Acoustic Campaign General Data Protection Regulation FAQs

Frequently asked questions that surround Acoustic Campaign and GDPR.

Here you will find answers to some of the most frequently asked questions about Acoustic Campaign and what Acoustic is doing to assist its customers in becoming GDPR compliant by May 25th, 2018.

IBM® has several data hosting and other processing locations where data processing takes place. To learn more about these locations, use this link. https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1412721510216

Processing of Personal Data

How does Acoustic Campaign securely and confidentially process personal data, including personal data that falls under the special categories indicated in the GDPR articles?

Acoustic Campaign is a web-based, multi-tenant, software-as-a-service (SaaS) digital-marketing operating system that is a data-driven self-service solution with a flexible data schema that allows customers to determine the data elements to be stored, collected, and processed. Typical use cases include the means of contacting recipients (email address, mobile number for SMS messaging, and/or App ID for Mobile Push Notification), first names and other elements wanted for the personalization of messages, and data elements needed to segment recipient lists into target groups.

Acoustic treats all data and content as confidential. For more information on confidentiality and privacy, read the in-depth information that can be found at these links:

  • Privacy and Compliance - Acoustic’s business practices comply with applicable laws and regulations in the jurisdictions in which it conducts business. Acoustic’s Online Privacy Statement and Software and Services Privacy Statement are published online. As a data processor, Acoustic Campaign is certified to be compliant with the EU-US Privacy Shield Framework, processes personal data as instructed by clients, and offers standard EU Model Clauses.

Data Storage and Processing

Acoustic stores all structured (“contact list”) data on database servers, encrypted at rest (on disk) by the production storage array (US hosting) or database-management system (other hosting geographies).

The Acoustic Campaign production infrastructure is co-located within dedicated cages or hosted in a cloud service (depending on the specific instance) within Tier 3 (or higher) facilities. These facilities employ physical-security and environmental controls, with redundancy, that meet or exceed industry standards, as evidenced by the SSAE-16 SOC Type II attestation reports and ISO 27001 certifications for the facilities.

More information can be found at the following links:

Cloud hosting providers:

Subcontracting and Processing of Personal Data

Acoustic has a Web Application Security Assessment (WASA) performed by an independent third party at least one time per year. No subcontractor is outside the European Economic Area (EEA). Those subcontractors that are based inside the EEA DO NOT use data systems that process data outside the EEA (for example, servers, Dropbox, email providers, and so on).

Only offering representatives and corporate offices have the authority to authorize subcontracting activities, and written agreements are in place that cover these subcontracting arrangements.

If a third-party subcontractor is used to access client data in the normal performance of its contracted duties, and/or such a third-party subcontractor is engaged in the delivery of a cloud service, the sub-processor and its role are provided upon request. Acoustic requires all such sub-processors to maintain standards, practices, and policies that preserve the overall level of security and privacy that is provided by Acoustic. Any addition or change to Acoustic’s list of sub-processors is available upon request.

For more information on these written agreements, see IBM Data Security and Privacy Principles: https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1412721510216

Security and Data Access Controls

Acoustic has physical, administrative, and technological procedures in place to ensure that all information processing facilities are secure. Additionally, Acoustic's security standards are audited annually by a third party against the ISO 27001 standards.

Only permanent personnel of Acoustic have access to the personal data that is processed on behalf of its customers. Employees receive training on data protection and other relevant law at least yearly, and often more frequently, face to face, by video, or by online methods. Additionally, Board level employees, management, and IT Security attended GDPR awareness training.

No Acoustic personnel, other than any Services personnel to whom the customer provisioned application-user accounts to help operate their campaigns, have regular access to customer data through the application. To facilitate troubleshooting, the “Become User” feature, the use of which must be explicitly authorized by the user from within the user account, allows Client Support to temporarily view the account “through the user’s eyes” without requiring the user’s password or allowing the export of data; use of this feature is automatically logged in a secure database table and included in reports that are sent to Information Security daily for review.

Direct access to customer data, at the database layer, is restricted to authorized Acoustic personnel whose regular job responsibilities require such access and is reviewed by management and Information Security on a quarterly basis to ensure that the access remains current and appropriate. Access to the infrastructure in the production environments that host customer data is restricted to authorized personnel and requires a secure VPN with two-factor (software token) authentication. To access production servers, which are configured to deny direct logins, administrators must use SSH to connect to a bastion host and authenticate by using LDAP credentials that are independent of those used to access the corporate network; access to network devices is restricted and controlled by TACACS. Policy prohibits the export of customer data from the operating system without explicit authorization from the customer or Information Security. No third parties have access to customer data except as required for the delivery of specific optional services that are authorized in advance by the customer.

For more information about these procedures, see these links:

Information Archive and Destruction

Acoustic does have a data retention policy for all its customers. However, customers manage and can delete or overwrite their data at any time while their service is active. Upon deletion of data from the database, the database and underlying storage reclaim the space and overwrite it with other data, rendering the deleted data unrecoverable. As customer data are stored exclusively on disk, all copies are purged as backups and the replication process overwrites backups. After service termination, the operating system retains any remaining data according to the terms of the Services Agreement. Any data-storage devices that are decommissioned or otherwise removed from service are secured until physically destroyed to ensure that data cannot be recovered. A Certificate of Destruction is obtained for all data-storage media.

Data Subject Rights

Acoustic’s commitment to GDPR readiness page, https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation/, provides information on how Acoustic handles the right of access, the right to object, the right to erasure, and the right to rectification.

Incident Management and Breach Notification

Acoustic performs regular vulnerability scanning and penetration testing of its systems that includes internal and external tests of infrastructure, applications, and hosts by using a Web Application Security Assessment (WASA) on every major release. This assessment is performed by an application-security specialist in Information Security, and at least one assessment per year is performed by an independent third party. The operating system infrastructure and network are subject to attack-and-penetration testing and vulnerability scans by Acoustic personnel at least quarterly and by an independent third party at least annually. All findings from security testing are presented to the appropriate stakeholders for analysis to determine validity and potential risk exposure. Findings that present a risk exposure that warrants remediation are prioritized, placed in the schedule, subject to timing considerations, and tracked through verification of remediation.

Additionally, each Acoustic Cloud service has business continuity and disaster recovery plans, which are developed, maintained, verified, and tested in compliance with the ISO 27002 Code of Practice for Information Security Controls. Recovery point and time objectives for each cloud service are established according to its architecture and intended use and provided in the service description or other transaction document. Backup data intended for off-site storage, if any, is encrypted before transport.

With regard to breach notifications, security incidents are handled in accordance with Acoustic incident management and response policies, which take into account data breach notification requirements under applicable law. The core functions of Acoustic’s global cybersecurity incident management practice are conducted by Acoustic’s Computer Security Incident Response Team (CSIRT). CSIRT is managed by Acoustic’s Chief Information Security Office and is staffed with global incident managers and forensic analysts. National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines for computer security incident handling informed the development of, and remain the foundation of, Acoustic’s global incident management processes.

Your Acoustic sales account team is your primary point of contact when notification needs to be sent to a customer, and is responsible for communications about any Acoustic business impairment that might directly impact customers. Communications are initiated within the Crisis Management Team and managed as part of the Crisis Management Team communications plans.

Privacy Program Management

Acoustic’s Data Protection Authority is in the US and detailed information can be found at https://www.ibm.com/cloud/privacy#AlternateAction

Acoustic's security and privacy principles can be found at https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1412721510216, while privacy policies can be found at https://www.ibm.com/blogs/policy/dataresponsibility-at-ibm/, https://www.ibm.com/cloud/privacy and https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1412721510216

Acoustic also maintains a central Record of Processing Activities (RPA). More information about RPA can be viewed at this link https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation/

How does GDPR in Watson™ Campaign Automation impact consent for EU data contacts that were entered into the system prior to May 25th, 2018?

GDPR requires that marketers establish purposeful consent; it requires that you obtain consent that is “freely given, specific, informed and unambiguous”. Be sure that your opt-in mechanisms require a data subject to explicitly opt in. That means that things like pre-checked opt-in boxes are not going to be sufficient. Many marketers are evaluating their current processes and existing lists of consented contacts to determine whether they meet the expectations of GDPR. Where there is any ambiguity, a good course of action would be to have contacts 're-consent'. You could send an email with a call to action to confirm consent, later removing any contacts who have not confirmed. For anything related to GDPR and privacy, it is recommended that you consult your own legal and privacy counsel to determine what is most appropriate for your company.

If a data source has multiple email address records that are the same, how many of those records are deleted with the Right to Erasure request?

The Right to Erasure request will delete all instances of the email records. For example, if there are 30 instances of the same email address record, all 30 instances will be deleted.
Note: Deleted records are permanent and cannot be restored.