Mailjet’s activity is 100%-based on the use of personal data. Consequently, rather than waiting until 25 May 2018 and the entry into force of the General Data Protection Regulation (GDPR) before ensuring their own compliance, the French mass-mailing specialists took the proactive step of gaining AFAQ certification in advance. Darine Fayed and Yves Rocha, joint managers of the Mailjet compliance project, share with us their experience of becoming the first French firm to be certified.
What exactly does the GDPR mean for a company such as yours?
Darine Fayed: We’re specialists in the mass-sending of e-mails for major accounts such as Orange, Microsoft and Trivago. Essentially, our activities involve us using the personal data of their clients, such as their name, address, date of birth, etc. Since the GDPR also requires businesses to ensure that their contractors correctly observe the new rules, it was essential for our clients to see that we were complying fully with the new legislation. We started to put the relevant processes in place back in January 2017, as we didn’t just want to be ready on time; we wanted to be early!
What requirements did you have to meet?
Yves Rocha: There are many of them and they cover the entire processing chain. In practical terms, we need to enable every individual whose data we hold to be able to access, correct or delete this information. To be able to do that, we had to conduct an in-depth review of the way we operated. This involved the creation of a data processing register, the overhaul of our IT processes… Because in the event of an inspection, we need to be able to prove without any unnecessary delay that we’re fully compliant with the requirements.
Why did you want to obtain AFAQ certification on the protection of personal data?
Darine Fayed: Because it constitutes a guarantee, an invaluable element of proof for our clients. It shows that we’re pulling out all the stops in order to comply with the legislation. And the effects speak for themselves, because as well as excellent feedback from our existing clients, prospects who were in the process of signing up with competitors in the end chose to work with us, as the certification reassured them and offered them security.
What does the audit consist of?
Yves Rocha: In March 2018, we underwent an initial two-day evaluation with AFNOR Certification, with the aim of taking stock and assessing the work that remained to be done. For us, this essentially consisted of completing the data processing register to make it more exhaustive. The real audit took place in May and lasted a day and a half. All of our processes were scrutinized using real cases, as the AFNOR Certification auditor followed the path between the sending of a batch of e-mails, the receipt of a request for deletion of data and the actions which we then conducted in order to honour it.
Which aspects were the trickiest to comply with?
Darine Fayed: The monitoring of our own suppliers, as we had to satisfy ourselves that they were all fully compliant with the regulation. We started by listing our 80 suppliers, before studying their confidentiality policies based on the documentation provided. Some were already compliant, while others signed a charter of commitment to become so. A few of them proved to be such a long way from the good practices required that we had to end our relations with them. Now, it’s our duty to continue to ensure that they remain in conformity over time.
What role did AFNOR Certification play?
Darine Fayed: They provided solid support and precious advice that helped to guide us on the path towards certification. The audit was tailored to our particularities and we saw the real effort they made to understand our environment, our issues and our profession. The conclusions put the reality of our activity into perspective with the requirements of the GDPR.