GDPR

Op2mise GDPR Compliance Statement

This statement sets out the operating procedures Op2mise undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU).

The Information Commissioner’s Office is the UK regulator dealing with the Data Protection Act 2018 and the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK.

The ICO are like the data protection police and we need to make sure we always keep on their good side. Our determination to be 100% GDPR and PECR compliance will do exactly that!

It is important to take GDPR compliance very seriously, since the penalties for non-compliance are punitive and designed to be painful. You definitely don’t want to be on the receiving end of an ICO investigation or enforcement notice!

2. Op2mise and GDPR compliance

In addition to appointing a compliance officer to oversee our adherence to the rules, Op2mise have engaged 3rd party compliance expertise to audit and advise on best practice. This investment enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.

3. Op2mise relationship with you

To put this in the language of GDPR and the ICO:

• We are Joint Controllers. Yes – Joint Controllers. Even though, as a service provider, we are essentially working for you, it is important to recognise that we are both responsible for deciding who to target, what data to collect, how the data is processed, what messages we send them and how their data will be collected, processed, and stored. This decision is pretty fundamental to how we operate so if you have any questions let’s talk!
• Just to make all our lives easier we have incorporated a comprehensive Data Sharing Agreement within Op2mise’s standard Terms of Service. This sets out how we work together as Joint Controllers and how we support each other if we ever receive a GDPR request.

4. Is Op2mise’s marketing activity compliant?

Let’s look at this carefully. Op2mise’s services are designed and offered solely to help businesses promote to other businesses. I.e. B2B marketing only. In which case PECR allows email marketing provided material is relevant and we and allow the recipient to opt-out of future emails. In this respect Op2mise is naturally compliant. Now for GDPR, GDPR always applies and actually applies to all aspects of collection, storage, and processing of data. Op2mise has been designed to be compliant and has established technical and operational systems to make sure this is the case. For example, before launching new client activity, Op2mise conducts an in-depth assessment to establish if the product or service, combined with the proposed targeting, meets the criteria for GDPR and PECR compliant business to business (B2B) marketing. A key part of this assessment is called the Legitimate Interest Assessment (LIA), we have completed a LIA for us and also a standard LIA for each of our clients. We have also created a standard Privacy Policy update for client use as needed, this includes all the relevant clauses you need plus references to Op2mise to make everything clear to the data subject – just let us know if you need a copy of any of these.

Want to know more about how Legitimate Interest applies?

If Op2mise determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.

In the context of our Services, Legitimate Interest is the relevant lawful basis for processing as defined in GDPR. GDPR sets out a number of permissible circumstances (or categories) under which Personally Identifiable Information (PII) can be stored and processed, the most appropriate category in the case of most B2B marketing is Legitimate Interests. This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ To ensure client activity falls into this category, prior to engaging, we will carry out a full Legitimate Interests Assessment (LIA) with each new client. Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:

• Identify a legitimate interest – The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
• Show that the processing is necessary to achieve it – Can the same result be achieved differently? Core to the Op2mise service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
• Balance it against the individual’s interests, rights and freedoms – Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company? No data processing may replace or infringe the individuals interests or cause unjustified harm.

5. LIA Failures

If Op2mise determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.

6. Rights of Individuals

• Privacy Policy – All messages sent will contain a link to a privacy policy that explains to the user exactly what their rights are as well as the type of data that is held about them and by who. Op2mise will provide a template privacy policy or review your existing one to ensure it meets the required standard. A link to our Privacy Policy which is based upon this template is here: https://op2mise.ai/privacy-policy/ This standard privacy link would typically be contained in the email signature of any outbound messaging, in the case of messaging as part of client campaign activity, the privacy link will be that of our client’s own privacy policy.
• Opting Out & Exclusion Lists – All recipients are able to opt out easily to prevent further email communication being received. All replies to prospecting emails are logged and those prospects are added to your campaign exclusion list within 24 hours. Op2mise allows import of existing exclusion lists in advance of campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains and will prevent communications being issued to those email addresses or domains listed.
• Subject Access Requests – All individuals have the right to request a copy of all data you hold on them. To support this data subjects can email any SAR requests to enquiries@op2mise.ai and we will return this data within 72 hours.
• Right to be Forgotten – All individuals have the right to have some or all of their data removed (to be ‘forgotten’) at any time.. A conflict does arise in removing or forgetting an email address whilst at the same time keeping this address on an exclusion list to prevent future mailings. Where we have removed data, we will move the email address to a separate exclusion list, encrypted using a one-way hashing algorithm (SHA1), ensuring we are able to prevent any future messages being sent to the customer whilst continuing to honour their right to be forgotten.

7. PECR and sending of B2B messages

Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic communications Regulations (PECR). This is very clear as to the requirements on business communication: “You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out and screen any new marketing lists against that.” https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

8. Op2mise Employees

All Op2mise employees undergo GDPR, PECR and general compliance training, this covers the GDPR rule set in detail, the relevance and impact of those rules on Op2mise and our clients, and the steps we take to ensure best practice is observed at all times. We also make clear the consequences (I.e. penalties) associated with failure to meet the strict GDPR standards.

9. Client responsibility

Whilst Op2mise continues to take extensive measures to ensure best practice with respect to GDPR and PECR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with each party. Op2mise cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times, as such it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.

10. In Summary:

Op2mise has worked hard to develop a compliant platform providing innovative marketing services and technology for our clients and at all times respecting the rights of the data subjects whose information we collect. Compliance is now part of what we do and ongoing due-diligence is just part of how we operate. Compliance is central to our identity as a business.