After 2 years of waiting, and with the GDPR legislation now in place and in force, here’s an inside look at how we got GDPR ready, and what it means for our customers.
As a CRM provider, the announcement of the new EU General Data Protection Regulation (GDPR) directive was something that we couldn’t afford to ignore. This was based on the perspective of running our own business, and that of our customers’ changing requirements.
Gold-Vision’s GDPR journey
It was way back in November 2016 when our first customer contacted us about GDPR and how Gold-Vision could assist them with “managing opt-in” for their data.
At the time, the good news was that both Gold-Vision CRM and Gold-Vision Connect (our email marketing tool) were tightly integrated. Even better, opt-in management was already a standard feature of updating contact preferences for marketing.
We then started to receive an influx of common questions from our customers, such as “where is the preference centre, and how can I update it?!”, or “what are our plans for managing GDPR?”.
Understanding the GDPR challenge
Though 25 May 2018 still seemed a long way off, we decided to set up a steering committee and read everything we could. We noted that ePR (Electronic Privacy Regulation) was due to come in at the same time as GDPR. As a result, we started to look into both and how things would affect us and our customers.
Our steering committee started to look at the key “Principles” and the “Rights of Individuals” to identify scenarios and use cases. This ultimately helped us to identify how Gold-Vision could functionally help with compliance.
We went around in circles for a while, working through what should be updated in a “Privacy Log” and how a “retention date” should be calculated. Through this, User Stories and a Requirements document were built for our development team and we focused on deploying some key GDPR and data privacy features as standard into Gold-Vision.
By October 2017, we had a focused set of requirements and had identified how we could use our GDPR functionality to get ready. And, yes, we’re not afraid to admit that we too got ourselves confused and went down the “opt-in” rabbit hole for a while!
Ultimately, we understood the different regulations that were in play and that there were key differentiators between GDPR requirements and
Getting our customers GDPR ready
To ensure our customers were kept up to speed on our plans, we sent out a newsletter that covered “Getting your CRM data GDPR ready”. This provided a set of resources aimed at helping our customers review their own data and manage a data audit in preparation for GDPR.
One of the key rights which we identified as a challenge would be “the right to be notified”. This stipulated that new contacts would need to be informed about what data was held, and how it was being processed, within 30 days of it being received.
We wanted to make this simple to manage, so made a stock email template available in Gold-Vision Connect that could be used by our customers to provide their customers with a link to their new Privacy Notice.
In January 2018, we were made aware that ePR would be delayed until further notice. Therefore, our focus moved to “What are the requirements for GDPR?” and “What are the requirements for ePR?”. This led to further learning/advisory processes with our customers to ensure that they weren’t left further confused by the pending law changes.
New GDPR functionality is released
Following numerous iterations and internal testing, our new GDPR functionality was released to customers as part of our March update.
By this time, we were all aware that GDPR was not about managing opt-ins, and this was a message we had to relay quickly; highlighting that the key principles of GDPR were in fact about data privacy and protection.
In mid-March, we were exhibiting at the B2B Marketing Expo at London’s ExCeL. On Day 1 of the show, Natalie Gorton (our in-house GDPR Guru and long-standing Projects Consultant) delivered a very well received seminar sharing how we had tackled the task of getting ready for GDPR and our key challenges and learning.
We realised by this time that much of the information available on the internet and through consultancy firms was often confusing and, worse, factually incorrect! Therefore, we took it upon ourselves to dispel some of the common GDPR myths and provide simple, actionable advice as to what should be done.
We also ran additional, customer-focused webinars to highlight our new GDPR functionality and support the setting up of privacy rules on their own databases. This was based on us having identified some key requirements for an easy setup process:
- Identify personal data fields
- Manage data purpose (lawful basis, retention date based on the purpose of the data)
- Run privacy rules across the data using the above
Getting our own data GDPR ready (in under 10 minutes)
Of course, it wasn’t just our customers who needed to get their data in order before the May deadline – we needed to do so ourselves!
Our own Gold-Vision CRM database is approximately 15 years old and contains a great deal of historical data. As a result, there was certainly some thinking required as to how long we planned to keep certain types of data.
Following our own advice, we first discussed our privacy rules and data purposes and then set about working with our lawyer to ensure our privacy notice was updated based on GDPR requirements. We were also made aware that we would need to release a GDPR addendum to our agreements for our existing customer base.
Once our rules were identified, we were ready to set up our own Gold-Vision privacy rules using the newly released functionality. Over 20,000 records took approximately 8 minutes to become GDPR-compliant based on the rules that we created!
Running this internally, however, made us think again. We identified some additional requirements for managing purposes and the need to identify this per Contact, not just at Account level.
Although the bulk rules allowed us to manage our records quickly, we knew we had customers who would need to manage individual purposes for their contacts. Therefore, this would need to be made available as an option.
A user story was compiled, and additional functionality was released that would automatically apply rules that have been set up as new records are entered into the CRM.
A new GDPR data privacy dashboard
It was all well and good that we could manage – and indeed, automate – the information we provided to those we held data on, but what about managing requests that might come from our data subjects?
This was obviously going to be something of great importance for us and our customers alike. As such, we created a new privacy dashboard which would be available to Gold-Vision administrators.
We designed the dashboard to be an effective, one-stop way to manage privacy data requests all in one place:
- A single source to identify SARs (Subject Access Requests) and have these available for an administrator to log and review if necessary
- Administration of Erasure Requests (which can be logged by individual users in Gold-Vision)
- Review records which are due to expire based on your Contact Removal date (which has been automatically generated based on your privacy rules)
- Manage erasure of data in bulk, based on your rules
The final countdown
Privacy Notification was the final key step to getting ourselves GDPR compliant. Having updated our Privacy Notice and added our new GDPR Addendum to our website, we set about informing our customers (and prospects) of the changes.
This was made simple through the use of a Gold-Vision Connect email campaign in the first instance. Moving forward, we have used the Gold-Vision marketing automation tool to manage the sending of privacy notifications to new contacts that are added to our CRM database each day – simple!
GDPR is here!
As you may expect, with the GDPR enforcement deadline looming, April and early May were busy times for us, especially as we had a number of customers still logging support tickets on how to manage opt-in with Gold-Vision.
By this time, my previously mentioned co-presenter (Natalie) had completed a week-long Certified GDPR Practitioners course and written up a fantastic, in-depth GDPR 101 Guide. It covered all of the things she’d learned, pulling together some handy resources into a single, easy-to-understand post.
This really seemed to help customers understand the difference between marketing and GDPR, and what the requirements were in terms of managing their customer data. We also added some additional Help Site resources and further GDPR-focused webinars for those that needed more help on the Gold-Vision CRM configuration side of things.
Today we are still assisting customers (old and new) with setting up their GDPR functionality and privacy notification setup, as well as more generally looking at new features and functionality that will help them improve their overall business performance.
If you’re not currently using Gold-Vision CRM but would like to find out more about what Gold-Vision can do for your business, we’d love to arrange a personalised demo for you.