How Gold-Vision Got GDPR-Ready

< Retour à resources (en)

BLOG

Écrit par Jiggy Patel - 27/06/2018

As a CRM provider, the announcement of the new EU General Data Protection Regulation (GDPR) directive was something that we couldn’t afford to ignore – both from the perspective of running our own business, and that of our customers’ changing requirements.

After 2-years of waiting, and with the GDPR legislation now in place and in force, here’s an inside look at how we responded, and what it means for our customers…

Gold-Vision’s GDPR Journey

It was way back in November 2016 that we had our first customer contacted us about GDPR and how Gold-Vision could assist them with “managing opt-in” for their data.

At the time, the good news was that both Gold-Vision CRM and Gold-Vision Connect (our email marketing tool) were tightly integrated, and opt-in management was a standard feature of updating contact preferences for marketing:  It was already available!

We then started to hear common language from our customers asking, “where is the preference centre, and how can I update it?!”, and then further customers started to get in touch and ask us what our plans were for managing GDPR. 

Understanding the GDPR Challenge

Though 25 May 2018 still seemed a long way off, we decided to setup a steering committee and read everything we could.  We noted that there were in fact a couple of new regulations planned – with ePR (Electronic Privacy Regulation) also due to come in at the same time as GDPR, so we started to look into both and how things would affect us (and our customers).

Our steering committee started to look at the key "Principles" and the "Rights of Individuals" to identify scenarios and use cases – which would ultimately help us identify how Gold-Vision could functionally help with compliance. 

We went around in circles for a while, working through what should be updated in a "Privacy Log" and how a “retention date”’ should be calculated.  Through this exercise we were able to provide a really simple solution which was easy to understand!

User Stories and a requirements document were built for our development team and we focused on deploying some key GDPR and data privacy features as standard into Gold-Vision. 

By October 2017, we had a focused set of requirements and had identified how our GDPR functionality could be used.  We shared this on our blog and as part of a customer update on how to ease GDPR transition using integrated software.

The enabled our customer base to understand the key requirements for GDPR and prompted them to start reviewing their own internal processes.

The blog focused on 4 challenges with GDPR:

  • How do I record the lawful basis for processing contacts in CRM?
  • How can I manage explicit, timed consent?
  • How do I handle Subject Access Requests?
  • How do I manage marketing consent and double opt-in?

And, yes, we’re not afraid to admit that we too got ourselves confused and went down the “opt-in” rabbit hole for a while!

We had understood the different regulations that were in play based on the above and that there were key differentiators between GDPR requirements and ePR requirements. Our challenge was around relaying this to our customer / prospect base who were being fed conflicting information from all sources!

Getting our Customers GDPR-Ready

To ensure our customers were kept up to speed on our plans, we sent out a newsletter that covered "Getting your CRM data ready for GDPR" – which provided a set of resources aimed at helping our customers review their own data and manage a data audit in preparation for GDPR. 

One of the key rights which we identified as a challenge would be "the right to be notified" – which meant that new contacts’ would need to be informed of what data was held and how it was being processed within 30 days of it being received.

We wanted to make this simple to manage, so made a stock email template available in Gold-Vision Connect that could be used by our customers to provide their customers with a link to their new Privacy Notice.

In January we were made aware that ePR would be delayed until further notice.  And so, at this point our focus moved to: "What are the requirements for GDPR?" and "What are the requirements for ePR?" and began further learning/advisory processes with our customers to ensure they weren’t left further confused by the pending law changes.

New GDPR-functionality is Released

Following numerous iterations and internal testing, our new GDPR functionality was released to customers as part of our March Update.

By this time, we were all aware that GDPR was not about managing opt-ins, and this was a message we had to relay quickly; highlighting the key principles of GDPR were in fact about data privacy and protection.

To get the important information across in an easily digestible format, we created a quick reference Understanding the General Data Protection Regulation infographic that could be downloaded and shared across teams and a glossy brochure which we could share with customers and prospects.

In mid-March, we were exhibiting at the B2B Marketing Expo at London’s ExCeL, and on Day 1 of the show, Natalie Gorton (our in-house GDPR Guru and long-standing Projects Consultant) delivered a very well received seminar sharing how we had tackled GDPR and our key challenges and learning. 

Check out the slides below or view on Slideshare for added Notes.

We realised by this time that much of the information available on the internet and through consultancy firms was often confusing and, worse, factually incorrect(!), and so took it upon ourselves to dispel some of the common GDPR myths and provide simple, actionable advice as to what should be done.

We also ran additional customer-focused webinars to highlight our new GDPR functionality and support the setting up of privacy rules on their own databases, having identified some key requirements for an easy setup process:

  1. Identify personal data fields
  2. Manage data purpose (lawful basis, retention data based on purpose of the data)
  3. Run privacy rules across the data using the above

Getting Our Own Data GDPR-Ready (in Under 10 Minutes)

Of course, it wasn’t just our customers who needed to get their data in order before the May deadline – we needed to do so ourselves!

Our own Gold-Vision CRM database is approximately 15 years old and contains a great deal of historic data – and there was certainly some thinking required as to how long we planned to keep certain types of data. 

Following our own advice, first up, we first discussed our privacy rules and data purposes, and then set about working with our lawyer to ensure our privacy notice was updated based on GDPR requirements.  We were also made aware that we would need to release a GDPR addendum to our agreements for our existing customer base.

Once our rules were identified, we were ready to setup our own Gold-Vision privacy rules using the newly released functionality: Over 20,000 records took approximately 8 minutes to become GDPR-compliant based on the rules we created!

Running this internally, however, made us think again and we identified some additional requirements for managing purposes and the need to identify this per Contact not just at Account level. 

Although the bulk rules allowed us to manage our records quickly, we knew we had customers who would need to manage individual purposes for their contacts, and therefore this would need to be made an available option. 

A user story was compiled, and additional functionality was released – which means that once your rules are setup, they are automatically applied as you enter new records in your CRM!

A new GDPR Data Privacy Dashboard

It was all good and well that we could manage – and indeed, automate – the information we provided to those we held data on, but what about managing requests that might come from our data subjects?

This was obviously going to be something of great importance for us, and our customers alike, and so we also created a new Privacy Dashboard which would be available to Gold-Vision Administrators.

We designed the dashboard to be an effective, one-stop way to manage privacy data requests all in one place:

  • A single source to identify SAR's (Subject Access Requests) and have these available for an administrator to log and review if necessary
  • Administration of Erasure Requests (which can be logged by individual users in Gold-Vision)
  • Review records in which are due to expire based on your Contact Removal date (which has been automatically generated based on your privacy rules)
  • Manage erasure of data in bulk, based on your rules

The Final Countdown

Privacy Notification was the last, but key factor, to getting ourselves GDPR compliant, and having updated our Privacy Notice and adding our new GDPR Addendum to our website, we then set about informing our customers (and prospects) of the changes.  

This was made simple through the use of a Gold-Vision Connect email campaign in the first instance, and we now use the Gold-Vision marketing automation tool to manage the sending of privacy notifications to new contacts that are added to our CRM database each day – simple!

GDPR is Here!

As you may expect, with the GDPR enforcement deadline looming, April and early May were busy times for us, especially so as we had a number of customers still logging support tickets on how to manage opt-in with Gold-Vision

By this time, my previously mentioned co-presenter (Natalie), had completed a week-long Certified GDPR Practitioners course, and so wrote up a fantastic, in-depth GDPR 101 Guide to cover off the things she’d learned and to pull together some handy resources into a single, easy-to-understand resource. 

This really seemed to help customers understand the difference between marketing and GDPR, and what the requirements were in terms of their managing of their customer data; and we also added some additional Help Site resources and further GDPR-focused webinars for those that needed more help on the Gold-Vision CRM configuration side of things.

Today we are still assisting customers (old and new) with setting up their GDPR functionality and privacy notification setup, as well as more generally looking at new features and functionality that will help them improve their overall business performance.

If you’re reading this and you’re already a customer, then check out our upcoming customer webinar schedule for new GDPR webinars coming soon.

If you’re not currently using Gold-Vision CRM but would like to find out more about what Gold-Vision can do for your business, we’d love to arrange a personalised demo for you.