GDPR Compliance and CRM
If you are using a CRM system and/or an email marketing system then the GDPR legislation is very important to you and your organisation. The EU data protection reform was adopted by the European Parliament and the European Council on 27th April 2016. The European Data Protection Regulation – ‘EDPR’ will be applicable as of 25th May 2018.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. It will replace the older Data Protection Act from the late 90s. It is intended to provide the protection of individual’s personal data and is also designed to ‘harmonise’ data privacy laws across Europe as well as give greater protection and rights to individuals.
The Main Principles of GDPR
Any data you collect or control must pass the following test, otherwise it should be deleted.
a) Processed lawfully, fairly and in a transparent manner in relation to individuals; You need to be upfront about using an individual's data in a lawful manner and let individuals know how you intend to use the information and why.
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; After being transparent about how and why the data is used, you must not use it for other reasons.
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; You should not control data that has no purpose. For example, you would not hold information about height, hair colour, age and religion if it has no bearing on what you do.
d) Accurate and, where necessary, kept up to date; Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; There are some exceptions to this. For example, where data is stored for the benefit of public interest.
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Grounds for Processing Data
Once you have tested the data you store or control using the principles above, then you can only use or process the data using one or more of the following grounds. These grounds must also be documented and evidenced to show any authority or the subject to which it relates.
1. Consent
2. Performance of a contract
3. To comply with legal obligations
4. To protect the vital interests of the data subject or other people
5. To perform a task in the public interest
6. Legitimate Interest
(Pursued by the controller or third party, except where such interests are overridden by the interests or rights and freedoms of the data subjects)
GDPR and Brexit
What about the UK leaving the EU….does this have implications? If you process data about individuals (a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address) in the context of selling goods or services to citizens in other EU countries then you will need to comply with GDPR and the UK government has said it will support the GDPR legislation. When the regulation comes into effect, the UK will still be part of the EU, so you must be compliant. In the UK, there is still 'PECR' regulation in place - In B2B, the Privacy and Electronic Communications Regulations. PECR works on an 'opt out' basis - e.g. You gain someone's email address from an exhibition, you enter that person into your database/CRM, you then can freely email that person until they opt out of your mailings. It is assumed because it can be proved they had an interest in your product/service, you can send them emails about that product or service, perhaps using Legitimate interest. This may change in the future. This is not the case though if you choose to process data using the grounds of consent. PECR does not overrule GDPR. Processing data has to pass the test under both sets of legislation.
What are the penalties for non-compliance?
Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
How can my CRM system help with GDPR compliance?
1. Your CRM system can be a vital tool to gaining and maintaining GDPR compliance. Your policies will dictate what the systems need to do to support your compliance position. For example, simply having a CRM system that collects personal data doesn't make it compliant. If your policies state that you only need name, address and email information to carry out the required management/service to your customers, then your CRM needs to be configured such that this is all it is able to store. Your CRM should not allow users to enter personal details such as age, marital status etc. beyond that; otherwise your CRM system is clearly not compliant, because it is not following the policies which have been defined around the agreed business need. There is then the associated data, such as emails and transactional history like Orders, Cases, enquiries etc., to consider. All Users of the CRM system need to be informed and trained on the implications of GDPR and the use of the CRM system. So....a CRM system will hold records about individuals you sell to. It is important you can identify where, when and how the record got into your system. Typically the 'Source' field of a Lead or Customer record is going to answer that question.
2. Marketing via Email: If you use your CRM system to market via Email then you need to implement an Opt-In process for gaining permission to email to that individual and stating when you gained that email address for your list, and what you intend to do with that address. E.g. If you get the individuals details about Product A and then you start emailing them about Product B, this could be deemed as a breach of GDPR. By using a double opt-in, not only has a user subscribed to a newsletter, mailing list or other email marketing messages by explicit request but he or she also confirmed the email address is their own in the process. Wizard Systems can help you implement a double opt-in solution for your CRM if you do not already have one.
3. How long can CRM hold a person's data? The GDPR legislation has rules around the policies which mean that, depending on your specific business needs, there may be limitations in terms of the extent of this data, the length of time it may be reasonable to hold this data etc. The legislation indicates that, say, beyond a product warranty period there would be no reasonable need for a company to retain that person's data. Your policy would need to state a case as to why a longer retention period is appropriate. However, with just the subject area of emails, there is complexity. Does this include all emails a person has simply been copied on? If emails are stored in CRM, then there is the double issue of managing this whole area in both your email service and CRM.
4. But what do I do with the data in the backups? There is also the consideration of backups and archiving, and this will apply to CRM as much as any other application. So, when for example you are using an online hosted instance of a CRM, you need to understand what the archiving and backup processes of that online system are, such that if your policies state that you will delete any records of a certain nature that are greater than N years old, then that can be done, and you know that it will also be done in the backups and archives taken of your online instance.
5. The right to be forgotten. Similarly, when it comes to an individual requesting an update of their information, a report of what information you hold on them, or the right to be forgotten, then your policies need to define the requirements that your system needs to be able to support. Clearly, good data quality, a subject very close to our hearts, is going to be an even greater requirement for GDPR than it has been to date simply to make CRM work efficiently. When such requests are made, high quality data will make it easier to ensure you identify the right person and that that person only has one record in your system. Therefore, any actions required can be carried out in confidence, knowing that if a person simply requests not to be contacted, i.e. unsubscribes, then because there is only one record they will not go on receiving communications through a duplicate entry in the CRM that was missed.
6. Review your user's access rights - look at all your users and which access rights they have to your CRM system. Good CRM systems will allow different levels of user access to be defined - who can see what information, change it or delete it.
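A minimal consent ledger, added here as an illustration (it is not code from Wizard Systems or any CRM product), showing the double opt-in from point 2, the purpose limitation it describes (consent for Product A does not cover Product B) and the unsubscribe/erasure from point 5; the signing key, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed signing key for this illustration; in practice it lives in a secrets store.
_KEY = secrets.token_bytes(32)

def at(iso):
    """Parse an ISO-8601 timestamp, so callers can pass plain strings."""
    return datetime.fromisoformat(iso)

def _mac(email, purpose, nonce):
    # Confirmation token bound to the address, the purpose and a per-request nonce.
    return hmac.new(_KEY, f"{email}|{purpose}|{nonce}".encode(), hashlib.sha256).hexdigest()

class ConsentLedger:
    """Per-contact record of source, pending opt-ins, confirmed consents and last activity."""

    def __init__(self):
        self.contacts = {}  # email -> {"source", "pending", "consents", "last_activity"}

    def start_opt_in(self, email, purpose, source, now):
        """Step 1 of double opt-in: explicit request logged, address ownership not yet proven."""
        c = self.contacts.setdefault(
            email, {"source": source, "pending": {}, "consents": {}, "last_activity": now})
        nonce = secrets.token_hex(16)
        c["pending"][purpose] = (nonce, now)
        return _mac(email, purpose, nonce)  # this value goes into the confirmation link

    def confirm_opt_in(self, email, purpose, token, now, ttl_hours=48):
        """Step 2: the mailbox owner used the link, proving the address is theirs."""
        c = self.contacts.get(email)
        if not c or purpose not in c["pending"]:
            return False
        nonce, issued = c["pending"][purpose]
        if now - issued > timedelta(hours=ttl_hours):
            return False  # stale link: the request must be made again
        if not hmac.compare_digest(token, _mac(email, purpose, nonce)):
            return False  # forged or mismatched token
        del c["pending"][purpose]
        c["consents"][purpose] = now  # evidences when consent was gained and for what
        c["last_activity"] = now
        return True

    def may_email(self, email, purpose):
        """Purpose limitation: consent gained for Product A does not cover Product B."""
        c = self.contacts.get(email)
        return c is not None and purpose in c["consents"]

    def withdraw(self, email, purpose=None):
        """Unsubscribe from one purpose, or erase the whole record (right to be forgotten)."""
        if email not in self.contacts:
            return False
        if purpose is None:
            del self.contacts[email]
        else:
            self.contacts[email]["consents"].pop(purpose, None)
        return True
```

Keying every record by email address is what keeps each person to a single entry, so an unsubscribe or erasure cannot be missed through a duplicate; backups and archives still need their own retention handling as point 4 notes.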
If you want to know how to adopt the principles of GDPR in your CRM system, please contact Wizard Systems. If you are looking for a new CRM solution which is GDPR compliant, contact Wizard Systems.
Good resources...
https://dma.org.uk/gdpr
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
And 12 steps to prepare for GDPR...
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
This article is for informational purposes only and is not official legal advice for your company.