Purpose
The purpose of this article is to provide information to Outreach Users regarding General Data Protection Regulation (GDPR) compliance.
General Data Protection Regulation (GDPR) Compliance
Since our first ISO 27001 certification in 2015 to the many Outreach features that help enable our customers to meet their GDPR obligations - Outreach has your back! This article outlines the key principles and Outreach’s recommendations to our customers to help you meet your GDPR obligations connected with your use of the Outreach product. You can visit our GDPR page and FAQ for more details on our recommendations for customers and what Outreach has done to comply with GDPR.
The information contained in this article and on our website does not provide legal advice and should not be used as such. Outreach recommends you consult with your legal counsel to determine what is appropriate and required for your business operations and use of the Outreach product.
What is the GDPR?
GDPR is a data privacy regulation designed to harmonize various data privacy laws across the European Union (EU) to create a common set of regulations for protecting EU residents’ personal data. GDPR not only applies to companies that process the personal data of protected individuals, and have a presence in the EU (e.g. offices or establishments), but also to companies that do not have any presence in the EU but target the European market. Customers, including non-EU-based customers, should carefully assess whether they are subject to the GDPR. If your company determines that you are subject to GDPR Outreach will provide you with our latest Data Processing Agreement (DPA) to satisfy the contractual requirements of GDPR.
Outreach Security & Feature Updates for GDPR
A core component of GDPR is ensuring that your data processors (i.e. Outreach) implement security best practices for safeguarding personal data. Outreach already has a number of these security and privacy mechanisms in place. In addition, Outreach has updated the Outreach platform to help you meet your GDPR obligations.
Key highlights include:
- Built-in support for encryption (in-transit and at-rest)
- Ongoing penetration testing through our bug bounty program
- Product features to control access to data on the Outreach platform including Governance and SSO
- Product features to support data subject requests including selective CSV Export and Privacy Compliance data deletion
- Any customer working with Outreach is considered the data controller with Outreach as the Data Processor. Outreach has tools available allowing the Data Controller to remove any individuals from our systems, as well as options for keeping them from being re-added in the future. Outreach can read your consent management system via your CRM sync (where available) and respect any opt-outs that occur, including emails that are sent by the Outreach platform.
Data Controller vs. Data Processor Responsibilities
Finally, your company acts as the Data Controller of all data sent to Outreach for processing. Outreach is most likely just one of your Data Processors. In addition to the built-in capabilities mentioned above Outreach has developed procedures to assist you in your Data Controller obligations regarding the handling of the personal data.
Please visit our GDPR page and FAQ for more details on our recommendations for customers and what Outreach has done to comply with GDPR.
You can also visit our Privacy Compliance Article to get an overview of privacy compliance overall at Outreach.
Additional Information
California Consumer Privacy Act (CCPA) FAQs
Call Recording Laws and Regulations: Us and International
How To Remove Data from Outreach