December 16, 2019
GDPR for Optimizely customers
If you’re familiar with GDPR data mapping, you understand that operationalizing GDPR throughout an entire organization can be a mammoth task. At Optimizely, data protection and GDPR privacy by design is a core pillar in software development and managed services. With the Optimizely Digital Experience Platform, you can quickly meet the GDPR requirements, while maintaining all of the functionalities that make you a digital leader. Learn what your GDPR responsibilities are and how we can help.
This checklist highlights some of the main GDPR responsibilities, what you need to do, and how Optimizely's features and processes help you become compliant.
| Responsibilities | You Data Controller |
Optimizely Data Processor |
| Minimize data necessary to complete a task or transaction that has been initiated by the individual | Reduce the amount of personally identifiable information they store, and erase it when no longer necessary | One of the ISO27001 guidelines we have in place is the data minimization. Customers should only submit data to Optimizely for processing that is necessary. |
| Obtain Data Subject Consent/affirmative opt-in | Provide clear and affirmative consent to the processing of private data. Pre-ticked boxes are not allowed. Single opt-in boxes for multiple consent types are also not allowed. | Optimizely will process data as instructed by customers but customers are responsible for such consent and opt-ins. We will provide reference solutions that include opt-in capture that comply with GDPR regulations as a guide. |
| Process data lawfully, fairly and transparently | You must use plain language to make it clear to the subject what you are going to be using their data for and only process in line with those statements. Typically this will be done through an easily accessible privacy policy between you and your customers. | Optimizely’s products and services support the efforts to fulfil this requirement for the Data Controller. Optimizely’s Data Privacy Policy addresses the lawful, fair, and transparent use of the data managed within the supported systems between Optimizely and you. |
| Commit to confidentiality persons authorised to process personal data | Appoint a Data Protection Officer (DPO) (mandatory for certain companies). Part of their role will be to document and put in place processes around security and data handling | All employees sign an NDA which covers access, handling and treatment of data. In addition, required training is provided to address data privacy, information security, and confidentiality. Optimizely has also appointed a global DPO. |
| Secure data physically and technically | Adopt a GDPR mandatory privacy risk impact assessment, which is a risk-based approach, before undertaking higher-risk data processing activities. In order to analyze and minimize the risks to their data subjects, data controllers will be required to conduct privacy impact assessments where privacy breach risks are high. | Optimizely are in the process of attaining ISO 27001 certification for all products (some products have already achieved certification), the industry standard for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. In addition, Optimizely is Privacy Shield certified and has supporting controls in place to support the GDPR. |
| Manage record keeping and breach notification | Report data breaches to their data protection authority within 72 hours of becoming aware of it unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. | Optimizely conducts proper logging of activities and conducts reoccurring audits. Optimizely also has a formal Security Incident Management policy that was developed to accommodate applicable standards and regulations including what is required for the GDPR. |
| Provide PII info to subject on request within 30 days | Have processes in place to provide information requests within 30 days. | Optimizely has processes in place to assist customer with requests to provide standard PII data on a subject from within our services. |
| Keep PII data only as long as necessary | Keep personal information only for the length of time it takes to carry out the task that the subject has engaged with you for and shouldn’t be kept for longer or used for any other purpose. | Optimizely has SLA’s for data retention across all products including how long data will be stored in the system, when data will be deleted, what happens upon termination of contract and justification for why data is stored as long as it is. Optimizely will also comply with customers instruction for deletion as requested. |
| Delete of data if requested under “the right to be forgotten” | Providing the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed the data subject can request erasure of their personal data and processes need to be put in place for this. | Optimizely provides the ability to delete PII data from the products. |
| Build in privacy into the design - privacy by design | Make sure when you carry out vendor assessments that you are choosing a supplier that can help deliver against your GDPR requirements. | Optimizely’s Information Security Management System is compliant to the ISO 27001:2013 standard. All products shall undergo a DPIA. |
