DPO Solutions

We offer both ongoing and ad hoc external DPO services

Dedicated DPO Support

Customers benefit from quick turnaround times, policy and process packages, exec-ready risk and audit reports (with clear actions and practical recommendations), and more

  • 1. Assess

    Assess current-state with a risk assessment which outlines your areas of improvement

  • 2. Fix

    Fix only what's needed. We provide clear steps, templates, and support to make it easy and efficient

  • 3. Maintain

    Keep compliant as your business changes with our dedicated privacy and AI experts

Integrated DPO

  • High quality expert advice

  • Efficiency and automation of a software tool

  • Culture fit + dedication of an internal team member

  • Without high costs or long-term commitments

    • Not all companies formally need a DPO to comply with regulations (contact us to find out)

    • Our DPOs enable you to have the strength of a full privacy and legal data team - for a fraction of the cost. Even if you don't need one to comply, investing in this support typically nets our customers 5x+ ROI from increases in business contracts won

    1. Improved customer conversion + retention. Compliance is a competitive advantage, increases trust and reputation, and is typically required for working with customer data

    2. Legal penalties are expensive and can block a company from certain markets

    3. ROI. Investments in data compliance often provide 5x or more ROI

    4. Time. Doing things right upfront prevents complex and difficult retroactive solutions

    1. Have an internal AI policy and use it - this aligns your company's approved and non-approved uses of AI. This helps prevent confidential or personal data being used in AI tools and large-language-model training (not ideal)

    2. Assess your product's usage of AI for data quality, system monitoring and logging, and meeting transparency requirements (can you show how you got your results?)

    3. Certain uses of AI are prohibited, such as AI that can significantly distort a person’s behavior to cause physical or psychological harm, real-time remote biometric identification systems (for law enforcement), and AI designed to exploit vulnerabilities of specific groups of people

    Engage has thorough and approachable AI assessment processes available to our customers, including but not limited to EU AI Act compliance.

    1. Don't collect more personal data than you really need and delete it once you no longer need it

    2. Secure information from being inappropriately accessed or changed, and ensure it is available when it's needed

    3. Let people know how and why you're using their personal data, and if there's a serious data breach

    4. Perform compliance assessments on high risk activities (i.e. using sensitive data, AI, using personal data for multiple purposes)

  • Compliance can be challenging and differs depending on your company and customers. With that said, some best practices are:

    1. Display privacy notices to end users (and your staff), stating how and why you process personal data

    2. Use a cookie banner and cookie policy if you operate in the US, EU, or UK. Do not pre-opt-in EU/UK users to anything but necessary cookies

    3. Ensure you can provide a copy of (or to delete) anyone's personal data, should they ask

    4. Keep documentation of what personal data you process and why, where it's sent, how long it's kept, and how it's protected

    5. Perform risk assessments when you utilize AI/ML, sensitive data (i.e. health, ethnicity, behavioral data)

    6. Asking for consent? Then make sure you offer a consent-free alternative. Note: consent is required for marketing, biometrics, and any targeting or behavioural analyses

    7. Have staff be aware of when and who to report potential data breaches to

    8. Have contracts with data protection and privacy terms with your suppliers

  • Marketing

    1. Only advertise or track users or their devices when they have consented to this (some exceptions apply in business-to-business situations). Always allow people to opt-out.

    Product

    1. Generally don't use personal data for multiple purposes (i.e. using account data for marketing is not good, since you need consent). Some exceptions include product improvement and analytics

    2. Perform a risk assessment to ensure the product is compliantly used

    HR

    1. Do not utilize employee data for secondary purposes (i.e. monitoring) - ask for consent

    Customer Support:

    1. Keep customer notes professional - these may need to be provided to a customer if they ask for a copy of them

  • US and EU laws are similar but with slight differences, some of which include:

    1. California and EU/UK requirements only apply when you are offering services to (or processing data from) people who live there

    2. California requires some additional opt-out (selling or sharing data to third parties), and allows 15 more days to fulfill data subject rights requests

    3. The US is mostly accepting of marketing to end-users without their prior consent (this is not compliant in the EU/UK)

    4. Cookies: EU/UK requires individuals to opt in before cookies process data. Otherwise, you can usually opt users in to cookies automatically as long as they can also opt out.

Common Data Privacy Questions

Contact us below for more help.

Ad hoc services
Apart from ongoing support, we also offer as-needed services.

  • DPO Support

    DPO | Privacy Office | EU Representative

    ROPA | Personal Data Inventory

    Privacy Training

    Incident / Breach / External inquiry support

  • Assessments

    Company / Product risk assessments

    Remediation and implementation

    Due Diligence

    Privacy Impact | AI Risk and Compliance

  • Documentation

    Frameworks | Policy and Process templates

    Privacy and Cookie notices

    International data risk and transfers

    Privacy audits | Compliance attestations

We ensure data compliance is baked into your business, and that you are well-prepared for any customer or end-user questions around your data practices

Whether you operate in the US or Americas, EU/UK, Asia, or Africa - we provide support for privacy and AI data compliance including:

• EU/UK GDPR

• California CCPA/CPRA; all other US-state laws

• US HIPAA

• Canada, China, other global privacy regulations

• EU AI Act

• Artificial Intelligence and Data Act (AIDA)

• Other AI frameworks