The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) protects and strengthens the privacy rights of European Union (EU) and European Economic Area (EEA) citizens. GDPR replaces the Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe, while expanding the rights of individuals to control their personal information. The GDPR establishes global privacy requirements governing how you manage and protect the personal data of EU and EEA citizens and residents while respecting individual choice, regardless of where that data is sent, processed, or stored. Outreach believes that the GDPR is an important step toward strengthening data protection laws across the European Union and enabling individual privacy rights. This is why Outreach is committed to being GDPR-compliant across our cloud services when enforcement begins on May 25, 2018.
Current Status of GDPR Compliance
Privacy Shield and Data Transfer
Privacy Shield allows Outreach to meet the current European privacy requirements for onward transfer by adhering to the following privacy principles:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability
Standard Contractual Clauses (Model contract clauses)
Additionally, Outreach signs Data Processing Agreements (DPAs) with customers who need them. Where necessary, Outreach includes the standard model clauses for transfers to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, Outreach has DPAs in place with all sub-processors where legally required.
Outreach has already implemented many strong data security requirements and controls to protect our customers' data, many of which already meet GDPR standards.
- Outreach maintains ISO 27001 certification. ISO 27001 is a security management standard that specifies security management best practices and controls based on the ISO 27002 best-practice guide. As an ISO 27001-certified organization, we have a high level of integration between the ISO 27002 code of practice and our Information Security Management System (ISMS). The ISO 27001 certification validates our security and meets many of the requirements of GDPR.
- Outreach maintains a SOC 2 Type II accreditation report. The SOC 2 evaluates Outreach's controls that are relevant to the principles of security, availability, and confidentiality. This is a rigorous assessment that tests the operating effectiveness of our controls over a defined period, demonstrating and documenting our compliance with controls pertaining to security, availability, and confidentiality.
- Outreach has strong data protection controls, which include encryption in transit and encryption at rest of customer data, to safeguard data subjects' data from unintended disclosure or misuse. Outreach rigorously tests its product to proactively remedy vulnerabilities and follows industry best practices and guidance in information security.
- Outreach maintains incident response and notification processes. These procedures are tested annually.
- Outreach has procedures in place to ensure data recovery and data integrity, so that customer data that is lost or inadvertently corrupted can be recovered.
- Outreach provides assurances that the customer retains full control of their data.
- Outreach's key data sub-processors, i.e. Amazon Web Services (AWS), all maintain rigorous security standards (SOC 2 and/or ISO 27001 certifications, where possible) and undergo annual vendor reviews.
GDPR Path Forward to May 25, 2018
We are currently analyzing the GDPR requirements to determine which articles are in scope for Outreach and our customers. We believe that our current security controls, accreditations and Privacy Shield status put us in a strong position to meet the requirements of GDPR on or before May 25, 2018. Our current path includes:
- Consulting with legal and industry experts to fine-tune our position.
- Reviewing and understanding our data models and use cases, so we can justify our operations and decisions before the law.
- Building processes, where they do not already exist, to execute data subject requests and rights in an expedient and accurate manner.
- Ensuring we have fully reviewed the implications of the new requirements for data processors, and where we may be a joint controller.
- Updating our contacts, notices, and other relevant information to ensure data subjects and controllers (customers) can contact us as necessary.
- Acquiring the necessary resources to execute and maintain the ongoing compliance requirements and documentation required by GDPR.
- Reviewing data security standards and processes to ensure they meet the requirements imposed by GDPR.
- Reviewing our contracts with sub-processors and ensuring they adequately meet the requirements imposed by GDPR, and that our sub-processors understand their responsibilities and are fully committed to meeting them.
- Reviewing our customer contracts where necessary to help ensure our customers meet the letter of the law in their contracts, and ensuring that our responsibilities are clearly defined and delimited so that there is no confusion that could result in penalties for either party.
Outreach continues to monitor the ongoing guidance issued by the Article 29 Working Party (which will be replaced by the European Data Protection Board [EDPB]) to ensure that we remain abreast of the most recent developments pertaining to GDPR. Even when the regulation comes into full effect, Outreach is prepared for the fact that privacy compliance in the EU will be an evolving area and that compliance with GDPR is not a one-time check box or finish line; it will require continuous adjustments and actions to ensure that we and our customers remain compliant and provide an experience that meets our customers' needs.
Outreach additionally understands that compliance is a shared responsibility with our customers; we are committed to partnering with you to help you successfully comply with the GDPR and future privacy requirements. Requirements such as greater data access and erasure rules, privacy by design, and data breach notification processes may mean changes for your organization, and are a shared responsibility between you and your partners. Therefore, it is important to understand your obligations under the GDPR regardless of where your organization resides, and Outreach will work with you to meet them.