GDPR and Dryrun

The General Data Protection Regulation (GDPR) is an expanded and updated version of the 1995 EU Data Protection Directive (DPD).

Its purpose is to greatly enhance citizen rights over their personal data for every EU citizen by increasing the responsibilities of every organization that collects or processes personal data. The GDPR’s new and expanded provisions support the rights of the individual’s data and add harsher penalties for violations of the new laws.

The GDPR comes into force on May 25th 2018.

Woah there…

This page wasn’t meant to cover the full scope of EU data privacy, GDPR or legalities associated with both as they concern Dryrun, instead we’ve focused on what we think is most relevant to our users and done our best to link you to really high quality source documents.

Under no circumstances may you rely on this web page as legal advice, or as evidence of any particular legal understanding. If you have questions or concerns about Dryrun policies, please contact Dryrun directly via email at

GDPR Foundations and Newly Added Rights

Foundations of the GDPR

  • Obtain and process the personal data fairly.

  • Keep personal data solely for one or more specific and lawful purposes.

  • Process personal data only in ways compatible with the purposes for which it was given to you initially.

  • Keep personal data secure.

  • Keep personal data accurate and up-to-date.

  • Ensure that personal data is relevant to the organization’s need but not excessive.

  • Do not retain personal data any longer than is necessary for the specified purpose(s).

  • Give individuals a copy of their personal data upon request.

Newly Added Rights

  • Alert downstream recipients of deletion requests

  • Give individuals a copy of their personal data upon request in a common format, without charge and within 30 days of request

  • (Note that organisations may refuse to grant an access request in some cases if the request is deemed unfounded or excessive, but refusal policies and procedures must be clear)

Dryrun’s New Responsibilities Under the GDPR

Internal Procedures

  • Data privacy “by design” is required when developing new systems

  • A Data Privacy Impact Assessment (DPIA) must be performed when we use new technologies or existing technologies in risky ways.

  • We must consider the potential impact that a project might have on an individual’s privacy so that risk issues can be proactively identified and mitigated prior to the project launch.

Privacy Statements

  • Dryrun must review and amend any privacy notices or statements as well as internal data policies for compliance to GDPR’s requirements.

  • If we use third party agencies to collect and process personal data, those contracts must also be amended to comply with the GDPR.

  • Customer contracts must be GDPR compliant.

GDPR Scope

The scope of the GDPR is far more broad than the 1995 DPD. The GDPR will also apply to non-EU businesses who market to people of the EU.


  • Dryrun’s GDPR processes should be documented, put into practice and subsequently reviewed on a regular basis.

  • Dryrun staff should be trained accordingly.

  • Dryrun must take appropriate technical and organisational measures to support and demonstrate compliance.

Penalties for Violations

Businesses that violate data subjects’ rights can incur fines up to €20 million or 4% of their global annual revenue.

Product Changes

Our core team members have worked hard to make the necessary changes to Dryrun’s services and policies to ensure that we’re compliant by the May 25, 2018 both for our accounting pros and for our business users.

It’s important to note that companies need to assess their own data collection and storage practices (including how they use Dryrun’s tools) and seek their own legal advice to ensure that they are in compliance with GDPR.

We’re using the following questions to ensure that we take a risk-based approach to protecting user data.

  • What personal data do we collect and store?

  • Have we obtained personal data fairly?

  • Do we have the necessary consents required to collect and store the data in question?

  • Were individuals informed of the specific purpose for which we’ll use their data?

  • Were we clear about the purpose of data capture and storage in these circumstances?

  • Were individuals informed of their right to withdraw consent at any time?

  • Are we keeping data only as necessary and is it up-to-date?

  • Is data safe using security that is appropriate to the risk?

  • Are we limiting access to ensure it is only being used for its intended purpose?

  • Are all team members informed to make sure we’re all aware of their obligations under the GDPR?

  • Do we have sufficient resources to implement any required changes and processes?


GDPR is an important policy tool that helps restore the balance of power between users and organizations on the internet to something resembling ‘brick and mortar’ ethics. Dryrun looks forward to being a positive part of this trend toward internet good citizenry.

CAN-SPAM and Dryrun

The CAN-SPAM Act, a law that sets the rules and requirements for commercial email messages, and gives users rights under the law, as well as spells out penalties for violators.

CAN-SPAM Laws apply to all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Here’s a rundown of CAN-SPAM’s main requirements in plain English so you can easily see how Dryrun complies.

  • We use truthful header information. Our “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – are accurate and identify the person or business who initiated the message.

  • We use truthful subject lines. Our subject lines accurately reflect the content of our messages.

  • We identify the message as an ad, where applicable. There are several different ways to do this, but the law states that we must clearly disclose when our messages are advertisements.

  • We tell our recipients where we're located. Our messages always include our physical postal address.

  • We tell you how to opt out of receiving future email from us.

  • We honor opt-out requests promptly.

  • We monitor what others are doing on our behalf. The law makes it clear that we can’t contract away our responsibility to comply with CAN SPAM laws if we ever chose to hire a third-party company. In that case, we'd both be legally responsible.

Security and Dryrun

Dryrun conducts an annual third-party audit of our major systems and assets expressly to look for gaps in our security infrastructure and processes. We take the findings and implement changes accordingly.  Want more info? Contact us at

Did this answer your question?