Bloomreach's DPIA guidelines

Guidelines to assist you with Data Protection Impact Assessment


Please note

These guidelines are not legal advice; they are intended to assist you in completing a Data Protection Impact Assessment (DPIA) when using Bloomreach Engagement as your Processor. The completion of a DPIA is your legal responsibility as a Controller.

When working with Bloomreach Engagement, your Data Protection or Security team may request information to complete a Data Protection Impact Assessment or "DPIA". This task is down to you as the collector and Controller of the data, but as a privacy-driven provider, we have created this guide to answer questions you may have when carrying out this assessment to work with Bloomreach Engagement. Below, you will find the information divided into several steps outlining the process of completing the DPIA.

If you are looking for further assistance with Bloomreach Engagement security in general, our security pages or SmartSecure reports might be helpful.

Step 1: Identify the need for completing a DPIA

First, you need to indicate why you have decided to complete a DPIA for working with Bloomreach Engagement and for this data processing. At this point, you could refer to why you have begun the process of a DPIA based on your reasons for using Bloomreach Engagement as a processor.

Step 2: Explain the processing

When discussing your processing, you should explain what data is being used, how your customer data is used, why the data is processed, and the overall data flow.

Bloomreach Engagement can ingest any data which you provide, including identifiers, properties and events, and creates actionable customer intelligence. As a result, the specific what, how, and why, and subsequently this section of the DPIA, differ between our clients, depending on their use cases. Remember that the core aim of completing a DPIA is to illustrate how personal data will move between tools and persons.

What data is being used in our data processing?

The answer to this question will be different for each of our clients' magical campaigns, but could include:

  • Personal data about your customers (such as email, full name, address)
  • Customer browsing behaviour and information collected through our Bloomreach Engagement cookie (such as clicks, time on page, referrer)
  • Any other information you collect and choose to process via Bloomreach Engagement

Be sure to also mention whether you are processing any high-risk (e.g. health) data or minors' data.

How is the data being used?

How long are you retaining the data?
You should specify how long specific data will be held. Inside Bloomreach Engagement you are able to set an expiration date on event types at your discretion.

How transparent are you with your customers about your data processing?
Highlight how you indicate to your customers that you process their data. This could be, e.g., via a cookie banner or privacy notice.

How can customers control the use of their personal data?
Indicate how your customers can adjust how you handle their data and what actions they can take to exercise their rights in this area. This could be, e.g., requesting to delete their information by emailing you.

Which other parties are receiving the data?

The core of a DPIA is to illustrate how personal data will move between tools and persons. In this regard, Bloomreach Engagement relies on several subprocessors to operate, the list of which can be found here. A more detailed description of Bloomreach Engagement's data flows can be found here.

If you require further information on our infrastructure, IT architecture, and technical and organizational security measures, our SOC 2 report will help. You can obtain our SOC 2 report under an NDA after contacting our team.

As a reminder:

  • Bloomreach Engagement relies on GCP (Google Cloud Platform)
  • Bloomreach Engagement utilizes data centers in the US, UK, and the EU depending on your agreement with us
  • Bloomreach Engagement deletes data according to our DPA agreed with you

Step 3: Consultation process

In this section, you can mention who in your company you have engaged in the DPIA process, such as your Legal team, Customer Success, Security, and Data Protection team.

Step 4: Necessity and Proportionality

By completing the necessity and proportionality assessment, you can indicate that you have considered if people’s rights will be affected by your processing and how to protect them. Necessity and proportionality can be split based on the assessment. This assessment is dependent on your use cases, and in case you require assistance, our team would require further information on your data flows.

You can mention Bloomreach Engagement's capabilities in data minimization, the ability to protect users' rights under GDPR, and other data protection features.

Other points to remember

Is there an alternative way to process specific data?
For example, you could ask users to specify items they purchased after purchasing something else (zero-party data). You could justify doing this as long as you can show you have balanced necessity and proportionality.

Have you covered all the purposes the data is to be processed for?
To process data for a different reason, you need to ask for consent or be able to fit under another legal basis such as legitimate interest.

Have you notified your customers in a transparent way about processing?
As a Controller, you have to make sure to let your customers know how you are processing their data and to update your privacy policy and cookie notice.

Step 5: Identify and assess risks

At this point, you have explained what data you are processing, why you are processing it, and how you are protecting individuals. Now it is time to evaluate whether the processing opens any risks.

Some categories of risks could be:

  • Access management
  • Third-party access
  • International data transfers
  • Appropriate security standards
  • Business continuity
  • Incident response and management

Step 6: Identify measures to reduce risk

At this stage, you can think about and highlight any approaches you are taking to reduce these risks. Some buckets that these measures could fall into include:

  • Access management (e.g., using our role-based access or flagging PII to only allow selected users to see it)
  • Security measures (including Audit log, Vulnerability scan, VPN, Bloomreach Engagement Single Sign-On, Captcha, DDoS Protection, SSH tunnels, Integration Protection and Logging or more depending on your instance)
  • Data transfer mechanisms such as standard contractual clauses (SCCs) for data transfers

For further technical details it may be helpful to request our SOC 2 report (conditional on NDA) - just let us know and we can provide it to you.