The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The Information Commissioner's Office (ICO) has some great documentation and tools to guide you through what you need to do to get ready for it and what the penalties are if you are found to be non-compliant.
We recommend that you consult a lawyer about what your business responsibilities are and what you need to do to ensure that you are fully compliant by that date. That said…
What are the big questions you need to ask yourself today?
To help you get ready for GDPR, we've come up with a list of questions that you can ask yourself right now to prepare your business for the big day (25 May 2018, if you weren't sure).
Am I at risk?
To answer this question, you will need to carry out a series of assessments of your data. You need to know what data you hold, what risks threaten it, and what the impact would be if it were breached. Once you have that assessment, you can start addressing the risks.
Make sure you document all of this: you need to be able to demonstrate that you know what the risks are and that you have taken appropriate measures to mitigate them.
Do you really need all this data?
Sometimes businesses store data because they can, not because they actually need it. Think carefully about the data you are holding and whether you actually need it.
Getting rid of high risk or sensitive data that you don't need can make your life a whole lot easier.
If you do need it, document the legal basis for retaining it.
Do I have consent for this data?
Consent is one of the lawful bases for processing under GDPR (alongside contract, legal obligation, legitimate interests and others), so first check which basis actually applies to each type of processing you do. Where you rely on consent, you need it from every data subject whose data you process. For online services offered to children, the consent of a parent or guardian is required below a threshold age (16 by default; member states may lower it to 13).
Consent must be specific and informed: the person needs to know what data you hold on them, what you do with it, how long you plan to keep it, and why you need it. Pre-ticked boxes or silence do not count, and you need to be able to show a record of when and how consent was given.
What do I need to document?
The short answer is: everything!
Just a few examples of the important things you need to have documented are:
- What data do you hold?
- Where is it stored?
- Where did it come from?
- Who has access to it?
- How do you process it?
- What would you do if there was a data breach?
- What would you do if someone broke into your office?
- and on, and on, and on…
Do you need a Data Protection Officer?
You must appoint a Data Protection Officer if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data (such as health, religious or biometric data) or criminal conviction data. Size alone does not decide it. Make sure you know whether this applies to you and appoint someone if necessary.
Even if you don't need a dedicated data protection officer, it is advisable to have one or more named people who keep an eye out for data related issues. These are the people your suppliers will email when anything changes, and who do what they can to stay up to date on the latest data protection news.
Who are your suppliers? Are any based outside the EU?
Make sure you know the data protection and security measures of all your suppliers, and document them. (Scroll to the very bottom of this page for an outline of what we do to keep your data safe.)
Take extra care with suppliers outside the EU, especially those storing any of your data. Transferring personal data outside the EU requires either an adequacy decision for the destination country or appropriate safeguards such as standard contractual clauses, and you need to be able to show which one you are relying on. Keep all of this information documented and up to date.
Is your team educated about their responsibilities?
Your team needs to know what rights your data subjects have, what they should do if someone makes a data request, and what your processes are for carrying these out.
Remember, if you aren’t sure about your rights and responsibilities, check out the ICO’s GDPR self-assessment toolkit. This will help you get started with what you as a business need to do.
Steps you can take right now in OpenCRM
We know, we know. It’s a big list of things to do before May 2018. But there are things you can do right now within OpenCRM that will help you meet these requirements.
Check for Duplicates
Having duplicate data is one of the fastest ways to end up with out of date or incorrect information in your system. Although you can pay us to run a duplicate checking script on your data, a cheaper alternative is to export your Leads and Contacts into Excel (or another spreadsheet tool).
Once in a spreadsheet, you can use its built-in tools to find duplicate records. Then, when you've identified them, use the merge functionality in OpenCRM to combine the duplicates into a single record. Remember that the exported spreadsheet is itself a copy of personal data: keep it somewhere protected and delete it once you are done.
Going forward, set up duplicate checking rules (if you haven't already) to prevent new duplicates being created.
Out of Date Information
This is a tricky one to manage as there is a certain level of manual checking required, but there are things OpenCRM can do to make your life a bit easier.
GDPR's accuracy principle requires personal data to be accurate and, where necessary, kept up to date, with inaccurate data corrected or erased without delay. Holding stale information in your system is therefore a compliance issue, not just housekeeping.
When did you last modify the record?
One way to kick off the process is to run a Report or create a Custom View showing Contacts (and another for Leads) that have not been edited in, say, the last 6 months, using the "Modified Date" field. This gives you a starting point: Contacts and Leads whose information may be out of date. You can then contact them to confirm that the information you hold is correct. A recently edited record is not necessarily accurate, so treat this as a filter for where to look first rather than as proof.
Using the Customer Portal
Another thing you can do, of course, is to ask us to enable the free Customer Portal on your system. You can then give all (or selected) Contacts the ability to login to your portal and update their own personal information.
Recording Email Bounces
Both of those options need a level of manual intervention, but this one works automatically. If you email someone whose email address has been cancelled or otherwise no longer exists, you will receive a bounce notification.
At this point OpenCRM does something pretty clever: it removes the address from the email address field, records the date of the bounce and which email bounced, and shows you the history of any previous bounces.
This is recorded on both Leads and Contacts.
In addition to knowing when a person’s email address has expired, you will need to know how they want to be contacted. We have a default field in both Leads and Contacts that will allow you record what an individual person’s contact preferences are.
If there is other preference information you need or want to record for the people in your system, you can of course add as many custom fields as you need to manage this vital information.
Following on from managing contact preferences, you can use the pre-configured click through link (created with our Click Through Wizard) to record that a person wants to unsubscribe from your mailing list. This simply ticks the "Do not Email" box on their record and prevents you from adding them to a Campaign or bulk email.
You can override this prevention screen, but you should only do so where you have a separate lawful basis for that specific message (for example a service notice you are obliged to send). Overriding a marketing opt-out without one would put you in breach of GDPR.
Recording Data Processing Consent
One of the big elements of GDPR is recording the consent you have from the people you hold information on, for each purpose you process it for. As we see it, there are two straightforward ways to capture this in OpenCRM.
Start by working out what kinds of processing you actually do across your various systems (for example marketing emails, sharing data with a partner, profiling). Then add a field per purpose to hold a record of consent (or the lack of it). A simple dropdown with the options "Yes" and "No" will do for many of these questions; a date field alongside it lets you show when consent was given or withdrawn, which you will need if anyone asks.
Once the fields exist, you can either phone everyone and ask them these questions, or send an email with a link to a JotForm that feeds into your system as a way of recording the answers.
Providing a Copy of Personal Information
People have long had the right to request a copy of the personal information a company holds on them (a subject access request), and under GDPR you generally have one month to respond and can no longer charge a fee for it. You have always been able to pull this information out of OpenCRM, but we have made it easier.
All systems on version 3.9.7 or later have a Layout for both the Contacts and Leads modules called "GDPR Personal Data", which contains all of the generic fields that may hold personal information on these records. You can add any custom fields you wish to ensure you are providing everything required. Bear in mind that a subject access request covers all the personal data you hold on the person, so check whether notes, activities, emails and documents linked to the record also need to be included.
If someone requests a copy of their personal information, first confirm that you are dealing with the person themselves (or someone authorised to act for them), then load up this Layout, hit the Print Screen link at the top of the screen, and send the result to them.
Our Commitment to GDPR
In addition to the above things that you can do right now in OpenCRM, we have some other tools driving into the car park (as it were) that will give you a helping hand as well.
Upgrades to our Customer Portal
We are currently working on some upgrades to our customer portal that will give you the following expanded options:
Inclusion of Leads
- Once it has been launched, this enhancement will allow your Leads to access your customer portal
Better account management tools
- Your portal users will be able to reset and manage their own password
- You will be able to enable the auto-creation of portal users from all your Contacts and/or Leads
Mailing List Management
- In addition to tracking unsubscribes generally, as you can at the moment, this new work will allow you to automate subscription to multiple mailing lists.
Data Retention Wizard
We are creating a wizard that will allow you to set up some rules around data retention. This is a big part of GDPR and, although you can do this manually in the system now, we thought it was best to give you the tools to automate this part of your process.
You will be able to choose a module, select criteria (e.g. a Company being set as a Former Client), set an amount of time (e.g. 2 years after the Last Action), and pick one or more actions. So you might want to delete the record, or just remove all linked Contacts, or a combination of several actions.
Basically, this wizard will give you the power to set up the rules you need to follow within your own system.
Right to be Forgotten
Last, but certainly not least, as part of our Data Retention Wizard, you will be able to mark a Contact or Lead as having made a "Right to be Forgotten" request. This will delete the Contact or Lead from your system and will prevent it from being included if and when you choose to restore a backup of your data. Any exports or spreadsheets you have made outside the system are not covered by this, so remember to clear those as well.
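As an added example (not OpenCRM code, and not a description of how the wizard works internally), here is a small Python model of the two ideas described above: a retention rule of the form "module, criteria, time since last action, actions", and an erasure tombstone that stops a restored backup from quietly bringing a forgotten record back. The records, module names, statuses and the `apply_retention`, `forget` and `restore_backup` helpers are all constructed for this example.

```python
# Added example: retention rules plus right-to-be-forgotten tombstones.
# All records, modules and helpers here are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass
class Record:
    module: str                   # e.g. "Companies", "Contacts", "Leads"
    id: str
    fields: dict
    last_action: date
    parent_id: Optional[str] = None   # Contacts link to their Company


@dataclass
class RetentionRule:
    module: str
    criteria: Callable[[Record], bool]   # e.g. status == "Former Client"
    retain_for: timedelta                # measured from last_action
    actions: tuple                       # "delete" and/or "remove_linked_contacts"


@dataclass
class Store:
    records: dict
    tombstones: set = field(default_factory=set)   # ids erased on request

    def delete(self, rec_id: str) -> None:
        self.records.pop(rec_id, None)

    def remove_linked_contacts(self, parent_id: str) -> list:
        linked = [r.id for r in self.records.values()
                  if r.module == "Contacts" and r.parent_id == parent_id]
        for rid in linked:
            self.delete(rid)
        return linked

    def forget(self, rec_id: str) -> None:
        """Right to be forgotten: delete now and remember the id so a later
        backup restore cannot silently reintroduce the record."""
        self.delete(rec_id)
        self.tombstones.add(rec_id)

    def restore_backup(self, backup: list) -> tuple:
        """Restore from a snapshot; return (restored ids, tombstoned ids skipped)."""
        restored, skipped = [], []
        for rec in backup:
            if rec.id in self.tombstones:
                skipped.append(rec.id)
            elif rec.id not in self.records:
                self.records[rec.id] = rec
                restored.append(rec.id)
        return restored, skipped


def apply_retention(store: Store, rules: list, today: date) -> dict:
    """Run every rule; return what each action touched, for the audit trail."""
    log = {"delete": [], "remove_linked_contacts": []}
    for rule in rules:
        due = [r for r in list(store.records.values())
               if r.module == rule.module
               and rule.criteria(r)
               and today - r.last_action >= rule.retain_for]
        for rec in due:
            if "remove_linked_contacts" in rule.actions:
                log["remove_linked_contacts"] += store.remove_linked_contacts(rec.id)
            if "delete" in rule.actions:
                store.delete(rec.id)
                log["delete"].append(rec.id)
    return log


def demo(today: date = date(2018, 5, 25)) -> dict:
    """Constructed data: two former clients, one live client, their contacts, a lead."""
    acme = Record("Companies", "C1", {"status": "Former Client"}, date(2016, 1, 10))
    bolt = Record("Companies", "C2", {"status": "Former Client"}, date(2017, 12, 1))
    live = Record("Companies", "C3", {"status": "Client"}, date(2015, 6, 1))
    jo = Record("Contacts", "P1", {"email": "jo@example.com"}, date(2016, 1, 10), "C1")
    sam = Record("Contacts", "P2", {"email": "sam@example.com"}, date(2017, 12, 1), "C2")
    ann = Record("Leads", "L1", {"email": "ann@example.com"}, date(2018, 1, 1))
    store = Store({r.id: r for r in (acme, bolt, live, jo, sam, ann)})
    backup = [acme, bolt, live, jo, sam, ann]   # snapshot taken before any deletion

    rules = [RetentionRule("Companies",
                           lambda r: r.fields.get("status") == "Former Client",
                           timedelta(days=2 * 365),
                           ("remove_linked_contacts", "delete"))]
    log = apply_retention(store, rules, today)      # C1 and its contact P1 go
    store.forget("L1")                               # erasure request for the lead
    came_back, skipped = store.restore_backup(backup)
    apply_retention(store, rules, today)             # re-run after the restore
    return {"log": log, "came_back": came_back, "skipped": skipped,
            "remaining": sorted(store.records)}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the text: the tombstoned Lead stays gone through a restore, but a record removed by an ordinary retention rule comes straight back from the backup and only disappears again because retention is re-run afterwards. Whatever tool you use, schedule retention to run after any restore, and keep the log so you can show what was deleted and why.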