
GDPR and CRM

Words by Paul McQuillan on 26/02/2018 09:00:00

Data is more important than ever – and so how we store and use data is under increasing scrutiny.

In a way, the last 15 years have seen a kind of 'data wild west' where companies could collect, use and store data in any way they like without worrying unduly about the consequences.

But with increasing interconnectedness and analytic power in big data, the value of data has risen dramatically, and now companies must show that this data is stored securely and that ownership of it resides with the consumer – not solely with the company that happens to be holding it.

This is part of the process that has led to GDPR: regulation taking steps to ensure that customer data is stored both securely and in a well-governed structure, so that a company can respond to a customer's request to view, amend or completely delete the data held about them.

GDPR is likely the first step here in ensuring that the value of our data is respected and that it is not left vulnerable to misuse.

In a way this is not new for the CRM world, as it mandates that we hold our data in a more customer-centric fashion and place the customer at the heart of how we store their data – but to be compliant we must understand GDPR and the requests it places on us.

To help us here, we have documented some of the key tenets of GDPR below. As this involves compliance, it is an area where doing your own research and working with good, trusted suppliers is crucial; however, the following is aimed at being a good summary:

Storing Data

We should have a documented map of our data: what we hold, and where it is stored.

Where data is communicated to 3rd Party companies or structures, this should be documented, as it remains our responsibility to correct inaccuracies or communicate changes.

Our Data Protection Officers should know the different points of storage and the key suppliers involved, so that they are fully aware of how we store data and of any implications of our approach.

We should think of our Data Real Estate as the totality of the data we store on individuals – this includes both the structured data we hold in CRM, ERP or other Line of Business systems and the unstructured data we hold in documents, spreadsheets and email attachments.

Both structured and unstructured data constitute the data we hold on individuals, so both must be compliant with GDPR – this makes the use of loosely structured or ad-hoc file shares difficult, as they may store an individual's data without any reference back to that individual when a Data Access Request arrives.

Data Access Requests

Individuals may request a copy of the data we hold on them.

Similarly, individuals may also invoke their ‘right to be forgotten’ as a way of requesting that an organisation delete or remove the data it holds about them.

To handle these Data Access Requests, we should have an Access Request Process in place between our Data Protection Office(s) and our Suppliers to accommodate such requests – and these should be completed within 30 days.

Privacy Notices explain to data subjects the Legal Basis for storing and processing their data, including our retention period for this data.

This gives the data subject the following rights:

  • subject access
  • to have inaccuracies corrected
  • to have information erased
  • to prevent direct marketing
  • to prevent automated decision-making and profiling
  • data portability

Many of these points are similar to the earlier Data Protection Act that GDPR effectively replaces – however, the right to data portability is new. This is an enhanced form of subject access where we have to provide the data electronically and in a commonly used format.

Many organisations will already provide the data in this way, but if we currently use paper print-outs or an unusual electronic format, now is a good time to revise our procedures and make the necessary changes.

Security

Have a documented process for Data Breaches and, ideally, a Security Incident Register shared between yourself and your suppliers.

Have the relevant contracts in place with IT and Data Suppliers, preferably for a 3-year period, for continuity and robustness in our approach.

Have a Data Protection Officer armed with the right tools and knowledge to take responsibility for how your data is protected and stored.

Remember that your security is only as good as your weakest link – and so again, a good awareness of your Data Real Estate is key to ensuring we have sufficient security and knowledge of potential breach points.

Limiting the number of systems and touch-points for data storage will then help us stay secure.

Penetration Testing and working with strong Hosting Partners or Cloud Service Providers will help manage the complexity of modern system security and good data storage.

What defines Personal Data?

Any information relating to an identified or identifiable natural person – this covers a range of possible identifiers such as a Name, any Online Identifier (such as an IP Address) or Locational Data.

Personal data may be processed only where one of the following lawful bases applies:

Consent – the data subject whom the personal data is about has consented to the processing

Contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

Legal obligation – processing is necessary for compliance with a legal obligation

Vital interests – processing is necessary to protect the vital interests of the data subject or another person

Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business

Legitimate interests – processing is necessary for the purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

What defines Sensitive Personal Data?

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. In summary:

(a) Racial or ethnic origin of the data subject;

(b) Political opinions;

(c) Religious beliefs or other beliefs of a similar nature;

(d) Membership of a trade union;

(e) Genetic or biometric data;

(f) Physical or mental health or conditions;

(g) Sexual life or orientation.

Previously, data on prior criminal convictions was considered sensitive personal data; under GDPR it is tagged separately and subject to higher protection controls.

Sensitive personal data may be processed only where one of the following conditions applies:

Explicit consent – the data subject whom the sensitive personal data is about has given explicit consent to the processing (unless reliance on consent is prohibited by EU or Member State law)

Employment, Social Security or Social Protection Laws – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject

Vital Interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent

NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent

Public – processing relates to personal data manifestly made public by the data subject

Legal Matters – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Public Tasks – processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Medical Purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional (provided that professional is subject to the obligation of professional secrecy under EU or Member State law) or by another person also subject to an obligation of secrecy under EU or Member State law

Public Health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

Archiving, Research or Statistical Purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

As a follow-up article to this information, we can also look at how Dynamics 365, SharePoint and supporting Apps can help meet these points for GDPR Compliance.

Further Reading

GDPR is a hot topic at present (to say the least!), and so there is a wealth of information available to us.

The most useful if lengthy read is the original legal document itself: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Content © CRM Consultancy.