GDPR Compliance with SugarCRM

As we mentioned in our previous blog post (link to part I), EU citizens are sceptical about the processing of their personal data by tech businesses, and this scepticism is what led the EU to introduce the GDPR regulations.

However, you need to look at the positive side of GDPR compliance. Even if GDPR regulations appear to be constraining at first, you might eventually realize that you can use it as a competitive advantage. GDPR is an opportunity to re-establish a relationship of trust with your EU customers. Plus, full transparency can actually be an incentive for individuals to share their data more easily. So more than ever, companies will be able to keep on studying behaviours and adapt their value proposition.

The compliance checklist
Compliance with GDPR has the potential to actually improve the customer experience, which is why this approach should be considered strongly.

Here is a general GDPR compliance checklist:

  1. Start with a Personal Data Audit
  2. Create a per-data-subject list of relevant processes
  3. Document Consent or Lawful Usage
  4. Initialise SugarCRM for capturing and documenting GDPR Processes
  5. Transfer the first three steps into SugarCRM
  6. Implement an ongoing process for the first three steps to be updated in SugarCRM
  7. Define processes for data-subject requests
  8. Establish Internal Notification/Change Processes

Why should SugarCRM be at the core of your GDPR compliance plan?
A modern CRM system like SugarCRM can provide so much more than just capturing data. It can provide lead qualification processes, opportunity tracking systems, case resolution scripts, yearly account plans and even customer journey maps. The SugarCRM structure is ideal for satisfying many GDPR requirements. It can be used not only to maintain compliance in the use of the personal data it holds itself, but also to consolidate other important systems’ data to meet GDPR requirements.

For this reason, there is no doubt that SugarCRM can greatly reduce the stress and work required to comply with GDPR, and that it has the potential to actually improve the customer experience along the way. SugarCRM can help with both one-time and ongoing requirements across the organisation to support GDPR.

Before May 25th 2018, businesses will need to carry out a number of activities to investigate the degree of compliance of existing systems and processes. In addition, they will want to ensure the existing processes – as well as any new ones – support GDPR compliance in an ongoing way.

1. Personal data audit

The first thing on your GDPR checklist should be a personal data audit. This involves identifying all systems and processes throughout the organisation to identify which personal data is collected and stored and how it is used (such as profiling). You will want to document the exact nature of that data, how it was collected, how it is used and whether the data ages and gets removed when no longer relevant.

A typical organisation will have collected personal data in many places such as marketing systems, including marketing automation and online systems, sales and service systems, financial systems that involve payment and/or risk, warranty or support systems, and other operational transactional systems. You will also need to identify any systems that contain those special categories of personal data and how – if at all – that data is being used. This is related to the processing of special categories of personal data.

2. Automatic profiling audit

Another important topic in the audit will be identifying where automatic profiling happens. Automatic profiling means rules and algorithms, data mining, machine learning and statistics that make decisions without the intervention of a human being.

Automatic profiling may be used in campaign management, marketing automation, CMS and web systems, omni-channel marketing, analytics and predictive analytics: anywhere that personal data is used to build a model for predicting an outcome or for categorising an individual, and where that information is then used automatically to take an action.

Since a data subject has the right to know about automatic profiling and to specify that they do not want it, it is important that you have the information captured in your audit. It not only helps you to document the “latest” but provides a basis for the ongoing activities you will need to perform to stay compliant as new systems and processes are added.

3. Per-data-subject identification

Not all systems and processes containing personal data will apply to all data subjects, so the next step is to extract a list of all data subjects who are affected by a given system or process. These lists can then be combined so that you can identify – for any specific data subject – exactly which processes and systems use personal data and how.

Why is this important? Because of all the Articles that give rights to a data subject, an individual. Those individuals are not interested in the organisational strategy surrounding GDPR; they want to know specifically what affects them personally. Any preliminary work you can do now to make the task of surfacing this information to the data subject easier will be time well invested for later.

This is where SugarCRM provides great value, because if you have that list of processing per data subject you can attach a record of all that information to each data subject in the CRM system. With the processes in place in SugarCRM, this can become a fully automated process using existing tools.

4. Obtaining Consent or Documenting Lawful Usage

One special case of documentation will be around one of the strongest concepts in the new law: Lawfulness of processing. This means either gaining permission to capture and process data in specific ways, or alternatively documenting which subsection of Lawfulness of processing applies so that consent is not required.

While most people are accustomed to opt-in arrangements via cookies, the requirements of this article go much further by requiring companies to be extremely clear about what they are collecting, how they are processing the data, and where they intend to use it. They will also have to do a much better job of documenting the mechanisms used to surface and capture the responses. In more complex organisations, there may actually be multiple explanations and permissions that need to be surfaced and captured.

5. Satisfying Data Subject Requests

If you have implemented the steps suggested above, you have already captured all relevant personal data and related topics. You now need a process for handling each request: capturing the request, consolidating the required information and taking appropriate steps when required, creating a confirmation for the data subject, having that response manually authorised by an appropriate person internally, sending the relevant confirmation on approval, and logging each step of the process.

In SugarCRM, this will be a series of tasks and subtasks that will be well defined and that can be associated and executed quickly to any specific data subject request.

6. Internal Processes

In the same way, you will have certain internal processes that you will want to set up and occasionally execute, either manually for one data subject or automatically for a group of data subjects.

These processes might include notification of a data breach, notification of a severe data breach, or a process for gaining consent for an extended use of personal data (possibly to be able to give the data subject – your customer – a better offer).

But CRM is not the only system to check
Though SugarCRM can be used to support overall GDPR activities, it is important to understand that a CRM system is just one of the IT systems that will be processing personal data. A data controller has to ensure that data protection by design and by default is applied to all those IT systems. This means the data controller will need to put in place appropriate technical and organisational measures. These measures must be designed to implement data-protection principles in an effective manner and to integrate any necessary safeguards into the processing to meet the requirements of GDPR and protect the rights of data subjects.

About Ambit
Ambit Software is a CRM Partner with extensive experience in implementing SugarCRM, Salesforce, Microsoft Dynamics along with other CRM systems across industries like BFSI, Tech/High-Tech, Distribution, Services, Light Manufacturing, Media and Hospitality. For more details on Ambit’s SugarCRM practice, Click Here.

Reference: Getting-Ready-for-GDPR-Guide-11-2017.pdf

January 18, 2018