What is Return Path doing to prepare for the General Data Protection Regulation (GDPR)?

This document is being provided for informational purposes only. Nothing in this document shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by Return Path, Inc., or any affiliate of Return Path, to you or any other person or entity. It also does not guarantee that your email and/or any other aspect of your business is in compliance with state, federal, or International laws. Return Path makes no representation, warranty or commitment that any message you send to end users will be delivered. This document is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.

Return Path is committed to complying with the GDPR and global privacy laws. In order to prepare for this new regulation, we have implemented the following:

  • Global privacy law compliance: Return Path currently complies with global privacy laws through the implementation of Model Contract Clauses as well as our membership in the EU-US and Swiss-US Privacy Shield. Our privacy team has spent the last year and a half preparing to comply with the GDPR. 
  • Privacy by design: As part of its GDPR project, Return Path is enhancing its ongoing commitment to privacy by design. Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR.
    • At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The controller shall..implement appropriate technical and organizational an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'.
    • Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.
  • Privacy Impact Assessments (PIAs): We are working to embed data protection principles even more deeply into our business processes using PIAs, with the objective of limiting the amount and use of data from our consumer panel to what is minimally required.
  • Privacy council: We created a group of internal stakeholders from across the organization in order to help us educate teams on privacy rules, confirm implementation of required practices, and ensure that we have top down/bottom up buy-in for our privacy program.
  • Privacy mission statement and operations: We have internal data handling policies in place as well as a Privacy Operations Manual, and a formalized charter and mission statement in order to express our commitment to compliance. They include our objectives, key performance indicators (KPIs) and obligations to the organization, our clients, and our partners.
  • Clear and concise opt-in: We are always working on improving our commitment to our clients and visitors to our sites through simple, easy to read policies and clear consent and opt-in practices.
  • Organizational guidelines and compliance: We are working closely with our legal department, marketing, product groups, and human resources to ensure that guidelines are being closely followed and that we have the necessary pieces in place to achieve and maintain compliance.

If you have questions or would like more details, please feel free to reach out to us directly at


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request