Part 1 of our series on GDPR and CRM (What Is GDPR and How Does It Affect CRM?) explained the basics of GDPR – from why the law was enacted, to how it creates a new paradigm for lawfully interacting with European citizens’ data. Refer back to that post for a primer on GDPR and its mandates. In this part, we’ll go over how the changes coming to Vtiger will help you comply with the law unlike any other CRM solution.
The challenges of managing consents
One of the most challenging parts of the new law to comply with is getting verified consent for each use of a person’s data. This is particularly challenging for four reasons:
Managing consents can be a huge drag on time
You’ll be dealing with innumerable contacts, each in a different stage of their relationship with you, and thus needing to provide consent for a different purpose. You might ask a new lead for consent to share their information with your partner, and a new customer for consent to store their credit card number. Each time, you’ll have to ask for consent, wait for their response, log their response, and then take action. Each of these takes time, and scaled across many leads and customers a month it can become a huge drag on time.
Once provided, consent must be easy for contacts to revoke
GDPR requires you to make it as easy for someone to revoke consent as it is for them to provide it. This adds to the time it takes to manage consents.
You can’t let any consents slip through the cracks
Waiting too long to act on a consent can eliminate the utility of obtaining the consent at all. This is particularly true when sharing lead data with partners, who must strike when the iron is hot. Additionally, it is legally imperative that you don’t let a contact’s choices slip through the cracks. If a contact revokes consent to you using their data, but you accidentally share it with a partner after the fact because you didn’t notice, you’re breaching GDPR.
Consents must be hard to falsify
The reason to log a contact’s consents in the first place, is to protect you if they claim they never provided it. That is significantly less likely to happen if you get consent in a way that’s difficult to disavow. You can do that by asking for a form of ID, or asking for it from a verified email address or portal only they have access to. A much less useful consent is one obtained through a publicly accessible resource, like a form on your website, because anyone can submit it claiming to be someone else.
In addition to all the other legal obligations you have to comply with, GDPR seems to need so much micromanagement that you won’t have time to actually do anything else.
Managing consent doesn’t have to be so hard
With that as a primer, we’re pleased to announce Vtiger’s new GDPR compliance and privacy tools – launching on or before May 9th. They are the most effortless way to comply with many of the provisions of GDPR, at scale. Taking just a few minutes to set up, they let your customers see your policy and requests relevant to them, securely provide consent, and exercise other GDPR-afforded rights, all while making it easy for you to see and act on their consents.
The new tools consist of three huge changes that together make up the biggest privacy and security overhaul in Vtiger’s history. They are:
- A new contact preferences page
- A new encrypted data field
- New GDPR compliant email campaigns
And here’s the crown jewel of these GDPR changes:
Introducing Vtiger’s new contact preferences page
The consents page is where your leads and contacts go to do all of the following:
- Manage their email list subscriptions
- Learn about your data usage and other policies
- Control consent for data you store on them
- Control consent to being tracked
- Control consent for other permissions you want to ask for
- Ask you to stop using their data
- Ask you to erase their personally identifying data
The page is completely customizable – from who can see it, to what they see and act on, to even how they’re notified about new consents required from them. The preferences that leads and contacts state on this page are acted on automatically by Vtiger whenever possible (more on that in a second), or available in contact records for you to use in list filters, reports, and workflow automation – minimizing your employees’ need to take on new responsibilities.
How will my leads and contacts learn about and access their preferences page?
Once you’ve enabled the page and chosen who can access it, those with permission to use it automatically receive an email letting them know. This makes them effortless to ask for.
You can enable easier future access to this page by adding a link to their preferences page to the footer of emails sent from your Vtiger users. This footer can be customized.
Additionally, the “unsubscribe” link in email campaigns sent from Vtiger now points to the recipient’s preferences page. If a recipient doesn’t have access to the preferences page, then they’ll see just the email preferences options at the top of the page.
What consents can I ask my leads and contacts for?
In addition to a customizable written statement, there are 5 types of consents you can add to their page.
Data storage and usage
If you store sensitive data, like a contact’s national ID number or credit card number, you can choose to give contacts control over that field by requesting permission through their consents page. If the contact grants permission – great! If they revoke permission, then the CRM field is automatically erased and locked – ensuring your compliance .
When you send email or a document to a contact from Vtiger, their interactions are tracked so that your sales, marketing, and support teams can learn more about contacts’ interests and tailor future communications to them. If desired, you can let your contacts control whether you track them or not through engagement tracking.
If you do things like share contact data with a third party, or use it in automated decision making, you can add a custom consent field to get permission for that use. If a contact grants or revokes consent, you’ll see their decision in their contact record, and can use their response to create filtered lists, built reports, or even in workflow automations.
GDPR requires that you give contacts the ability to opt out of processing entirely. You can hand the keys to a contact’s record over to them by adding a “Stop processing” button to their preferences page. If they click it, Vtiger automatically locks their CRM record so that users cannot edit field values, and opts them out of email campaigns – no manual intervention required.
You can let contacts ask you to delete their personally identifying data by adding an “Erase My Data” button to their preferences page. If they click it, it enables a checkbox labeled “erasure requested”in their record. To act on it, you can either filter on these contacts and delete their entire records – but for some this is too broad an approach. To be more surgical about rendering the records non-identifying, you can use the new “Erase personal data” option in the record’s “more” menu to erase the Vtiger fields you’ve marked as personally identifying.
How do I use their consents?
Unless consents are easy to act on, they become more costly to manage than helpful. This is where Vtiger truly shines.
In addition to the Data storage and usage, engagement tracking, and stop processing erasure automations mentioned above, all consent responses are saved to a new “Consents” block in their CRM record for your users to see when they’re interacting with leads and contacts.
You can use these consents to build lists or reports. In addition, they can be used as conditions in automated workflows – so, for example, the moment a contact consents to being contacted by a partner, Vtiger can automatically and instantly email their information to a partner without your intervention.
If my contact forwards an email containing their preferences link to someone else, can that other person change their preferences?
Changes to a contact’s preferences page require email confirmation – and that’s what makes them verifiable. When a preference change is made, the contact will receive a follow-up email asking them to click a link to confirm those changes. Even changes to email preferences now require confirmation, so your contacts can safely forward around your emails without worrying that someone can change their preferences.
How do I set up the consents page?
The new lead and contact preferences page settings are configured from the Consents page in the CRM Settings area. From here, you can configure:
- Who gets notifications for access and changes to their preferences page (ex: Only notify contacts with region = “EU”)
- The email footer linking to the contact’s preferences page in user emails
- What consents show up in a contact’s preferences page based on information in their profile (ex: Only ask for CC# for contacts with sales stage = “ready to buy”).
- Each consent’s default selection
The consents page goes a long way to helping you achieve compliance with GDPR with an experience that’s great for your customers, and that’s effortless for you.
Encrypted data fields
If you store sensitive data like a credit card number or a national ID number, you now have the option to mark the field as sensitive in Vtiger.
This achieves three goals:
- It encrypts the field in Vtiger’s databases. Once complete, nobody without your permission can see the data. Not hackers (we’re aware of no breaches so far!), not us, and not your other users.
- It obfuscates the field value shown to your users. For example, you can hide all but the last 4 digits of a credit card number. This means, for example, that it’s still usable by your support agents to verify a contact’s identity, but that they can’t see the full value, reducing the risk of it being compromised.
- It allows you to authorize certain users to see the full field value. For example – authorized billing team members could reveal a full credit card number with just a click. That action is logged and searchable through a new encrypted field access log in the settings area.
Encrypted fields do have a few limitations that you should consider before enabling them:
- List views, reports, and exported data can only show encrypted values
- Global search only searches exposed characters
- Once enabled for a field, encryption cannot be disabled
That’s all for encrypted fields for now.
GDPR Compliant Email Campaigns
Last, but definitely not least are Vtiger’s new GDPR compliant email campaigns.
GDPR now requires that you now obtain clear, unambiguous permission to send marketing email – that’s basically means obtaining a double opt-in (described in part 1 of this blog).
With Vtiger, double opting in leads and contacts is easy. If they submitted a webform with the “send me marketing email” checkbox enabled, they’ll receive a double opt-in email asking them to confirm their desire to receive your marketing email by clicking a link. If they didn’t arrive through a webform, you can send this email to a lead or contact manually from their CRM record, or to an entire list from the Marketing Lists module (unless they’ve opted out).
If you know someone isn’t in the European Union, or you’ve received another acceptable form of permission to email them, you can bypass the need for a double opt-in by opting the contact in yourself. To understand how to do that, let’s get into how the rest of the new email opt-ins work.
The new email opt-in statuses
Instead of our old “Opt Out” checkbox field, leads and contacts now each have an “Email Opt-In Status” field that replaces the old “Opt Out” checkbox. In it, there are 6 values.
- Single opt-in (user)
- Single opt-in (webform)
- Double opt-in
- Opt-out (user)
- Opt-out (contact)
These values can be set in one of a few ways. If a contact clicks a link in a double opt-in email they’ve received, Vtiger sets the “Double Opt-In” value. If a contact submits your webform with the “I want to receive email marketing” checkbox enabled, Vtiger sets the “Single opt-in (webform)” value. Single opt-in (user) is only set by your users – and can be done when creating a contact individually or during an upload. Otherwise, all new contacts start with a “None” state.
These states are important because you can tell Vtiger what opt-ins you consider acceptable for sending a contact email from the email campaigns system. Your options are:
- Double opt-in only
- Double opt-in and single opt-in (user)
- Double opt-in, single opt-in (user), and single opt-in (webform)
Which setting you should choose depends on a lot of factors. We always recommend Double opt-in only as the safest choice legally, because it’s always hard to discern if a contact is an EU citizen.
How do contacts opt-out of my campaigns?
Your contacts can opt out of your email campaigns in two ways. If they reach out to you requesting that you opt them out of your campaigns, you can change their opt-in status to “Opt out (user)”. You can reverse this status in case they ask to be opted back in. If the contact visits their preferences page and opts out, however, then their opt-out is irreversible, except if they re-submit a webform to opt back in.
What do opt-outs affect?
To ensure that contacts’ preferences to not receive commercial email are respected, opt-outs stop all new emails from being delivered to the contact. This includes email campaigns, autoresponders, workflow emails, and ad-hoc emails.
To prevent opt outs from stopping existing relationships, or conversations initiated by your contacts, both of these can always be replied to even through a contact opt-out.
To sum it up
GDPR compliance is a complicated subject that requires you to provide European citizens whose data you use, with certain new rights. These rights can be difficult to provide in a way that doesn’t disrupt your business.
Vtiger’s new GDPR and privacy management tools make it easy for you to comply with GDPR by giving your contacts a place to go to manage their consent, or exercise their GDPR rights, in no more time than it takes for you to set the page up.
If we’ve got your interest, stay tuned for our next blog post on how to configure our new GDPR and privacy tools, and email campaigns, to help you get consent and into compliance quickly.