The purpose of this article is to provide information to Outreach Users regarding General Data Protection Regulation (GDPR) compliance.
General Data Protection Regulation (GDPR) Compliance:
From our first ISO 27001 certification in 2015 to the many Outreach features that help our customers meet their GDPR obligations, Outreach has your back! This article outlines the key principles and Outreach's recommendations to help you meet the GDPR obligations connected with your use of the Outreach product. You can visit our GDPR page and FAQ for more details on our recommendations for customers and on what Outreach has done to comply with GDPR.
The information contained in this article and on our website does not provide legal advice and should not be used as such. Outreach recommends you consult with your legal counsel to determine what is appropriate and required for your business operations and use of the Outreach product.
What is the GDPR?
GDPR is a data privacy regulation designed to harmonize the various data privacy laws across the European Union (EU) into a common set of rules for protecting EU residents' personal data. GDPR applies not only to companies that process the personal data of protected individuals and have a presence in the EU (e.g. offices or establishments), but also to companies that have no presence in the EU yet target the European market. Customers, including non-EU based customers, should carefully assess whether they are subject to the GDPR. If your company determines that it is subject to GDPR, Outreach will provide you with our latest Data Processing Agreement (DPA) to satisfy the contractual requirements of GDPR.
Outreach Security & Feature Updates for GDPR
A core component of GDPR is ensuring that your data processors (e.g. Outreach) implement security best practices for safeguarding personal data. Outreach already has a number of these security and privacy mechanisms in place. In addition, Outreach has updated the Outreach platform to help you meet your GDPR obligations.
Key highlights include:
- Compliance with key industry standards: ISO 27001, ISO 27701, SOC 2, and the EU-U.S. Privacy Shield framework (although Privacy Shield has been invalidated, Outreach still aligns with its principles)
- Built-in support for encryption (in-transit and at-rest)
- Ongoing external security testing through our bug bounty program
- Product features to control access to data on the Outreach platform including Governance and SSO
- Product features to support data subject requests including selective CSV Export and Privacy Compliance data deletion
- From a marketing perspective, Outreach ensures that all EU users have opted in to receive any correspondence from us and that they can delete their information at any time.
Data Controller vs. Data Processor Responsibilities:
Your company acts as the Data Controller of all data sent to Outreach for processing. Outreach is most likely just one of your Data Processors. In addition to the built-in capabilities mentioned above, Outreach has developed procedures to assist you with your Data Controller obligations regarding the handling of personal data.
Please visit our GDPR page and FAQ for more details on our recommendations for customers and on what Outreach has done to comply with GDPR.
You can also visit our Privacy Compliance Article to get an overview of privacy compliance overall at Outreach.