GDPR: Steps towards compliance

Epsilon’s previous blog post on the General Data Protection Regulation (GDPR) covered preparation efforts to ensure compliance before May 25, 2018.

Compliance is a collective responsibility and Epsilon strongly urges clients, partners and vendors to review and understand their responsibilities and obligations under GDPR.

At Epsilon, work began on its GDPR compliance program almost two years ago, starting with the following areas of focus:

Cross-functional Teams: Epsilon created cross-functional teams to manage its GDPR compliance. With buy-in from the executive team, associates from the business, technology, legal, security and privacy groups were tasked with bringing and keeping clients, business verticals and internal operations into compliance with GDPR.

Data Inventory: The main task the cross-functional team undertook in 2017 was updating and reviewing each vertical’s or client’s data inventory. The team then created a GDPR compliance roadmap for its platforms and its clients based on that data inventory, which made clear the next steps needed to bring Epsilon into GDPR compliance.

Lawful Basis: As applicable, Epsilon reviewed the lawful basis for processing the personal data it collected and received.

Data Subject Rights: Epsilon has strengthened its data subject rights policies and procedures to ensure an appropriate response to the requests and rights individuals have, including the deletion of personal data. This includes the ability to respond to data subject rights requests through Epsilon’s various services and platforms.

Personal Data Breach: Epsilon has reviewed its security incident response plan to ensure the right procedures are in place to detect, report and investigate a personal data breach.

Training: Epsilon provides training to associates and clients, including:

Over fifty GDPR training sessions for internal teams in 2017
Client-personalized webinar trainings about Epsilon platforms to ensure GDPR adherence (starting April 2018)
Client summit events hosted by Abacus UK to review compliance steps (held October 2017 and March 2018)

Maintaining Compliance:

Epsilon is retaining an external, third-party data protection officer (DPO) to review its GDPR compliance program.
Each business unit has a “Privacy Champion,” an employee/associate tasked with ensuring continued compliance. If Epsilon starts providing new services or collecting additional personal information, it is this individual’s responsibility to alert the internal audit GDPR team. This will help Epsilon keep clients and its platform in continued compliance after May 25, 2018.
Epsilon will also be audited by its internal GDPR team to ensure compliance.

Privacy and Security by Default and Design: Epsilon is committed to protecting the privacy of individuals. The company has a privacy and security by design policy in place, reflecting the requirement that privacy and security must be part of every service, product, feature, and decision made around data.

Industry Leader: Epsilon is a leader and active participant in the following industry groups that are helping interpret and set standards around GDPR for the marketing ecosystem:

Data Protection Network: Epsilon is an active member of the Data Protection Network and helped craft guidance around legitimate interest being the lawful basis for processing data for direct marketing and internal operations.
Email Service Provider Coalition: Epsilon is an active member of the ESPC and helped draft guidance around interpreting how to comply with GDPR as an email service provider.

Epsilon is using GDPR preparation as an opportunity to further enhance its products, services, and processes, ensuring privacy and security are taken into consideration every step of the way. Epsilon will continue to lead industry efforts in understanding how GDPR impacts the marketing industry.