GDPR (the EU General Data Protection Regulation) is a privacy regulation that takes effect on May 25th, 2018. It requires businesses to be transparent about how they use people's personal data and to respect people's right to decide what data is collected and when, why, and how it is used. Businesses must tell people what data they capture and store about them, the specific purposes for which they use it, and how they achieve those purposes. It also gives the people the data is about (data subjects) the right to object to the storage or processing of their data, to request a copy of it, and to request that it be deleted.
GDPR achieves these ends in a few ways. It requires organizations that collect data about people in the EU to be clear and transparent whenever they capture that information: what data they capture and how they will use it. Where consent is the basis for processing, organizations must obtain explicit consent for each use of a person's data and provide a way for the person to withdraw that consent at any time. Organizations can no longer use people's data for purposes they did not disclose, and can no longer share it with undisclosed third parties. Finally, organizations must maintain an appropriate level of security so that the data they hold about people is stored and processed securely at all times, to minimize the risk of it being compromised.
To enforce these rules, GDPR gives EU regulators the power to levy significant fines, up to €20 million or 4% of annual worldwide turnover, whichever is higher, against companies that do not abide by its mandates.
In the few decades since the internet was commercialized, technology has transformed how we live and work. We search for answers to personal questions online, consume news and media that reveal our political and social affiliations, exchange personal messages, and shop for things that tell people who we are and what we like, all online, and all tracked by the businesses that help us do these things. In the process, these businesses capture our data, store it, use it, and often trade it in ways we have little consent over or control of. As we've seen over the past few years, that data is frequently lost or misused. The Equifax data breach showed that even the largest companies can lack the basic safeguards needed to protect the most sensitive data they hold about us, data we often never consented to their capturing and using in the first place. Meanwhile, social networks and search engines collect enormous amounts of data about us and use it to monetize us in ways that are not fully known to us.
Any business that could collect data from people in the EU that identifies them, whether directly or when combined with data held by the entities it shares data with, is bound by this regulation. In practice that means any business with an online presence, or any business that could take orders from people in the EU.
Before May 25th, we expect our practices, policies, and products to fully adhere to GDPR’s mandates. Specifically, this includes:
If you’re our customer, by May 25th our products will be GDPR compliant to ensure that while you use Vtiger CRM, your risk of violating GDPR through technology is minimized. Here’s how:
As our customers, you can trust us to ensure that the software you use to store and communicate with your customers, vendors, and other constituents is GDPR compliant. However, under GDPR you remain the data controller for the personal data you put into the CRM, and we act as your data processor; it is up to you to ensure that your own policies, practices, and procedures also comply. To get started down that path, charter a data protection team, familiarize yourself with the regulation, and institute the changes necessary to become compliant. We recommend reading the full GDPR text and its articles to understand the legislation, and then reviewing third-party guides for plain-language explanations and compliance checklists.