in place that allow for data to be anonymized?
  • How can sub-accounts be removed for all of your databases?
  • Can an employee ask for all of their data to be removed?

Right Of Access

In addition to have the right to request for their personal data to be deleted, article 15 states that subjects have the right to access and retrieve the personal data they have provided.

  • Can a data subject request to access or recover their data?
  • How do you facilitate and ease the process of account access and deletion? Is there any feature to make it easier?

Right To Rectification

According to article 16, subjects should have the right to rectify, change or complete their personal data at any time. In the case of an ESP, this includes the possibility to unsubscribe from a mailing list at any time, as well as update other preferences. To safeguard this, you would like a way to ensure no one removes these options from the email.

  • Do you allow for an account to be transferred from one user to another?
  • Do you allow for the unsubscribe link to be removed from your newsletter templates?

Responsibility of The Controller

According to article 24 of the regulation, service providers shall be able to demonstrate that subjects have consented to processing of his or her personal data and they should be able to demonstrate that processing is performed in accordance to GDPR.

  • How do you gather and store proof that all of the contacts in a specific list have been added with the consent of the recipients?

Minors Consent

GDPR considers children as vulnerable subjects, as they may not be fully aware of the consequences of divulging personal data. Therefore, article 8 states that for subjects below the age of 16, data processing is only lawful when consent has been given or authorised by a parent or guardian.

  • How do you protect minors (as clients or recipients) from putting their personal data at risk?

Information Not Provided Directly By The Subject

Along with access to the data they have provided, according to article 14 subjects have the right to be informed about, and provided with, all of the data that has been collected from them.

  • How can you provide your recipients with a list of clients who have them as recipients?
  • How can you provide recipients with details on tracking data collected through your platform?

Answers to these questions should help you define if your Email Service Provider is GDPR ready or not. Always remember, that your own compliance can depend on the compliance of your ESP. So, with GDPR around the corner, it’s time for you to choose the Email Service provider that will really support you on your road to data privacy protection.

A note about in-house systems

If you are running a custom or in-house email marketing system, it might be time to consider switching to a commercial ESP or start adding features to your in-house system to manage the requirements of the GDPR.

Does all this sound like an awful lot of work? We are here for you. Feel free to ask any questions below, if you have any doubts, or leave a comment to help other readers.

About Laura Chieri

Marketing Assistant at Mailjet in the UK. Italian born, I have Brazilian and English blood flowing through my veins. I have earned the nickname of Cactus because I can be prickly at times. Now, the Saguaro has become my spirit, ahem, plant. ?

Enable registration in settings - general
Compare items
  • Total (0)