Posted: April 2018
Outreach has been preparing for the European Union's (EU) General Data Protection Regulation (GDPR) for over a year. We have implemented processes and procedures to ensure we meet both our Data Controller and Data Processor obligations. With the addition of a few new processes to support Data Subject requests, Outreach has determined that our current security controls and certifications, including ISO 27001 and Privacy Shield, allow us to adhere to the GDPR requirements applicable to Outreach's business. This assessment includes supporting our customers in meeting their own GDPR obligations.
To determine our readiness for GDPR, Outreach conducted a gap analysis of our current capabilities and validated that assessment with a third-party GDPR expert, CoalFire, who conducted a formal GDPR assessment. A Letter of Compliance attesting to our compliance with GDPR requirements can be provided upon request.
It is important to note that GDPR does not have an accredited certification scheme. That means there is no GDPR-approved way to demonstrate compliance. We believe our customers will appreciate that we are voluntarily undergoing an audit by a respected firm to obtain its independent opinion. We will openly share the Letter of Compliance with our customers as soon as it is available.
Here is what Outreach has done to meet our GDPR obligations and help our customers do the same:
Privacy Shield and Data Transfer
Outreach's Privacy Shield certification allows us to meet the EU's current requirements for transfers of personal data, including onward transfer to third parties, by adhering to the following Privacy Shield principles:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability
Standard Contractual Clauses (Model contract clauses)
Additionally, Outreach signs Data Processing Agreements (DPAs) with customers who need them. Where necessary, Outreach includes the Standard Contractual Clauses (the model clauses approved by the European Commission, which set the current bar for such transfers) covering transfers to third countries. These clauses give our customers a lawful basis for transferring personal data to countries outside the EEA for processing in our system. Further, Outreach has DPAs in place with all sub-processors where legally required.
Outreach has already implemented strong data security requirements and controls to protect our customers' data, many of which already meet GDPR standards:
- Outreach maintains ISO 27001 certification. ISO 27001 is an information security management standard that specifies requirements for an Information Security Management System (ISMS), with its controls drawn from the ISO 27002 code of practice. As an ISO 27001-certified organization, Outreach has a high level of integration between the ISO 27002 code of practice and its ISMS. The ISO 27001 certification validates our security program and addresses many of the requirements of GDPR.
- Outreach maintains a SOC 2 Type II attestation report. The SOC 2 audit evaluates Outreach's controls relevant to the Trust Services principles of security, availability, and confidentiality. A Type II report is a rigorous assessment that tests the operating effectiveness of those controls over a defined period, rather than their design at a single point in time, demonstrating and documenting our adherence to controls pertaining to security, availability, and confidentiality.
- Outreach has strong data protection controls, including encryption of customer data in transit and at rest, to safeguard data subjects' personal data from unintended disclosure or misuse. Outreach rigorously tests its product to proactively remedy vulnerabilities and follows industry best practices and guidance in information security.
- Outreach maintains incident response and notification processes. These procedures are tested annually.
- Outreach has procedures in place to ensure data recovery and data integrity, so that customer data that is lost or inadvertently corrupted can be restored.
- Outreach provides assurances that the customer retains full control of their data.
- Outreach's key data sub-processors, i.e. Amazon Web Services (AWS), all maintain rigorous security standards (SOC 2 and/or ISO 27001 certifications, where possible) and undergo annual vendor reviews.