AgilOne and the GDPR

May 15, 2018

In fewer than two weeks, your business will confront a revolution in data privacy policy: the EU General Data Protection Regulation (GDPR).

The European Union will begin enforcing the GDPR starting on May 25, 2018 in an effort to protect personal data of EU residents and put control of that data into their hands.

As an organization committed to data privacy and security, AgilOne has taken several measures to help brands become GDPR compliant. As an enterprise Customer Data Platform (CDP), AgilOne makes it easier for businesses to identify where customer data lives within the source systems integrated into AgilOne, so end-user deletion requests can be performed more efficiently in those systems as well as in the CDP. For example, if John Smith requests his data be deleted from Acme Company, Acme Company can look John up in the CDP and see which other upstream and downstream systems have John’s data (e.g., OMS, CRM, ESP), and then perform the purge within those systems as well.

AgilOne is committed to making it easier for all our clients to comply with the GDPR. We believe that brands, and their customers, should have control over their data. We understand that the GDPR is just one piece of a larger security and privacy program. Our goal is to give you confidence in how your customer data is processed, transported, and stored.

Understanding the Role of Data Subjects, Controllers, and Processors

The GDPR defines the role of end users, technology vendors, and brands in the following ways:

Data subjects are consumers who have residences in the EU, regardless of the country in which they transacted, or they are consumers who provide data within the EU. They are the ultimate owners of their data.

Data controllers are companies that collect personal information of data subjects. They are responsible for making sure that the GDPR is enforced across all their data systems and those of data processors. AgilOne clients are considered to be data controllers.

Data processors are vendors or businesses that process data on behalf of data controllers. As a Customer Data Platform, AgilOne is considered a data processor.

As a data processor, AgilOne has taken the following steps to be compliant with the GDPR:

  1. We have updated the Data Processing Agreement (DPA) Addendum to our Master Services Agreement. Our previous Agreement conveyed our commitment to protecting customer data. Our updated DPA reflects the additional requirements of the GDPR, and states that AgilOne agrees to protect any data originating from a GDPR data subject in line with European data protection standards.
  2. In January 2018, we announced the AgilOne Privacy API, which helps facilitate deletion of customer data upon request, and assists brands in complying with the GDPR.
  3. AgilOne is SOC2 Type II certified. SOC2 Type II certification is an independent audit report that provides assurance that AgilOne is operating effectively and appropriately to protect client data.
  4. AgilOne only processes personal data according to instructions from the data controller (our clients).

How AgilOne Enables GDPR Compliance

If you collect data about EU data subjects, you are a data controller under the GDPR. One of the biggest challenges you will face as a data controller will be managing individuals’ requests to exercise their rights as defined by the GDPR.

To help you comply with the GDPR, we provide the following features to ensure these requests are executed as required.

| GDPR Requirement | How AgilOne Supports It |
| --- | --- |
| The GDPR includes the right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. | If a customer requests data to be corrected, AgilOne makes the update and propagates the corrected information across AgilOne's data pipeline. |
| The GDPR allows restitution for violation. | To ensure a brand is staying compliant, AgilOne gives data controllers the ability to extract data from the platform via the 360 Profile API. |
| The GDPR gives data subjects the right to be forgotten, and to have their data deleted across all systems used by the data controller. | AgilOne V6 enables data deletion via the Privacy API. (AgilOne V5 enables data deletion through other mechanisms.) AgilOne clients provide a list of customers who have requested deletion to AgilOne, and we delete them from the AgilOne platform following a standard process. |
| The GDPR requires that the data processor meet adequate security standards. | AgilOne is SOC2 Type II certified. |

What's Next

AgilOne welcomes the GDPR and the spirit of empowering consumers to control their data. We believe that, combined with the recent pressures faced by Facebook and other companies that rely wholly on third-party data, the GDPR ushers in a new era where brands will prioritize, and reap the full benefits from, first-party data.

If you have any questions about the GDPR or want to learn how AgilOne can help you be compliant, please let us know.