Intro
One of the key changes in 7.1.8 is a new privacy log, which will automatically record the purpose, lawful basis and deletion data if applicable.
Having defined your business GDPR policies Gold-Vision Administrators will be able to create a new 'purpose' record for Leads and Contacts. Using the Lawful basis and duration for your Contacts you will be able to apply a retention period for contacts with a specific purpose.
Individuals have the right to access their personal data and supplementary information .Subject access requests can be logged for a Lead or Contact. In the Gold-Vision Administration Console, fields can be marked as personal or sensitive and this data can be exported as a csv file by your Data Administrator.
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. In Gold-Vision, an Erasure Request can be logged for a Contact or Lead. Your data administrator can erase (permanently delete) contacts and leads. Data can be also 'bulk deleted'.
Accessing Privacy Actions and Privacy Logs
Your Data Protection contact or person responsible for data will need access to the Privacy menu in the Admin Console to set up data purposes and configure privacy rules.
All users have access to Privacy Actions in Contacts/Leads. Depending on your access options you may also have access to view Privacy Logs.
Access to privacy settings are managed in User access options.
Privacy Actions
Depending on your user access options you will have access to the following Privacy Actions in a Contact or Lead record:
Apply a purpose
Within the Privacy Actions, you can record a purpose against a contact or lead in order to superficially define their original or on going data relationship..
Log Erasure Request
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
If a contact or lead requests that their data be removed from your Gold-Vision, this can be done by logging an Erasure Request:
The request will be logged against the contact or lead record in their Privacy Log. Note access to this is available in user access options.
This can then be actioned by your data administrator in the Admin Console. The data will be erased.
Note: if a contact is deleted, it can be undeleted in the Admin Console. Erased data cannot be brought back in to Gold-Vision.
Log Subject Access Request
Individuals have the right to access their personal data and supplementary information.
If a contact or lead requests access to their personal data this can be action in the contact record.
The request will be logged against the contact or lead record in their Privacy Log. Note access to this is available in user access options.
The request can then be actioned by person responsible for data from the Administration Console. Under Article 12: you should process the request “without and undue delay” and within one month.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Your data administrator will be able to send the data you hold about them
Administrators can monitor and manage these privacy actions. See more
Privacy Notice Provided
A user might advise a contact or a lead about your privacy policy whist on the phone, they can then update Gold-Vision as follows:
Privacy Log
The privacy log in a Contact or Lead will automatically record the purpose, lawful basis, deletion data and subject access requests (if applicable)
Definitions
GDPR definitions
Data Protection Impact Assessment (DPIA) helps organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
You may need to do this if you undertake large-scale data processing or record special categories if data. If you don’t need to carry out a DDIA you will need to look at conducting a data audit.
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Privacy Notice – this holds information that you direct people to. It tells them about the categories of data you hold, how long you’ll keep it, the lawful basis for processing etc. Link – ICO Guidance https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/
Gold-Vision definitions
Purpose - Record why, how long you store personal data for and the lawful basis for processing personal data according to ICO Article 6 https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
Privacy Rules - Set up automated system rules to apply the purposes you have created.
Privacy Log – this is a Gold-Vision object that holds any Privacy rules applied and also requests made by each data subject (Contact/Lead)
Privacy Notice Provided– records that a Privacy Notice has been provided. This can be triggered by a Rule applied individually or to a Campaign Stage.
Personal Data - GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Sensitive Data - GDPR refers to sensitive personal data as “special categories of personal data” specifically this includes genetic data, and biometric data where processed to uniquely identify an individual. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
Fields in Gold-Vision can be marked as personal or sensitive using the screen designer (see below).
Subject Access Requests
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Erasure Requests
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
Expired Records
Records where the duration for the purpose for holding the data has expired. For example, you might hold prospect data for 2 years, at the end of 2 years the record will be marked as an Expired item. See below.
Deleted Items
Deleted Gold-Vision records can be undeleted by an Administrator.
Erased Items
Records will be permanently removed from the data base and cannot be undeleted.
Best Practice
Q. Do I have to provide a Privacy Notice (Right to be informed) to my existing Contacts and Leads?
A. You can ask for clarifications from the ICO. Current opinion is that you do, and it is good practice.
Q. How do I show I’ve sent a Privacy Notice?
A. Gold-Vision documents this for you in the Privacy Log.
• You can add Privacy Notified and Privacy Notification Reason to your Campaign stage and when the stage is run the privacy log for recipients will be updated
• New leads from inbound marketing may have been provided with a Privacy Notice so use a Lead list rule for this.
• If you individually provide a Privacy Notice, you can record this from the Privacy Action menu on a Contact or Lead
Q. Can I automatically email a Privacy Notice using Alerts?
A. If you are using your own SMTP Settings [Tools-> Administration, Settings-> SMTP Settings], you can set up an alert on Contacts and Lead Lists to send an email on creation.
If you are a Hosted customer and have not entered your own SMTP Settings, the email would come from ‘Gold-Vision’ and therefore is not suitable for this (as its purpose is to inform the data subject that you are the Data Controller).
The best solution is to use Marketing Automation for this regular task. Talk to your account manager for more info.