Workspace for GDPR Requests

   Words by CRM Consultancy

   on 09/05/2018 10:00:00

We are living in an increasingly collaborative and connected world where data is more valuable than ever.

This has led to the new GDPR Regulations coming into effect from May which redefine our relationship with data, and establish the Customer as the ultimate controller over their Personal Data shared with a Company.

In a practical sense, this means the Customer has rights for:

  • Data Access Request, allowing the customer to view the data you hold about them.
  • Right to be Forgotten, allowing the customer to request that you delete the data you hold about them.
  • Portability, the right for a customer to obtain the data we hold about them in a format that they can take to another provider if required.
  • Data Classification, the ability to inform the customer why we are holding their data, and justify our retention period.

In order to meet these new requirements we can implement processes within our Company and CRM to make these requests easier.

Your CRM should give you a single view of data and a centralised ‘one-stop-shop’ of your Data Real Estate. However, compliance will be driven by the teams and Users in a business rather than the system itself, so the easier the CRM functionality makes it to handle these requests, the easier it will be for a business to be compliant.

The way we do this

To help with this, CRMCS have added functionality into Dynamics that generates a secure link for a Contact, Lead or other ‘Person’ record (i.e. any record where we may hold Personal Data in CRM) that can be shared with that person as a way of allowing them to see both the Personal Data we hold on them and the Reason why we store this data.

This builds on our experience of the DocMan for Dynamics App in building a unique Public Access Key for each Request that is then valid for a limited period of time.

This request allows the Data Subject to ‘peek’ into the data and documents we hold on them to fulfil Data Access Requests.
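One way a per-request access key with a limited lifetime can be issued and checked, as an added example (this is not CRMCS or DocMan code). The function names, the `Map` standing in for a CRM request table, the 32-byte key size and the 7-day default lifetime are all assumptions.

```javascript
// Added illustration: not CRMCS or DocMan code. All names are hypothetical.
const crypto = require('crypto');

const KEY_BYTES = 32;                        // 256 bits of CSPRNG output (assumed size)
const DEFAULT_TTL_MS = 7 * 24 * 3600 * 1000; // assumed validity window: 7 days

// Only a SHA-256 digest of the key is stored, so a leaked request table
// cannot be replayed as working links.
function digest(key) {
  return crypto.createHash('sha256').update(key, 'utf8').digest('hex');
}

// Create one access request for one Person record and return the key that
// goes into the emailed link. `store` is a Map standing in for the CRM table.
function issueAccessKey(store, recordId, now = Date.now(), ttlMs = DEFAULT_TTL_MS) {
  const key = crypto.randomBytes(KEY_BYTES).toString('base64url');
  store.set(digest(key), { recordId, expiresAt: now + ttlMs });
  return key;
}

// Resolve a presented key to the record it was issued for, or null.
// Unknown, malformed and expired keys all get the same answer.
function resolveAccessKey(store, presentedKey, now = Date.now()) {
  if (typeof presentedKey !== 'string' || presentedKey.length > 128) return null;
  const id = digest(presentedKey);
  const request = store.get(id);
  if (!request) return null;
  if (now >= request.expiresAt) {
    store.delete(id); // expired requests are purged on first use
    return null;
  }
  return request.recordId;
}

// Withdraw a link early, e.g. if it was emailed to the wrong address.
function revokeAccessKey(store, key) {
  return store.delete(digest(key));
}
```

Because the key is the only credential on the link, the Workspace page should return data solely for the record the key resolves to and never accept a record identifier from the URL.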

We can see this in CRM by opening a Lead or Contact, and observing the Share via Workspace action.


Clicking this action generates a new Secure Link and copies this link into the clipboard.

This can then be emailed to the Lead or Contact in question to invite them into the Workspace to view the Personal Data we hold on them and why we hold this data.


There is nothing revolutionary in this idea, as it extends the usual Portal concept to provide a limited page where a Data Subject can view their Personal Data; the difference is the ease with which our User can generate and send out the link.

In addition the Workspace can include Documents (and potentially Emails) so the full portfolio of Personal Data we hold on the Subject is shared, and this transparency can be a useful tool for GDPR Compliance.

As seeing is believing, the video below shows this more visually:

B2B Marketing

The ability to communicate to a Contact or Lead why we hold their data and the purpose of how we use this data is of particular interest to the B2B Marketing Sector. 

Many companies have long lists of Leads that they need to email and communicate utilising an Opt-in or Opt-out policy to ensure they have consent to continue sending email communications to that individual.

We can see this in our day to day lives at the moment from the volume of ‘Keep hearing from us’ or other Opt-in Email Communications that companies are sending out to Contact Lists as a result of GDPR.

There are different schools of opinion on the best way for B2B Marketing Organisations to comply with GDPR – we believe that the Subject Access Request should be a key part of Marketing Compliance. Organisations should offer this type of Data Access Link in their outgoing correspondence to give full transparency on why the contact is receiving this Email. This transparency should detail both the Data Classification and the Rationale for being on the Marketing Lists that the Contact is a member of, and should enable the Contact to remove themselves from a given List should they no longer want to receive Emails for this Rationale.

Full transparency with the Contact then mitigates some of the Opt-in requirements that can be particularly challenging for Marketing Organisations that depend upon the database of Contacts they have built up. But (and it is a crucial but!) the organisation must be able to show why each Contact’s Personal Data is being stored and justify consent, otherwise an Opt-in to obtain this Explicit Consent should be implemented.

Explicit Consent obtained via an Opt-in should then be stored in CRM as the Data Classification for holding that Contact’s Personal Data, as having the correct classification and reason for retention of personal data in CRM is an absolute necessity for future compliance.

Over the last five years we have helped several of our clients transform their approach to Security and Compliance, and so have become a knowledge leader in GDPR and how to manage compliance within Dynamics CRM – if this may be useful to your organisation or you have any queries on GDPR specifically, then please do not hesitate to get in touch with us.

Further Reading

We have been blogging on GDPR for some time, as it is an area that we think connects quite naturally with CRM, and so the following articles on this blog may be useful:

GDPR and CRM

http://www.crmcs.co.uk/content/gdpr-and-crm.aspx

Implementing GDPR with Dynamics

http://www.crmcs.co.uk/content/implementing-gdpr-with-dynamics-crm.aspx 

Alongside wider articles on Subject Access Requests for GDPR:

Right of Access under GDPR from the ICO (Information Commissioner's Office)

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ 

Handling Subject Access Requests (SARs) for GDPR

https://gdpr.report/news/2017/11/20/gdpr-subject-access-requests/