General Data Protection Regulation (GDPR) is a regulation adopted by the EU Parliament and Council which protects personal data of EU citizens . It was passed into legislation on May 2016 and will be moving into full force starting May 25, 2018.

While this is not the first law aimed at protecting personal data in EU, GDPR consists of regulations which are changing the privacy landscape dramatically. The regulation applies any organization or body operating in EU but it also includes any worldwide organization or entity that operates with EU citizen’s private data. GDPR also defines expensive fines for any breach of compliance – €20 million or 4% of a company’s global turnover, whichever is higher. It’s no wonder with these 2 facts alone that the regulation has attracted a lot of attention.

This document is created to help organization using CRM prepare for GDPR compliance. It covers the CRM software and describes how to use CRM features to perform preparation activities and routine tasks needed for GDPR compliance. However, it does not describe processes inside your organization which needs to be performed both at preparatory stage and thereafter. This whitepaper is based on the UK Information Commissioner’s office recommendations and checklist.

You can also find more information about GDPR at the EU GDPR Portal.​

This section provides guidance for performing actions required by GDPR for both before and after May 25, 2018 when the regulation goes into effect.

GDPR guides and checklists recommend performing an organizational data audit in order to identify all components and systems used in your organization that store and process personal data. By its nature, the CRM software collects, stores and processes personal data of your customers. Your organization needs to discover and document the systems, components and physical elements of your infrastructure which store personal data of your customers. That is why we documented these software components for your convenience.

CRM use the following entities to store personal data:

There are also special cases like:

The specific structure of these entities depends on the particular configuration of your CRM instance. You can use the Entity management​ feature or CRUD form to inspect the content of each entity.

During data audit, we advise you to set the property Auditable​ to True​ for all entities containing personal data. This will enable data audit trails for tracking personal data changes inside your CRM.

All data for CRM entities is stored in the database (MySQL or PostgreSQL – depending on the specifics of your deployment).

Web server access logs, as well as any other system logs configured by your organization’s sysadmins, can also contain personal data as a part of a request or query so these logs must also be reviewed during the audit.

CRM uses different integrations with identity providers and services, e-marketing sending systems, e-commerce and help-desk systems . This means that CRM can perform personal data exchanges with these systems so you need to define which data is sent, provide this information to users (if requested) and develop a process for coordinating user’s requests with this systems (e.g. deleting personal data).

CRM does not allow users to create their own record so it is the responsibility of the person who creates a new record in the CRM to collect consent from your customer for the storing and processing of their personal data.

However, existing CRM data may contain where user consent needs to be collected before May 25 2018. We recommend creating a Segment​ containing such users (e.g. citizens of EU country) and sending them an email using our Marketing campaign​ feature. All replies consenting to storing and processing their information must be handled by your team. The way to store customer consents in CRM is described in the next section.

In order to store and present user’s consent for personal data processing, you need to create the additional boolean field for every module listed in the module manager section. This can be done using the module manager -> Create field feature. We recommend using checkbox type. We also recommend setting field properties Show on view​ and Auditable​ to Yes​.

Since this field’s default settings is No​, a person creating a new record with personal data must explicitly set it to Yes​ if consent is given by the owner of this personal data.

Having this field added to all modules storing personal data will enable your organization to create a report for GDPR compliance.

In the following sections, we will provide Variance InfoTech Pvt Ltd’s recommendations for executing actions from user requests for exercising all personal data protection rights declared in GDPR.

Under the GDPR regulation, a person has the right to confirm if his/her personal data is stored and processed. The person also has the right to get access to this data including information about exact data structure. This right can be requested in many different ways.

CRM supports easy-to-use yet powerful search capabilities which help find all modules records related to the particular person requesting personal data information. You can use the CRM Reports or Export option from module to inspect, collect and export information about personal data stored.

GDPR protects the right for an individual to correct personal data if it is incorrect or outdated. This can be done by a special request. CRM search and CRUD tools are perfect for fulfilling these requests. Your personnel responsible for user data management can rectify the personal data in the system.

One of the newest requirements in privacy protection is the right of individuals to obtain and reuse personal data in the other system or organisation.

From a technical point of view, this means that your organisation must be able to export personal data into a machine-readable format. While the exact format is not yet defined by regulators, CRM is able to export any entity into CSV format using the standard Export feature. CSV format is currently a suitable format for personal data portability.

GDPR outlines that a person can ask for their personal data to be deleted from informational systems.
The task of personal data erasure has many different aspects. Here are the points to execute and consider:

CRM stores personal data in entities described in the Data Audit section of this document. All records in entities containing personal data can easily be found using the Search feature in our system. All entities supports deletion of a record making it simple for authorized users.

You need to request data erasure from systems and integrations connected to your CRM instance using the communication procedures developed during data audit.

At the moment GDPR does not contain any direct requirements to cleanup backups which can be a technical challenge . However, keep in mind that a system failure and DB restore can happen right after data removal which will cause the restoration of deleted data. This is why we recommend keeping requests for erasure open until the next cycle of a DB backup process and check if the personal data has actually been deleted before closing this request.

Here is an example of a process where a system backup is made every night outside of business hours:

It is also good idea to develop procedures for restoring databases using backups older than regular ones (e.g. if your organisation decides to rollback the database and restore a 2 month old backup).

GDPR strictly prohibits the transfer of personal data outside of the EU. If your company is a US-based company with technological centers located outside of th​e EU. That is why we ask you to obfuscate any production data (like DB dumps, reporting, etc.) to minimize the spreading of sensitive data.

CRM by it’s business function does not handle any module containing personal data which can have a kind of expiry date. Your organisation can consider cleaning contacts and other entities using any criteria through our filtering capabilities. In addition, it is recommended for users to proactively check if the data they collect is necessary for the business. Identifying unused data can reduce risk and the amount of work for purging data.

In order to be compliant with GDPR your organisation needs to perform preparation steps to be ready for GDPR enforcement on May 25, 2018 and implement routine processes that address GDPR requirements.

Do You Need more information ?

For any further information / query regarding Technology, please email us at info@varianceinfotech.com OR call us on +1 630 861 8263, Alternately you can request for information by filling up Contact Us