
Managing GDPR - Easy compliance

I was for a long time guilty of dismissing GDPR as just another Y2K like beano for unscrupulous consultants, but I was very very wrong.

GDPR is coming. The Information Commissioner’s Office has even started advertising it. 25th May 2018 is the date by which ALL your data needs to be compliant with the General Data Protection Regulation.

So what exactly is ‘compliant data’? In a nutshell, it is data, or the details of your clients and prospects, for which you have express consent to hold and use.

GDPR affects EVERY company that processes the data of EU citizens. If you collect personal data – names, addresses, phone numbers, dates of birth, email addresses, etc. – then you will be bound by the rules of GDPR, regardless of the size of your business or where it is located. Brexit won’t change anything.

GDPR changes how consent to hold and use personal data is sought, collected and recorded. If after GDPR you receive a phone call or an email from a company you’ve never given permission to contact you, then that company will be in breach of GDPR. It could be fined substantially: up to 4 per cent of annual global turnover or €20 million.

The days of having to opt out of being contacted are over as of 25th May. After then, it’s opt-in only. Even if you have bought something from a company, under GDPR that company still has to ask you for permission to keep in touch. This is obviously not the way things are now and is one of the major changes. So all those pre-ticked consent boxes that are hidden away at the end of your terms and conditions are out, and you must have an easy way to withdraw any consent you do give.


Ouch: £70K fine for trying to comply with GDPR

Many businesses realised early on that they were not going to comply with GDPR and started contacting all their clients to gain express consent to keep in touch with them. Hopefully they didn’t do what Flybe did, contacting people who had already opted out of receiving emails from them, for which the airline was fined £70,000 by the ICO.

But GDPR compliance isn’t just about gaining consent. It’s also about keeping records of that consent and having in place a process by which information held about a person can be deleted on request, moved to another organisation or details of it disclosed to the owner of the information.

In other words, you are going to need a failsafe process to manage your GDPR compliance, and that process will need to be employed company-wide so that whoever needs to access the personal data held on your clients has all the information they need about the status of that data at their fingertips.


Is your CRM GDPR compliant?

Customer relationship management (CRM) systems in general do a great job of storing data. But they aren’t automatically GDPR compliant. Your data protection policy will dictate the extent of the data you are reasonably allowed to collect, and the length of time for which you are reasonably allowed to keep it.

So, if you identify that the only data you reasonably need in order to deliver the required service to your clients is a name, an address and email contact details, then your CRM system must be configured only to accept those details, and nothing more. Configuring a system to ONLY accept those details rather than relying on staff following policy is far less risky.

Question: Can your CRM system be configured in this way?

The source of the records you hold and the consent you obtained to keep in touch must be recorded. You may need to present them as evidence in case of a complaint.

Question: Does your CRM system allow you to record where, when and how a record got onto your system?

And can it store copies of the consents you obtained against the record entry, such as screen grabs of online forms or scans of printed forms?

As we said a few paragraphs back, GDPR only allows data to be retained for a reasonable period of time. How long this is depends upon your specific commercial needs and the type of product or service you supply.

If for example you are in the business of supplying goods with a warranty, then in theory there is no reason for you to retain the details of a client for any longer than the warranty period. If you feel that you should be retaining details for an extended period then your data policy will need to set out good reason for it.

Question: Does your CRM system alert you to data expiry dates so that you are prompted to delete data that is no longer reasonably required?

With GDPR comes the right to be forgotten. Individuals now have the right to demand that all data held on them is removed from a system.

Question: Does your CRM system allow you to accurately identify the person making the request so that the correct data is removed?

Is it easy to cross-reference your system to ensure there are no duplicate entries that are missed?

GDPR provides free access to information. This means that any individual can demand to see a copy of all the information held on them by a company.

Question: Is it straightforward for you to derive the necessary information from your CRM system following a request?

Under GDPR, individuals are allowed to obtain and reuse their personal data across different services. In other words, they can copy, move or transfer personal data from one supplier or service provider to another, safely and securely, without any interruption in usability.

Question: Does your CRM system allow for the safe and secure transfer of data on request to another IT environment?
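As an added illustration, not part of the original article or of any CRM product it mentions, here is a minimal Python consent registry showing how the questions above can be answered in code rather than by policy: a field whitelist enforced on entry, consent provenance stored with each record, a retention expiry date, erasure that also catches duplicate entries for the same person, and a portable export. The permitted field list, the retention period and the evidence references are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import date, timedelta
import json

ALLOWED_FIELDS = {"name", "address", "email"}  # assumed data policy: nothing else is accepted

@dataclass
class Consent:
    source: str        # where the record came from, e.g. "website signup form"
    method: str        # how consent was given, e.g. "unticked opt-in box"
    obtained_on: date  # when it was given
    evidence_ref: str  # pointer to the stored screen grab or scanned form

@dataclass
class Record:
    data: dict
    consent: Consent
    retain_until: date  # after this date the record should be deleted

def normalise_email(email: str) -> str:
    return email.strip().lower()  # one key per person, so duplicates are not missed

class ConsentRegistry:
    def __init__(self, retention_days: int):
        self.retention_days = retention_days
        self.records: list[Record] = []

    def add(self, data: dict, consent: Consent) -> Record:
        extra = set(data) - ALLOWED_FIELDS  # enforce the policy in code, not by staff discipline
        if extra or "email" not in data:
            raise ValueError(f"data does not match policy; unexpected fields: {sorted(extra)}")
        data = dict(data, email=normalise_email(data["email"]))
        rec = Record(data, consent, consent.obtained_on + timedelta(days=self.retention_days))
        self.records.append(rec)
        return rec

    def expired(self, today: date) -> list[Record]:
        return [r for r in self.records if r.retain_until <= today]  # prompt for deletion

    def erase(self, email: str) -> int:
        key = normalise_email(email)  # right to be forgotten: every copy for this person
        before = len(self.records)
        self.records = [r for r in self.records if r.data["email"] != key]
        return before - len(self.records)

    def export(self, email: str) -> str:
        key = normalise_email(email)  # subject access / portability: a portable JSON copy
        found = [r for r in self.records if r.data["email"] == key]
        return json.dumps([asdict(r) for r in found], default=str, indent=2)
```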

So there we have lots of questions. The good news is that in answer to those questions, the maxxpal X Cloud Platform says YES.

What’s more, the contact management feature of the maxxpal X Cloud Platform shows at-a-glance the GDPR status of a data record and the required date of re-gaining consent.

First published: November 2017 | Author: Anthony Kirrane.

For all enquiries email hello@ban.gl