The heat is on, and not in the fun, Beverly Hills Cop sort of way. General Data Protection Regulation (GDPR) is now in effect. And, whether we like it or not, the European Union’s (EU) new regulations will have repercussions throughout the sales and marketing landscape.
Unfortunately, there is a lot of rumor, misinformation and fear out there. But don’t worry, Outreach has your back. Since our first ISO 27001 certification in 2015, to the many Outreach features that help enable our customers to meet their GDPR obligations, we have been working tirelessly to ensure we are compliant with all national and international laws, and have learned a few things along the way.
In this post, we will cover four essential questions about GDPR in hopes of easing some of the fears.
But first, a quick primer so we’re all on the same page.
What does GDPR cover?
GDPR is a new set of rules that allow European Union residents to have more control over their personal data, including how that data is used, who has access to it and ways to protect that data from misuse.
Outreach’s customers are considered Data Controllers. Data Controllers must ensure that personal data is gathered legally and with the consent of the Data Subject - a natural person who is an EU citizen located in the EU - who can be identified by the personal data collected. Data Controllers also need to prevent exploitation and respect Data Subjects’ rights, i.e. the right to be forgotten, right to data portability, and the right to object to profiling. If Data Processors or Data Controllers (Outreach customers) fail to comply, they will face stiff penalties. As a Data Processor for our customers, Outreach is committed to helping you meet these obligations.
It may sound like this only applies to people living in the EU, but that’s only half right. It also applies to any company that does business in the EU, or plans to expand there, particularly if personal data — name, address, credit card number, etc. — of EU citizens is involved.
For argument’s sake, let’s assume GDPR applies to your business. The regulation is comprised of 99 Articles, but not all of them necessarily require action on your part. In fact, most compliance efforts center around about 25 Articles. To save you from reading the entire document, we’ve boiled down the important parts to four, big-picture questions.
1. Do you know what personal data is being collected and processed?
With the main goal of GDPR being greater control of one’s personal data, any Data Processors (Outreach) and Data Controllers (Outreach customers) must know exactly what data is being collected and processed. Things like name, address and email definitely fall under the scope of GDPR, but so do things like online behavioral data. And Data Subjects (prospects) have the right to know how their personal data is being collected, used, stored and shared. As a best practice, review the information shared with Outreach and ensure you are not sharing any unneeded or sensitive (SSN, driver’s license, credit card #, passport #, etc.) personal data. Stick to contact data.
Furthermore, you may need to update your privacy policy to reflect your use of Outreach or other solution as a data processor for the purpose of improving and managing your sales processes.
If your legal counsel determines you also need to obtain user consent before using Outreach, make sure you update your integration with Outreach to only send data from those who provided the required consent or have otherwise consented to it. Please note that proof of consent is required and may be necessary in the event of legal proceedings.
With that said, there are other ways to lawfully process personal data under GDPR. According to The United Kingdom Information Commissioner, Elizabeth Denham, “consent is one way to comply with the GDPR, but it’s not the only way.”
2. Do you know where the personal data is stored?
You can thank all those high-profile data breaches for this one. It’s important to know exactly where your prospect data is stored in order to adequately respond to Data Subject requests and protect it from misuse. As mentioned above, Outreach is considered a Data Processor under GDPR. We are likely just one of many locations where you have stored personal data. That’s why we take security extremely seriously and have taken numerous steps over the years (even before GDPR) to ensure your prospects’ data is secure. You can find detailed information about how Outreach secures our platform, and your data, on our Trust site.
Key highlights include:
- Compliance with key industry standards: ISO 27001, SOC 2 Type II and US-EU Privacy Shield framework
- Built-in support for encryption (in-transit and at-rest)
- Ongoing penetration testing through our bug bounty program
- Product features to control access to data on the Outreach platform including Governance and SSO
3. Can you demonstrate what has happened to personal data?
Not only do your prospects want to know the type of personal data you have and how you’re protecting it, they want to know how it has been used over time. You will need accurate records of each and every instance a prospect’s personal data has been used, even if they consented. At Outreach, we’ve got this one covered. Outreach’s Activity Feed provides a record of all data processing activities. You can also use our CSV and Salesforce Log Export features to help with data portability requests from a Data Subject.
In fact, we have updated numerous features across the Outreach platform to help you meet your GDPR obligations.
Key features include:
- Product features to support data subject requests including selective CSV Export of personal data (Data Portability) and Prospect and Email data deletion (“right to be forgotten”)
- Inbound Create conditions to help control which prospects your users can contact based on your Opt-in records in Salesforce
- From a marketing perspective, Outreach ensures that all EU users have opted-in to receive any correspondence from us and that they have the ability to delete their information at any time
4. Can you identify and detect personal data misuse or loss?
Another one stemming from the nearly constant barrage of data breaches we see in the news. Maybe you’ve even been a victim. If you become “aware” of a breach or misuse of personal data, you must notify the affected parties without “undue delay”. I purposefully put “aware” and “undue delay” in quotes because they’re terms used in the GDPR text, and they are open to interpretation. Generally, undue delay means within 72 hours. Too often a breach occurs and those affected don’t hear about it for weeks or even months. That’s a big no-no under the GDPR.
Our advice is to take all necessary means to protect personal information not only from breach or theft, but even temporary loss. Outreach offers extensive governance controls over what data users have access to as well as what they can do with it.
In addition, we recommend performing a risk assessment to identify weaknesses in your systems and processes. Also, run a tabletop exercise for your incident response process. Failing to take adequate security measures to safeguard personal data and/or notify people if there’s a problem comes with very costly penalties. As part of the testing ask yourself these questions:
- Can you quickly identify misuse of personal data?
- Does everyone know their role?
- What systems are used to determine if there’s been a breach or misuse of data?
- How do you notify Data Subjects?
- Do you have a Public Relations team as part of your plan?
Conclusion
Like most complicated regulations written in legalese, GDPR can be difficult to understand. We hope that this post has put your mind at ease at least a little bit. At Outreach, we are committed to providing our customers with all the support they need to ensure their usage of our platform is lawful. We’ve put together a one sheet that details all of the features Outreach has that help your business meet GDPR.
Notice: Please note that the information below does not provide legal advice and should not be used as such. We recommend you consult with the appropriate legal counsel for that purpose. If your company uses Outreach as its Customer Engagement Platform, you may be sharing personal data with us. In these scenarios, Outreach acts as a data processor because Outreach processes the personal data on your company’s behalf.
