Our Outreach GDPR Compliance
Outreach believes that as a SaaS company security and privacy are a shared responsibility with our customers. Requirements such as greater data access and erasure rules, privacy by design, and data breach notification processes may mean changes for your organization, and are a shared responsibility between yourself and your partners. It is important to understand your obligations related to the GDPR regardless of where your organization resides, and Outreach will work with you to achieve them. By nature of Outreach’s integration architecture, you determine what data is sent over for processing. Accordingly, your company acts as the controller and must abide by a set of core principles regarding the handling of the personal data.
Per the GDPR principles, you should avoid sharing unnecessary personal data with Outreach. Typically, the only class of personal data you should share with Outreach is contact information and you should not share other classes of data that are not relevant to managing your sales pipeline. It is your responsibility to ensure certain data types are not sent to Outreach for processing. Recommendation: Review the user information shared with Outreach and ensure you are not sharing any unneeded or sensitive personal data. GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared.
If your legal counsel determines you also need to obtain user consent before using Outreach, make sure you update your integration with Outreach to only send data from those who provided the required consent or have otherwise consented to it. Outreach continues to monitor the continuing guidance issued by the Article 29 Working Party to ensure that we remain abreast of the most recent developments pertaining to GDPR. Even when the regulation comes into full effect, Outreach is prepared for the fact that privacy compliance in the EU will be an evolving area and that compliance with GDPR is not a one-stop check box or finish line – it will require continuous adjustments and actions to ensure that we, and our customers, remain compliant.
General Data Protection Regulation
The GDPR applies to the processing of data subjects’ personal data by EU or non-EU organizations of any size that provide goods or services to the EU or monitor the behavior of EU users. All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a Data Protection Officer. More detailed information about privacy by design can be found in Article 25 of the GDPR. Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. Third-Party Providers – Keep your list of all the third-party solutions you currently use that have access to or process data subjects’ personal data up to date.
Processing: The GDPR imposes direct legal obligations on data processors meant to ensure that processors protect personal data appropriately, assist with data subject requests, and provide notice and a right to object to the use of sub-processors. SendGrid believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. SendGrid makes available a GDPR-compliant Customer Data Processing Agreement for SendGrid’s processing of personal data under the GDPR on behalf of its customers. If your use of SendGrid requires SendGrid to process personal data within the scope of the GDPR, SendGrid’s Data Processing Addendum is available for e-signature here. Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we modified our vendor agreements to put GDPR-compliant terms in place with vendors and service providers who process personal data on our behalf.
Many companies that are data processors of some personal data are also data controllers of other personal data. Your obligations under the GDPR depend on whether you are acting as a data controller or a data processor in connection with each category of personal data. Personal data can also be processed when necessary for the performance of a contract to which the data subject is a party.
GDPR compliance deadline is approaching: 10 things to do right away
Under the GDPR and other data protection and privacy laws, personal data should be treated as the most precious asset owned by the enterprise. Businesses should hold training sessions to explain the details of GDPR compliance to make sure every employee is aware of their role in protecting data throughout the organization. A typical GDPR policy will establish procedures and protocols limiting access to personal data, set consent standards, and provide for practical procedures regarding the data subject’s right to access and, if requested, delete their personal data. Besides creating a foundation for GDPR specifically, enterprises should also develop and implement a full set of policies regarding data security. Policies dealing with intrusion detection, data classification, privacy protection, password management, auditing and logging, and encryption, just to name a few, should all be developed in support of an overall GDPR compliance policy.
One of the major provisions of the GDPR is the concept of acquiring clear consent to use personal data from the data subjects themselves. While the GDPR requires policies and procedures that establish enterprise-wide data security, there are also specific provisions of the regulation that require organizations to provide data subjects with access to their data. If your enterprise does not currently provide these mechanisms for all data subjects, it is not in compliance with the GDPR and is subject to fines and penalties. To establish compliance with the GDPR, enterprises should implement procedures that require these steps and retrain personnel to include data protection in all development processes.
The GDPR requires enterprises to perform Data Protection Impact Assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of personal data. The documentation of this auditing procedure could reveal areas of data privacy and protection vulnerability and advance the enterprise toward the goal of GDPR compliance.