I've been going through some GDPR stuff. Amongst other things, we
provide SMTP relay services to some customers, so are a 'Data Processor'
under GDPR. In itself, that's OK as our own operations are GDPR compliant.
But, how it interacts with email, it all seems to get very horrible. I
suspect the *intention* is OK, but I'm struggling with the actual
regulations.
If someone sends a message from the UK to someone in the USA, by
definition, we must send that email outside of the EU. When we send the
email, we are sending personal data (e.g. usually the name/email address
of the sender, never mind the content, which could be anything (outside
our control)). That causes issues for GDPR.
When we send the outgoing message to another mail server, that other
server's operator is also a Data Processor. According to Article 28 of
GDPR, we have to get prior approval of the Data Controller before using
them, and a responsibility to check that they are GDPR compliant.
Obviously that isn't going to happen in any feasible way...
Then there's the question about whether Internet connectivity/Wifi
hotspot providers are also Data Processors as they potentially have
access to the message data (including personal data) and could be
classed as 'processing' it.
Also, if a user is on holiday in the USA and downloads email to their
phone or in an Internet cafe, we are 'sending it outside the EU', so
again, GDPR has issues.
I thought it was all OK, but one of our customers asked us to sign a
contract for GDPR which prevents us from sending data outside of the UK
and from sending it to any other companies without prior written
permission. I've pointed out the problems to them, but wondered if
anyone else had come across this.
--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe