While you prepare your company for the GDPR, it’s good to keep two main goals in mind:
- Make your existing data ready for the GDPR,
- Adjust your privacy policies to ensure GDPR compliance.
To help you, we have put together a five-step plan that you can follow to prepare your company for the GDPR. This plan consists of the following steps:
- Map the personal information your company saves.
- Determine what data you need to keep.
- Learn how to stay GDPR compliant.
- Put security measures in place.
- Establish procedures to handle personal data.
1. Map the personal information your company saves
It’s important to check which personal data your company is authorized to store.
The types of personal details you are about to store depend on the type of business you are in. You should also think about how you are going to use the information you store.
This is why we recommend that all our customers consult a lawyer who specializes in the GDPR. They will be able to give you legal advice about what information your company is allowed to store and when you need to obtain explicit consent to store personal data.
Based on the legal recommendations you receive, you can map where the personal data in your company comes from and document how you wish to use this data.
What is the legal basis for storing personal data?
The reason why you save certain personal information is called the legal basis.
There are a number of standard legal bases for storing information, for example:
- Required by law
- Protect vital interests
- Public interest
- Legitimate interest
All of these categories for documentation of a legal basis are available in SuperOffice CRM (as of version 8.2).
This is a standard list, and it will apply to 95% of businesses.
You can edit this list of legal bases at any time in the Settings and Maintenance module, either by adding the legal basis categories that are specific to your business or by changing the names to fit your own terminology.
If you have a lot of existing data you want to update with a new or a changed legal basis, you can do this by using the bulk update feature.
2. Determine what data you need to keep
To determine what personal information you want to keep, it’s a good idea to look at the information you are currently saving.
You can find out what information your company saves by checking the Contact cards of your contacts: prospects, customers and lost customers.
You can have a look at:
- The general Contact tab, which holds such information as a person’s phone number, email address and mobile phone number. The Contact tab also contains information about the customer’s category and type of business they are in;
- The More tab, which can contain user-defined fields you have added to your SuperOffice solution;
- The Interest tab, which can contain different types of communication, work-related events your company might organize or other personal interests like a person’s hobby, for example.
Once you know what information you already have in your database, you can determine which customer categories you need and which you don’t need.
Maybe new categories have to be added, while others should be deleted?
Another thing you should think about is how long you need to store data about your prospects, customers and lost customers.
After a certain period, you will have to delete information that is no longer being used.
To help you, you can download a template for mapping all the categories you wish to use, the legal basis for saving each of them, and for how long you intend to save the information.
Irrespective of the GDPR, it is worth considering what data you keep in your CRM database and for how long. We recommend not storing unnecessary information and removing any data that isn’t being used. It’s best to store data for the shortest amount of time possible.
If your business collects a lot of data without any real benefit, it will, first of all, give you nothing but a cluttered database, and, secondly, you are simply not allowed to save irrelevant or redundant information under the GDPR (Art. 5).
During this clean-up process, ask yourself these questions:
- Why exactly are we archiving this data instead of just erasing it?
- What are we trying to achieve by collecting all these categories of personal information?
- Who has access to personal data in our SuperOffice CRM solution, and should they have access to this information?
3. Learn how to stay GDPR compliant
Now that you know what information you want to keep and how you want to update your existing customer information, let’s see how you can make sure you stay GDPR compliant in the future.
To do this, start by asking yourself this: “How do contacts typically ‘enter’ my SuperOffice database?”
There are three ways in which contacts are added to your database:
- Contact details can be collected digitally. You can receive contact details through the use of web forms, requests/tickets, incoming emails, or chat.
- Contact details can be collected manually. You can receive contact details through meetings, phone calls, trade shows, events, and social media.
- Contact details can be collected from other systems. You can add contact details through a data import or through integrations with other systems, such as your ERP solution.
When contact details are added digitally, you can ask for a person’s consent on your website or via a web form, for example, while people fill in their details.
When you register their details manually or through other systems, however, you have to ask for the person's consent to store and use their personal data separately after you’ve added their details to your CRM solution.
To help you ask for this consent, SuperOffice CRM contains the privacy confirmation email. This email will be sent to contacts to inform them that you intend to store their details in your CRM database.
How to ask for consent?
In order to properly ask for consent from the contacts you plan to store in your CRM database, you need to, first of all, know how you’ve collected their details.
You can make a list of all the sources from which you gather personal information, for example the web forms you use and the webpages where you use SuperOffice Chat.
To help you document this information, you can download our "Prepare for GDPR template":
When you ask for consent to store a person’s details, you should also allow them to control their consent at all times.
Here are some questions to check whether your contacts have the option to manage their consent:
- Can people opt-in for the subscriptions we offer?
- Is it possible for them to opt-out as well?
4. Put security measures in place
In line with the GDPR, your company needs to develop and implement safeguards throughout your CRM solution to help prevent any potential data breaches.
This means putting security measures in place to guard against data breaches or leaks, and taking quick action to notify individuals and authorities if such an event does occur.
Of course, SuperOffice can help you with this by making sure the data of all SuperOffice CRM Online customers is stored safely and securely.
However, it’s still your responsibility to make sure that you have the right security measures in place if and when a data breach occurs.
How can SuperOffice help you manage incidents?
It’s a good idea to create a workflow that contains a detailed description of all the steps you will take when a data breach is discovered or reported.
When you’ve discovered a data breach, you need to inform all contacts who are affected by it within 72 hours.
SuperOffice Service can help you collect any reports of a possible data breach. You can set up Service to follow the workflow you designed to inform and contain the potential data breach.
The Mailings feature in SuperOffice, on the other hand, can help you inform all contacts who were affected.
You can consider making a data breach email template. This template can be used when a data breach occurs, for example to inform your contacts about what has happened and how you plan to resolve the situation.
5. Establish procedures to handle personal data
Under the GDPR, all European individuals have 8 basic privacy rights.
You will need to establish privacy policies and procedures for how you will fulfill all these GDPR rights.
Again, here is a set of questions that can help you get ready to grant the 8 GDPR rights:
- How can individuals give their consent in a legal manner?
- What is the process if an individual wants his/her data to be deleted?
- How will you ensure that information will be deleted across all platforms?
- If an individual wants his/her data to be transferred, how will you do it?
- How will you confirm that the person who requested to have their data transferred is who they say they are?
- What is the communication plan in case of a data breach?
Under the GDPR, individuals have to give you their permission to store and process their personal data.
This means that pre-checked boxes and implied consent are no longer acceptable.
Also, we recommend that you review your privacy statements and disclosures and adjust them where needed.
You can read how SuperOffice CRM helps you honor and respect all 8 basic GDPR rights here.
How to configure your database
Now that you have gone through all the steps to prepare yourself and your company in your effort to become GDPR compliant, you can continue to the next step – to configure your database for the GDPR.
Based on your privacy policies, you can now: