For our first interview of 2020, we’re excited to get the chance to interview Darine Fayed, Head of Legal & DPO at Paris-born Mailjet, which was recently acquired by San Antonio-based Mailgun. Darine is a privacy and data protection enthusiast and a guest author at MarTechSeries, and she helped Mailjet become the world's first AFAQ GDPR-certified company in 2018.
Mailjet is a powerful email service provider that ensures maximum insight and deliverability results for marketing and transactional emails. Founded in France in 2010, Mailjet serves more than 130,000 clients worldwide in 156 countries, sends close to 1 billion emails every month and is trusted by companies like Honeywell, Product Hunt, Microsoft, MIT, Algolia, Mention, ... 🚀
- Name: Darine Fayed (Attorney, J.D. Law, B.S. Finance)
- Role: Head of Legal and DPO at Mailjet
- Website: www.mailjet.com
- Twitter: https://twitter.com/DarineFayed
- LinkedIn: https://www.linkedin.com/in/darinefayed
What is your background?
Attorney licensed in Washington, DC & Maryland USA since 2003, then more recently in Paris, with experience in international contracts, corporate law and data protection, I have worked throughout my career within several notable global law firms. I joined the Mailjet team as Head of Legal in July 2016 to oversee all the company’s legal matters and to put in place a solid organisation. I then became their Data Protection Officer in July 2017.
Having a bachelor's of science degree in Finance, I am proud of my strong business sense to help the company identify proactive solutions all the while protecting its interests and managing the impact of external factors.
Since coming onboard at Mailjet, I have put in place internal corporate governance policies as well as the company’s data privacy and protection measures, ensuring GDPR compliance well before the deadline in 2018.
How did you end up at Mailjet?
I previously worked at traditional law firms as an attorney for years, but always knew that I would eventually end up as in-house counsel in a fast-paced company. My passion for data protection and international contracts steered me to the role at Mailjet - and the dynamic culture pulled me in wholeheartedly.
How would you define your role?
As the General Counsel, I’m responsible for all things legal within the company while at the same time protecting its interests against outside risks.
My role is ever-changing, since there is not a mundane aspect to it - I deal with various subjects on a daily basis from international contracts, data privacy, digital marketing, intellectual property to insurance coverage!
Your day to day habitat
Do you have a separate compliance/data protection team?
Our Privacy team officially consists of myself, one member from my Legal team as well as one member from the IT quality team.
Data protection and compliance involve in reality more than one specific department, as it is a correlation of many aspects of a business - including IT, Legal and Operations.
So we invite various “guest” team members to our privacy audit committee meetings, in order to involve the important actors in the business on key decisions and procedures. It is this intertwined collaboration that allows us to best tackle all data protection aspects within our organisation.
What was key to the preparation for GDPR last year?
The elaborate planning was the key to success. As with any compliance program, GDPR required a solid project management process at the onset and I took it upon myself as the Data Protection Officer to spearhead that project.
We had the opportunity to identify very early in 2017 the need to be in compliance with the upcoming general data protection regulation. So without having any time constraints in the process - as many other organisations who took more of a late start had to grapple with - we proceeded to establish a compliance road map with realistic target dates. Then it was a matter of proper implementation.
The challenges were many, including having neither a set-aside budget for our compliance efforts nor the internal resources; so our small privacy team was extenuated. The other major challenge was the audit of our third party providers. This in itself was a much more cumbersome task than we originally anticipated.
But notwithstanding these challenges, we were able to assume the complexities in the roadmap and were able to achieve compliance within the defined timeframes - leading to being certified as compliant by AFNOR Certification on our GDPR obligations in April 2018 - before the effective date of GDPR in May! Proud of this accomplishment! 👏👏
What are the biggest mistakes you see other companies make?
I can’t claim to be GDPR omni knowing, but a common mistake made is not devoting enough importance or resources to one’s data privacy compliance. Many companies have shrugged aside their full compliance - not only for lack of resources - but also as they feel immune to any possible fines or levies from the Data Protection Authorities.
It’s a myth that these Data Protection Authorities target only the GAFA and Fortune 500 companies. They receive complaints daily from European citizens on non-respect of their data protection rights by SMEs, so small companies are also at risk and should be respecting the data protection laws just the same.
What metrics do you care most about in your role?
Together with my team, we try to create impact on
- Customer and prospect satisfaction
- Revenues (Spend to Budget metrics)
- Organisational reputation/brand image
- Risk minimization / Litigation exposure
- Outside Auditor evaluations
- Outside counsel spending expenses
What’s the hardest part of managing privacy for global platforms like Mailjet?
The biggest challenge I’d say for our privacy compliance is the management of third party providers. We had created from scratch a centralised “purchasing” department within the Privacy team to better manage the global teams’ providers, vendors and online applications. These providers include for example the CRM, the payment solution service, the IT open source tools, the marketing analytics tools, HR payroll system, etc.
As a result of these wide ranging providers, we put in place an on-premise and third party applications management procedure for the entire company to follow and to have a better handle on the management. But to implement such a procedure was laborious, as we had to audit more than 60 providers at the time, which included sending them third party questionnaire forms in order to determine and analyse their security measures and any associated risks.
The process to implement took over 8 months, but today, through our controls and risk assessments, even though the task remains a challenge, the procedure runs more smoothly and the company now as a whole has a global view of its approved providers/vendors.
How do you keep track of or manage the internal usage of SaaS applications?
The on-premise and third-party applications management procedure that was put in place in February 2018 helps us to assess, select, and review our providers and applications.
The aim is to ensure that all our on-premise and third-party applications provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that meets our strict security and data privacy requirements.
As DPO, I send out periodic newsletters internally to all employees, to remind folks of the procedures and rules in place internally to follow. This is important to continue to maintain a solid data protection-driven culture within the organisation.
What’s next for customer privacy at Mailjet?
Data privacy and security is one of our pillars at Mailjet and our commitment on that front to our customers will continue for the long term. Being recently acquired by Mailgun, we are joining forces to continue that commitment across borders in expanding our footprint to a more solid emailing solution.
The teams will continue to instill quality and control into the established data privacy and security procedures, and continue to develop new features for our customer base with data privacy by design at heart. The challenge for us is the merger of the two data protection systems into one, all the while continuing the business functions without interruption in parallel. We are definitely up for this next challenge!
What should we expect in 2020 regarding privacy, data protection or compliance?
- The ePrivacy Directive is the next compliance regulation in 2020 at the forefront of many people’s preoccupations. The fact the law is still being drafted has many anxiously awaiting its outcome. But companies should start considering now the actions they should be taking. How will customer privacy change over the next ten years?
- Brexit is also still a subject since EU model clauses or other protection mechanisms should be put in place in the next few months.
- 2020 will still be an exciting time for data privacy since more fines will be issued under the GDPR and case law will start to develop.
Do you think demonstrating transparency to your end customers or prospects will increase trust? If yes, how?
Transparency is key.
Being transparent vis-à-vis your prospects and customers helps gain confidence in your brand, allowing them to understand more clearly how you process and treat their personal data. This openness will be appreciated and will certainly lead to brand loyalty as customers generally only seek those services they feel are respecting their rights.
Which companies do you admire for their privacy approach and why?
Being implicated in the data privacy community, I had the opportunity to create in 2017 a data privacy working group consisting of a dozen or so Heads of Legal from various technology SaaS companies in preparation for GDPR compliance. Many of these companies shared the same passion for data protection and transparency and helped define the approach to take in our compliance efforts.
How do you demonstrate compliance to customers?
The principle of transparency again here is key. It is important to clearly communicate on one’s website and through privacy pages how clients’ data is handled and treated and what measures are in place to ensure solid data protection.
- Since at Mailjet we process large scale personal data daily (sending millions of emails per day), this was certainly very important to our customers and prospects. We decided that not only communicating clearly on our website was needed, but having an outside third party auditor report and certificate would establish more credibility to the outside world.
- Hence, the reasoning behind our obtention of the AFAQ GDPR certification in 2018.
What’s the hardest thing about defining a customer privacy framework for end-users?
In today’s highly driven technological landscape, with the use of trackers, analytical tools, cookies to name a few, balancing the business need for intelligence and data with data protection is a challenge in defining any privacy framework.
The balance needs to be struck and that can be achieved by putting in place an anonymous or aggregated data framework to protect customers’ privacy.
How do you get inspired? Who inspires you?
Inspiration to me comes in many forms, but one needs to be receptive to find that inspiration around them. So I make it a point to take the time to resource and re-energise - through fitness, reading and cooking - and spending quality time with my family. It is in this positive energy and spirit that I learn to appreciate life’s challenges and that allows openness for inspiring people and moments.
"Work is love made visible. For if you bake bread with indifference, you bake a bitter bread that feeds but half man's hunger." -Khalil Gibran
Thanks for your time and great insights Darine! Wishing you a wonderful 2020! 🥂
Thank you, Johan