We sat down with Julien Champseix and Arthur Poirier at Brevo (formerly Sendinblue) to discuss all things data security — from following regulations to preventing cyberattacks, and sharing our own approach to global data security. In the second of our three-part Conversations with the Experts, we take a closer look at what data privacy means for small businesses.
Meet our data security experts
Julien is Chief Information Security Officer at Brevo. Since starting his position one year ago, Julien has overseen Brevo’s ISO 27001:2013 certification and continues to reinforce the company’s data security framework.
Arthur is Brevo’s Legal Manager and Data Protection Officer, ensuring GDPR compliance at Brevo as well as supporting clients’ conformity.
There’s so much to keep up with in the world of tech and data security. What are ways for small businesses to stay current with best practices?
Julien: There are some good websites that report on the latest security news, like The Hacker News and Bleeping Computer. Depending on the size of your team, having a mobile device management (MDM) solution and antimalware/antivirus software are also worthwhile investments.
From there, I’d recommend setting up an internal communication channel dedicated to cybersecurity updates. At Brevo, we have a Slack channel where I share news about high-profile data breaches, internal security policy updates, and general best practices. The benefit of this is keeping data security top of mind among employees and making sure everyone is able to recognize malicious activity.
Depending on what your small business does, you may want to look into specific types of threats for your industry and set up watch programs to stay current.
What is Brevo’s strategy for staying up to date on the latest best practices, norms, and threats in cybersecurity?
Julien: We’ve set up monitoring across various business and cybersecurity media and blogs, so as soon as anything’s published about a leak or breach, we know about it.
I’m part of a group of other information security experts across Europe where we discuss common threats and risks, our experiences using different software tools and applications, and what we’re doing in terms of protection. It’s a really great space for staying current and learning from one another.
We also attend conferences like the International Cybersecurity Forum, where service providers, end users, policymakers, consultants, schools and universities come together to discuss the latest in cybersecurity issues.
Upholding your GDPR responsibilities as a small business
Under the GDPR, individuals have rights over their personal data and can request certain actions from organizations handling their data. What kinds of GDPR-related requests can small businesses expect?
Arthur: These are known as ‘data subject requests.’ The ‘data subject’ is the individual whose data it is. Data subjects can ask you to correct or delete their personal data; they can request a copy of their data to download; they can request to no longer receive communications from you; and they can request to know exactly what you do with their personal data. As a business handling your clients’ personal data, the GDPR makes you responsible for answering to these requests.
By far the most common way people exercise their GDPR rights is by unsubscribing from a newsletter. To make everyone’s lives easier, Brevo includes an unsubscribe button in every one of our email templates. And when a recipient clicks ‘Unsubscribe,’ they’re automatically blocked from that client’s contact list.
Do you have any tips for how small businesses can handle other types of data subject requests?
Arthur: So this will depend on a lot of factors — where a business is located, where their customers are, what kind of data they’re collecting, what software tools a business uses, and so on.
At Brevo, we actually get a lot of data subject requests from our clients’ clients, but we’re not allowed to take action without being instructed by the relevant Brevo account.
So what we’ve done to help our clients manage their data subject requests is set up a process that first identifies which of our clients is responsible for that individual’s data. (We often have individuals who are on multiple clients’ lists, but they don’t necessarily want to be removed from all of them.) Then, we inform the client saying ‘this person has requested xyz.’
What’s really valuable for our users is that they can respond to the request natively within the Brevo platform. Depending on the request, you can export and share the data, delete it, delete logs, adjust log retention — all at the click of a button.
How does the GDPR affect businesses outside the European Union?
The GDPR protects the personal data of individuals located in the European Union. Even if your business isn’t in the EU, you must abide by the GDPR for any EU-based customers you have.
Leveraging GDPR as a small business
For non-European businesses in particular, GDPR can seem like a set of overly complicated regulations. How can small businesses leverage GDPR to both protect data privacy and improve overall efficiency?
Arthur: GDPR shouldn’t put a strain on businesses — it’s intended to protect personal data, but that doesn’t mean it’s ‘anti-business.’ It’s actually reinforcing a lot of general good practices.
When collecting contact information, the GDPR and other privacy laws such as ePrivacy require you to ask for consent before sending electronic communications to an individual. Beyond the GDPR, though, this is something all businesses should do. It shows respect for your clients and leads to better communication in the long run. (Sending unsolicited emails never gets you very far.)
The GDPR also requires you only collect necessary information. Ask yourself, ‘Do I really need this information to achieve my specific goal?’ For instance, you might need an email address and a first name to send a newsletter, but not necessarily a last name or a date of birth. It’s personal information that you won’t use and will just clutter your database. Collecting too much or irrelevant information might also send the wrong message to your prospects and clients.
More than anything, deleting data regularly will save you from significant bills for storage or maintenance services. It’s both safer for your clients and cheaper in the long run.
Lastly, applying GDPR to your business means committing to a strong standard of data protection rules, recognized in Europe and beyond. Just like Corporate Social Responsibility (CSR), privacy and GDPR compliance have become new criteria for consumers when it comes to deciding whether or not to do business with a company.
The balancing act of small businesses
Small businesses may find themselves in a tricky situation when it comes to data privacy. Honoring customers’ trust and loyalty is always a top priority, but finding the resources within a small team to ensure robust data security may seem like an impossible challenge — it doesn’t have to be, though.
Careful consideration of your software solutions and sub-processors is the best course of action to preserve your customers’ data privacy. Look into how your email service provider, online marketplace, and CRM process personal data to be able to provide full transparency to your customers.
And thanks to a wealth of resources online, small businesses can learn about cybersecurity best practices, implement them within their teams, and contribute to a culture of cybersecurity awareness.
Check out Part III of our Conversations with the Experts to learn about Brevo (ex Sendinblue)’s approach to data security.