Easing GDPR transition with integrated software

< Back to resources


Written by Penni Stanton

As a CRM provider and data processor, Gold-Vision’s GDPR team have been working away behind the scenes to provide easy to use solutions to GDPR’s challenges.

Here we investigate why integrated business technology is the simplest way to solve the new requirements, and how we are helping our customers solve the challenges of consent, evidence and subject access requests.

What is GDPR?

The new EU wide legislation, the General Data Protection Regulation, enhances the rules on data collection and processing with the aim of putting the control of personal data back into the hands of the individual. The legislation promotes transparency and allows enhanced rights to individuals to access or withdraw their data.

The existing Data Protection Act (1998) will be replaced by GDPR, however GDPR applies to all companies worldwide that either process personal data, or monitor the behaviour, of data subjects within the European Union. The UK Government has already confirmed that GDPR will apply to the UK after Brexit.

(Read our GDPR 101 Guide for a comprehensive overview of all you need to know about the new EU General Data Protection Regulation)

The business technology challenge

Technology providers are currently ramping up their efforts to help their customers tackle the challenges presented by GDPR. Businesses typically use many different technology systems across various departments, from specialist HR software through to CRM systems, various marketing platforms, accounting systems and beyond.

GDPR places firm requirements on organisations (and the data processors they use) to be able to keep personal data accurate, accessible and secure. For very small businesses this is a relatively simple challenge with most likely two or three systems which can be manually accessed as required. Scale up slightly however, and this challenge could become a much tougher requirement.

Add in the complexities of current marketing regulations, and the as-yet-unknown requirements of the upcoming ePrivacy Regulation (due to launch alongside GDPR), and the importance of integration becomes clear.

Integrated solutions to data protection

To illustrate the need for integration, consider a simple scenario. You meet a prospect at an exhibition and add them to your event management tool. Your marketing department adds them to your third party email marketing tool. Your sales team calls them, sets up an appointment and adds them to your CRM system. Later you convert them to a customer, and they are added to your accounting platform.

Six months later a member of their finance department receives a marketing email that is not relevant. Wondering what data you have collected about them, for what purpose and how far reaching this is, they decide to make a Subject Access Request (SAR). Under the new GDPR regulations they are completely within their rights as a data subject to request a Subject Access Request without charge, with this sent to them in a universally recognised file type within one month.

How easily could your business provide this? Would it involve several departments manually accessing their software systems, including email, to create such a document? Imagine you received 20 such requests in one week? Or even 200? This one example shows why integrated, intelligent systems are essential to prevent potentially crippling businesses once the GDPR comes into effect in May 2018.

Add the need to keep data in separate systems accurate and up to date, along with the need to ensure marketing preferences are updated and adhered to across databases, and the importance of data integration becomes apparent.

Here at Gold-Vision, our multi-departmental GDPR team have been hard at work. Working through scenarios, we’re identifying the challenges we think are most likely to impact our customers. Then we are enhancing our product to help solve them. If you are a Gold-Vision customer we'll be sending you updates soon, but for now here is a look at the challenges we’ve identified and the solutions that our team are designing...

Challenge #1: How do I record the lawful basis for processing contacts in CRM?

Under the new regulation you must record the lawful basis for processing an individual’s data, along with the purpose for which you are holding their data. Essentially you will process data either because it is necessary, i.e. in order to serve a customer you must process their data, or because you have gained their explicit consent, i.e. a prospect ticks a consent box on your website when downloading a file.

If you expect your employees to manually enter this information, and somehow remember to update it, edit it or re-consent when required, it is likely you will fall foul of GDPR’s tighter regulations.

Gold-Vision’s GDPR team have designed the new purpose object. Every new contact record, be that a lead or contact, that is created in CRM will have a purpose field. Settings can be managed to create rules, such as a new contact at a customer having a pre-filled purpose of ‘necessary to fulfil the contract’, whilst a lead would automatically have ‘consent’.

Challenge #2: How can I manage explicit, timed consent?

Implied consent is no longer an acceptable method for a business to justify their processing of personal data.  From May 2018, if consent is the legal basis under which you choose to process a contact’s data, it must be explicit and timed.

You must not use pre-ticked boxes, or hide terms in small print. Clear, legible and obvious terminology must be used in versioned policies which a data subject has agreed to explicitly. You must provide details of how their data will be used, if it will be shared with any third parties, and the consent will only apply for a fixed period defined in the versioned policy.

Gold-Vision’s new privacy log will automatically record the purpose, lawful basis, duration of the lawful basis (i.e. consent to process for five years), and the deletion date if applicable. To meet consent version guidelines, it will be possible to set your current version, which will be automatically be added to new contacts with consent as the legal basis.

The purpose field will be derived from a lead list type, an account type or an event type which can easily be maintained in a new administration screen. This new admin panel will be designed to reduce the time it takes to meet GDPR compliance. Gold-Vision users can start to prepare now for a simple and fast transition. A huge benefit of the above changes is how Gold-Vision will make use of the existing account structure with minimal extra work to achieve compliance.

Gold-Vision’s alerting functionality will also assist with re-consenting and required deletion. Simple reminders to re-consent will pop up, and if not met by the required time frame you will be prompted to delete the contact’s data to prevent processing against GDPR’s rules.

Challenge #3: How do I handle Subject Access Requests?

The right of access under GDPR has removed the charge for Subject Access Requests (SARs), and reduced the time for response from 40 days to a maximum of one month, although it is suggested that it should be no longer than is necessary. A core principal of GDPR, individuals should be able to easily and quickly understand what data you hold, why, and be able to either correct it or request its deletion easily. The data must be provided in a widely used electronic format.

Gold-Vision will be enabling a SAR report for our customers in a CSV format, pulling information from contact fields and the privacy log to make SAR’s as quick and painless as possible while meeting the requirements of GDPR.

Challenge #4: How do I manage marketing consent and double opt-in?

Consent to process data under GDPR is not necessarily the same thing as consent to market to a contact in your CRM, although you may gain permission for both at the same time. Equally, you may process somebody’s data, such as a customer, with legitimate interest under GDPR, but the contact may remove their consent to receive marketing emails from you.

It is important to distinguish between the different laws that apply in these circumstances. GDPR will apply exclusively to processing data, while currently PECR (but soon to be replaced by the ePrivacy Regulation) applies to marketing to a contact. You will need a legal basis, be that consent or legitimate interest, for both processing and marketing in order to send marketing emails, telephone calls and other forms of direct marketing.

For example, should a contact unsubscribe from an email sent by Connect, that unsubscribe will automatically be present against the lead or contact in Gold-Vision. Equally, it is possible to manage a contact’s marketing preferences centrally in Gold-Vision for other forms of marketing such as telephone, SMS and postal. The integrated solution prevents holes in your databases, ensuring that your data's consent preferences are always recorded correctly.

Using an integrated system, such as Gold-Vision with the integrated email solution Connect, allows you to manage both processing consent and marketing consent without any additional hassle. Be aware that using separate systems means you will need to find a way to ensure your consent data is kept up to date.

Opt-in, and double opt-in, has not changed due to GDPR. It has been a legal requirement to obtain double opt-in consent for emails to personal email addresses since 2003 under PECR. Currently, a business email address does not require double opt-in consent, but it is not yet known if this will change under the new ePrivacy Regulation.

Gold-Vision Connect manages double opt-in consent as required by current PECR legislation. We will continue to monitor the upcoming new regulation to ensure the product is fully compliant with time to spare before the May 2018 deadline.

Find out more about how we're tackling GDPR and making compliance as easy as 1-2-3.

Need help? Talk to our CRM experts today!

Whatever you CRM question, our team can help.
Contact us today for a no obligation call to discuss your CRM requirements.