Currently, fines under the Data Protection Act are relatively low (the absolute maximum fine is £500,000 no matter how horrendous the data breach). The GDPR will significantly increase the maximum fines as follows:
· up to 2% of annual worldwide turnover or 10 million euros (whichever is the greater) for breaches relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default.
· up to 4% of annual worldwide turnover or 20 million euros (whichever is the greater) for breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.
Achieving GDPR compliance is likely to require organisation-wide changes for many businesses to ensure that personal data is processed in compliance with the new legislation. Such changes may include redesigning or reconfiguring systems that process personal data, purchasing entirely new systems to manage double opt-ins for email marketing and/or renegotiating contracts with third party data processors. It is not a ‘one off exercise’ either, as the task of remaining compliant and avoiding breaches of privacy requires commitment to ongoing review, monitoring, staff training and continual vigilance.
Businesses should therefore understand that these changes may require a significant amount of time to implement, and should plan ahead. The ICO has published an official twelve step readiness guide which we have adapted below to incorporate best practice with CRM.
1) Awareness
You should make sure that decision makers and key people in your organisation, such as your CRM database administrators, are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have. Your CRM system can sit at the heart of the organisation and be a vital component in your GDPR compliance strategy. We have always maintained that CRM involves people, process, data and technology, and this is even more relevant today. Simply having a CRM system won’t make you GDPR compliant. If your data policy states that you only need name, address and email information to fulfil the service that you deliver to your customers, then it should not even be possible to store data beyond that. All CRM users need to be briefed on the implications of GDPR and then trained on the use of the CRM system in this context. For example, you need to be able to prove where the data came from and why it is actually on your database in the first place. It is important you can quickly and easily reference and report upon this information. A well configured CRM system will hold this information in the lead source field and automatically record the date that the record was created.
2) The information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit and deploy a powerful suite of data interrogation tools, custom queries and reports. You need to consider the age and accuracy of the data, the type of information that is held, where it was obtained from and the legitimate purpose of retaining it on your system.
3) Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. Do you have a report that would export all the information at the click of a button? Who has the rights to delete data? You need to ensure that you can delete data that should no longer be retained but ensure that live and valuable data is not deleted by accident.
4) Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
5) Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
6) Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. A well-conceived workflow process within CRM can help you to manage and fulfil any subject access request that is received, notify appropriate recipients and escalate the request to appropriate individuals within your organisation.
7) Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. If you use your CRM system to facilitate email marketing then you need to maintain a double opt-in process for gaining permission to email any individual, and state where you obtained their email address and what you intend to use it for. As an example, you may have firstname.lastname@example.org on your database because you sold him Widget X. However, if you subsequently start mailing him about Widget Y then it could be deemed to be a breach of GDPR. Double opt-in ensures that a user has subscribed to a mailing list or other email marketing method by specific request and also confirms that they own that email address at the same time. Systems need to be in place to manage double opt-ins and manage ongoing opt-outs.
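As an added illustration (not code from the original article or from any CRM product), the following Python sketch shows what a CRM consent record needs to capture for the double opt-in process described above: the lead source, the stated purpose, the request and confirmation timestamps, a purpose check before any send (the Widget X versus Widget Y case), and an opt-out that withdraws consent while keeping the record as evidence. The class and method names are assumptions for the example.

```python
"""Added example: a minimal double opt-in consent ledger for a CRM (hypothetical)."""
import secrets
from datetime import datetime, timezone


class ConsentLedger:
    def __init__(self):
        self.pending = {}   # confirmation token -> unconfirmed record
        self.records = {}   # email address -> confirmed consent record

    def request_subscription(self, email, lead_source, purpose):
        """Step 1 of double opt-in: the subject asks to be mailed. Nothing is live yet."""
        token = secrets.token_urlsafe(16)   # unguessable; would go in the confirmation email
        self.pending[token] = {
            "email": email, "lead_source": lead_source, "purposes": {purpose},
            "requested_at": datetime.now(timezone.utc), "confirmed_at": None,
        }
        return token

    def confirm(self, token):
        """Step 2: following the emailed link proves the subject controls the mailbox."""
        rec = self.pending.pop(token, None)
        if rec is None:            # unknown, reused or expired token: no consent recorded
            return False
        rec["confirmed_at"] = datetime.now(timezone.utc)
        existing = self.records.get(rec["email"])
        if existing is not None:   # already on file: add the new purpose, keep the history
            existing["purposes"] |= rec["purposes"]
            existing["confirmed_at"] = rec["confirmed_at"]
        else:
            self.records[rec["email"]] = rec
        return True

    def may_email(self, email, purpose):
        """Only confirmed consent for this specific purpose permits a send."""
        rec = self.records.get(email)
        return rec is not None and rec["confirmed_at"] is not None and purpose in rec["purposes"]

    def opt_out(self, email):
        """Withdrawal: clear every purpose but retain the record as evidence of what was held."""
        rec = self.records.get(email)
        if rec is None:
            return False
        rec["purposes"] = set()
        rec["opted_out_at"] = datetime.now(timezone.utc)
        return True
```

The `may_email` check is the point to call from any mailing workflow, so that a list built for one product cannot silently be reused for another.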
8) Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Of course, you want to put all the measures in place to try to avoid this at all costs too. Sensible precautions start with strong passwords, regular reviews of user access rights, anti-virus and anti-malware software, hosting data on dedicated servers in reputable UK-based data centres and updating operating systems and CRM systems with the latest releases and patches available. If the worst happens then the service desk side of your CRM solution should kick off an immediate workflow process to guide the appropriate teams through the management of the breach.
9) Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
10) Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11) Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12) International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
If you’d like to gain a fuller understanding of how to adopt GDPR principles within the context of your CRM system please contact Prior Analytics.
We can assist with data audits, train staff on the key principles of GDPR, reconfigure your database to support double opt-ins for email marketing and advise on secure UK cloud solutions to host your CRM.