If you haven’t been hiding under a rock for the last few months, you’ve probably heard a lot about GDPR. About how if GDPR were the law of the land in the US, its standards could have prevented Equifax’s data breach (now one of the largest in history). About how GDPR spares no-one – with behemoths like Google overhauling their products to comply. And even about how the US Congress, energized by the Cambridge Analytica scandal, grilled Mark Zuckerberg on whether Facebook would expand its GDPR-compliant privacy tools to users globally, during his Congressional hearing on privacy
Whether you have been hiding under a rock, or you’re up to speed on GDPR, it’s legally imperative that your business, too, complies with the landmark law by May 25th. With so much to change in so little time, getting started can feel overwhelming. To help you navigate that journey we’ve created this 3-part series on GDPR. In it, we’ll cover everything you need to know to become compliant with the main part of the law:
- What is GDPR and how does it affect CRM? (Part 1)
- How Vtiger helps you comply with GDPR, including powerful consent management (Part 2)
- How to setup Vtiger’s new privacy features to comply with GDPR (Part 3)
This series covers general compliance with GDPR’s main principles and rights (articles 5 to 23). There are other processes, responsibilities, and standards that you must comply with (articles 24 to 43) and are not covered in this series.
This series and the product changes to come are derived from a few different sources. From the legal texts and their generally accepted interpretations. From discussions with customers and their lawyers, and from other tertiary research about solutions covering the legal consent problems we were addressing. The general guidance it has been distilled into should help the average business start down the journey to compliance, but should not be considered legal advice, which we still recommended that you seek when interpreting GDPR for your specific scenario.
If you already understand GDPR’s importance and don’t need a primer, feel free to skip ahead to the section titled “Here’s how GDPR changes your business”.
What is GDPR?
GDPR is a new European law, going into effect on May 25th, 2018, that regulates how businesses can collect, store, and use European citizens’ data. More on that in a second.
Why was GDPR enacted?
To put it simply – to stop businesses from indiscriminately collecting and using peoples’ data in ways that could hurt them. Today, businesses treat data the same way economic imperialist nations treat foreign countries. They capture as much as possible and exploit it with little respect for the owners’ wishes, or concern for the harmful effect it has on them.
That comparison might seem harsh, because nobody dies when a company buys a list of leads and markets to it without consent. But, when Equifax lost critically the sensitive data of more than 140 million people, and then essentially left them to deal with the consequences, the hurt was much more palpable. Their private identities and financial futures were doomed to an uncertain future circulating on the black market. That could just as easily be your Google search history, or private messages, and still you’d have little legal recourse if it happened.
The logical reaction to this, then, is
If only someone would give me the right to choose who can have my data, what they can and cannot use it for, will make sure they keep it safe, and punish them for violating these rights!
And that’s exactly what GDPR does for EU citizens.
Do I have to comply with GDPR?
GDPR applies to you if you meet any of the following conditions:
- You have customers in the EU
- You provide services to (paid or free) to EU citizens
- You market to EU citizens
- You monitor the activities of EU citizens
If your business is exclusively local and external to the EU, you probably don’t have to worry about GDPR. A flower shop in rural Ohio that only markets and ships to the local town is unlikely to have to comply, even if someone from the EU stops by your website and ends up in your analytics solution.
But just because your business is small doesn’t mean GDPR doesn’t apply. A small-town SEO company that markets its services online and already has a few clients from a few other countries, even if it doesn’t target customers in the EU specifically, is likely to have to abide by GDPR because it could be envisioned that the SEO company would welcome business from European customers if it emerged.
What rights do I have to comply with?
EU citizens now legally own even the data about them that’s in your possession. And they have some fundamental rights to go with that ownership. We’re using the 80/20 rule to summarize the texts below into one-liners. As with any summary there are always caveats, so if you’re curious, click the included links to read the full legal text and exceptions (they’re not long!):
- When you’re collecting data from someone, you must disclose what you plan to do with it and how long you plan to keep it for, among other information, at the time of collection (articles 7, 12, 13, 14)
- When you’re using data from someone, all your uses should either be done with consent for that use, in direct relation to an already agreed upon use, or because it passed the balancing of interests test, with a few caveats (article 6)
- You must respond to the following rights requests from a contact within 1 month of the request (article 12)
- To know what information you have on them and what you use it for (article 15)
- To correct any information you have on them (article 16)
- To erase the data that you have on them (article 17)
- To restrict your ability to use their data without having to delete it (article 18)
- To know when you’ve erased or stopped using their data (article 19)
- To port your data on them to a competitor (article 20)
- To object to any process (article 21)
- To object to automated (algorithmic) decision making (article 22)
- You must not use or store data for longer than needed (recital 39)
- You must use secure data in a way that is proportionate in security to the potential harm that could happen to the data subject if the data were exposed (article 25, 32)
How does GDPR affect my business?
How you store and handle contact data
There are 2 types of data to consider under GDPR. Sensitive data, and personal data. Here are specific examples of data, grouped by type.
|Not Personally Identifying||Favorite brand of chips
|National ID number
Credit card number
This is data that is not publicly available, and that can be misused to harm people – like a passport number or someones’ political affiliation. GDPR recommends obtaining consent for storing sensitive data, and subsequently protecting it however possible. These data are best protected by doing the following:
- Encrypting these fields in databases to prevent misuse if there’s a data breach
- Obscuring these fields in employee views to prevent misuse by employees when access is not necessary (ex: only show the last 4 digits of a CC#)
- Log when employees un-obfuscate values to deter misuse when access is necessary
Personally identifying data
Data can only be harmful if it can be linked back to a person. GDPR allows your contacts to ask you to erase their personally identifying data (subject to certain conditions).
Once personal data is erased, related information that’s important to business decision making, like purchase histories and engagement with your digital services are safe to store because they are no longer associated with an identifiable person.
Be careful with groups of non-personally identifying information, as groups of it can become identifying if that group is unique to a single person. For example when you know someone’s zip code, gender, ethnicity, and date of birth – together those properties might be unique to a single individual and relatable to them through some other information source – so it’s important to be sure that doesn’t happen with what’s left of your erased dataset.
Nobody should have to stay in your database forever, just because they filled out your webform once upon a time. You must now automatically stop using, and eventually delete personally identifying data when no longer needed. The appropriate time limit to use varies from case to case. In our case, we will delete our contact data one-year after a contact stops directly engaging with us.
How you present website forms
People should really only submit information online if they know what the recipient is going to do with it. So your webforms must now either directly state how the information will be used, or link to information about how you will use their data. This can be done through tooltips, or by linking directly to a data usage policy.
If you want to subscribe someone to your email marketing after a form submission, they must now also explicitly consent to it. That means showing an un-ticked checkbox with clear language like “I would like to receive marketing email from [company]”. Simply not asking, or providing a pre-ticked checkbox no longer counts.
- What your company does and how to contact you
- How you use their data, and for what purposes you won’t seek consent
- Who you will share their data with
- Whether you will transfer the data outside of the contact’s country
- How long you plan to use the data for
- All of the subject’s rights (access, correct, erase, restrict, or port data, or lodge a complaint)
- What happens if the contact doesn’t provide the data
- If you make automatic decisions with their data
How you conduct email marketing
To send someone marketing email, you must have non-falsifiable proof that they want to receive it from you. Because anyone can fill out a form on your site claiming to be someone else, the best way to get that proof is with a double opt-in email.
Double opt-in emails work like this – when someone indicates that they want to receive your email (either verbally, or by checking a box on a webform) you send them an email containing a special link. If they click it, their click is recorded, and they’re added to your email list.
Managing preferences and opting out
Whenever you send email to a contact, it must be as easy for them to opt out as it was for them to opt in. That usually means including an unsubscribe link at the bottom of the email. A more robust solution would let contacts manage their opt ins and outs of specific email lists from a page accessible from the email footer.
How you track customers on websites, email, and documents
Many digital services you provide to customers will track their actions and provide you with analytics, so that you can learn how to improve their experience. That could be a website, email campaign, or a document you’ve shared with them. Regardless of how tracking is performed, under most circumstances you should tell users that they are being tracked, and provide them with the ability to opt out of your tracking.
When you use customer data
You use customer data for a number of purposes. From simply storing it, to sending them marketing email, to checking their credit history or sharing it with third parties that will help them use your products better.
Whatever you use customer data for should generally be done for one of these three reasons:
- You have received explicit prior permission for that use
- The use is related to another purpose you have already received consent for
- The purpose is in your legitimate interest and does not violate the contact’s rights (the balancing test)
We always recommend obtaining consent for as many purposes as possible, as this is the only indisputable way to use your contacts’ data. Whatever consent you obtain for a purpose, the best way to obtain it is in some non-falsifiable way. These range from a recorded communication like an email, to a preference management portal that contacts can log into to manage their consents. Like with email preferences, it’s important to let contacts revoke their consent at least as easily as they provided it.
The new legal rights you must facilitate
Right to know what data you store, and the ability to export that data
If a contact asks you for the information you hold on them, you are legally obligated to do so. In addition, you must disclose what you use it for, who it you share it with, how long you plan to keep it for, and the other rights that they have. They may additionally ask for a copy of all of this information in a machine readable format like a CSV file or database, so the CRM system that you use to store their information should facilitate creating such files.
Right to update their information
If a contact asks you to update incorrect or missing information, once you are able to confirm who they are, you are required to update that information in your systems. This is particularly important if you use that data to manually or algorithmically make decisions about them.
Right to be forgotten
A contact has a right to have your data on them erased. While the simplest solution is to erase all your records associated with them, this is usually undesirable because it could delete important business information like purchase data, rendering revenue and other reports incorrect. The ideal way around this is to delete personally identifying information from a contact’s record so that you can no longer identify them. The best GDPR compliant CRM solutions will facilitate this type of erasure.
Right to object to one of your purposes
A contact can request that you not use their data for a specific purpose. That could mean opting out of marketing, requesting that it not be shared with a third party, or any other specific purpose. To facilitate this without requiring arduous records management, choose a CRM solution that lets your contacts automatically manage their consents to your uses, so that the teams responsible for acting on that permission can act only on those contacts that have consented.
Right to stop your use of their entire record
Contacts finally have the right to ask you to take them out of all forms of processing that you do. Whatever system you use to store their information should be capable of freezing their records so that they cannot be modified by your users, or emailed for commercial purposes either manually or automatically.
There’s so much to do! How will Vtiger help me comply?
There may be a lot of new regulations to comply with, but the changes coming to Vtiger by May 9th enable businesses to effortlessly roll out GDPR compliance. Whether your customers are in the US, EU, or anywhere else, these changes will help you present disclosures, store sensitive data more securely, email market legally, and let your contacts provide and manage their own consents with an experience not available with any other CRM on the market today.
You can find a complete walkthrough of these changes in Part 2 of this series>.