The 8 GDPR privacy rights and SuperOffice CRM

Whether it’s a lead, a new contact with an existing customer contract, a partner or a supplier – it all starts with the collection of personal data.

Generally speaking, collecting personal data is still perfectly legal under the GDPR. However, the new EU law highlights that a company needs to have and document legitimate reasons for collecting and storing such data, depending on a business type, purpose and other circumstances, as specified in Article 5. A company is also required to inform a person within 30 days that it has stored personal information.

The GDPR also makes it very clear that everyone has the right to object to their personal data being collected, stored and used. The new EU regulation outlines that an individual has the right to object to direct marketing and some European marketing laws even require you to obtain explicit consent in order to send any marketing message at all.

That is why when “explicit consent” is used as the legal basis for data processing, you need to document where, when and how this consent was obtained (Article 7). This will be especially handy if a supervisory authority requests documentation from you.

How can SuperOffice CRM help you address this right?

GDPR article: 21, 21

Definition: A data subject has the right to object to their personal data being processed, regardless of whether or not they gave explicit consent to their data being processed. EU data subjects also have a right to stop personal data from being included in direct marketing databases.

SuperOffice functionality

In order to be able to satisfy a person’s right to object to their data being processed by your company, you will, first of all, need to be able to properly document the type of consent and the legal basis for data processing. Only then, you will have enough information and tools to respond to your contact’s objection. Tracking customers’ consents means you know if and when someone has objected.

To always be in control and have the necessary documentation in place if anyone enquires about their consent or legal basis for processing their personal data, you can use the Consent and Subscription management features in SuperOffice CRM.

• Consent Management tools allow you to register what consents you have for each person in your database, when and how you got the consent and who registered it, as well as to log the legal basis.

• Subscription Management tools allow you to keep track of the different types of communication someone has agreed to receive from you. These features ensure that you do not send e-marketing communications to people who have not given their permission for you to do so.

Transparency is key in the new GDPR world. All companies and organizations should now be completely clear as to what data they store and how, and specify it in a plain and easy-to-understand language typically in their privacy policies.

The GDPR also ensures that all people have the right to access their personal information and know how this information has been obtained and is being used by a company.  

Every company now needs to be able to provide a copy of the personal data they store on each contact, if and when somebody requests it. This, in turn, means that you need to have it well documented and have the means to deliver the information to the persons requesting it.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 15

Definition: A data subject has the right to know how his/her personal information has been collected, processed and stored, what data exists, and for what purposes.

SuperOffice functionality

In order to help you satisfy this right, SuperOffice CRM offers you a number of features.

• Consent Management: These features allow you to document the legal basis, the source of data, as well as when and how any consents were obtained, in line with the GDPR. Knowing this information allows you to quickly and easily provide a contact with the correct summary.

• Personal data report: Available in the latest version of SuperOffice CRM (8.3), the report allows you to offer access to the personal data you have stored on a particular person. Easily created, this report provides an accurate summary relevant only to the person requesting it. To ensure maximum protection, you can decide who in your organization should have access to create and distribute such a report.

• Shared inbox in SuperOffice Service: You can create dedicated mailboxes in SuperOffice Service, in which all privacy-related requests will be received and handled. This way you will avoid losing any important questions or requests, and be able to respond to such requests efficiently, offering full visibility of whether and how such requests were handled.

Also known as the right to rectification, this GDPR right ensures that companies take measures to allow people to change and correct their information if it is outdated, inaccurate or incomplete. Companies that work with the EU citizens data, from now on, have to provide individuals with a possibility to review and, if necessary, correct the data, as well as to confirm the correction to the requestor.

To correct something, a person, first, needs to know what information a company stores on them. After they’ve identified what needs to be corrected, they would also want to receive a confirmation that the information has been corrected.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 16

Definition: A data subject has the right to have incorrect or incomplete data corrected.

SuperOffice functionality

In order to help you satisfy this right, SuperOffice CRM offers you a number of features.

• Shared inbox in SuperOffice Service: In order to be able to provide information and obtain requests to correct data, you need a centralized, dedicated place to receive such requests and follow up on them. That’s why a shared inbox in SuperOffice Service can help, as correction requests will be stored as customer requests and you can monitor better whether or not they have been resolved. 

• Editing fields in SuperOffice: It has always been possible for the users of SuperOffice CRM to edit the information on a contact directly in the system. However, you may want to impose some restrictions on who can edit or what they can edit. For example, if you use another system as the “master” database, you may not necessary want to give everyone the right to edit, but instead define the authorization steps that needs to be taken in order to delete information.

• Personal data report: This new functionality available in the latest version of SuperOffice CRM allows you to easily send a confirmation to a contact that their information has been corrected.

The GDPR not only states that a person can request that his/her data is deleted from a company’s database, but it also mandates companies to remove personal data form their systems when they no longer have any legal basis for keeping it (Article 5).

So, even if someone does not ask to be deleted, you still cannot keep their personal data indefinitely without a legitimate reason to do so. It means you have to clean up your data regularly and make sure that all the information entries are stored in line with your company’s privacy policies.

In order to be fully compliant in relation to this right, your company needs to ensure that the following functionality is in place: (a) you’re able to track all data related to a contact, (b) you’re able to delete information if requested; (c) you’re able to send confirmation that the data was deleted; (d) you’re able to automatically delete data after a necessary (determined) retention period is over.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 17

Definition: A data subject has the right to have personal data permanently deleted.

SuperOffice functionality

In order to be able to easily satisfy this right, you need to have a procedure for receiving such requests from people who want to be forgotten.

• Shared inbox in SuperOffice Service: You can create dedicated mailboxes in SuperOffice Service, where all such requests will be received and handled, and nothing is lost. Using a shared inbox to capture such privacy-related requests makes it possible for a company to make the necessary assessment, before they delete an individual contact. SuperOffice Service inbox can also help you respond to such requests efficiently, offering full visibility of whether and how such requests were handled.

• Delete an individual contact: The newest version of SuperOffice CRM (8.3) allows you to view all contact-related information in a dedicated screen, making it easier to delete individual contacts. When a contact is deleted, all data is automatically anonymized in the activities stored elsewhere in SuperOffice. This way you do not lose other relevant data that affects your business. Make sure you assign the right to delete contacts exclusively to the people in your organization who should be dealing with such requests.

• Bulk delete contacts from a selection: Available in SuperOffice CRM 8.3 or newer, this functionality allows you to delete a number of contacts at once. For example, you can identify a set of contacts or companies that you no longer want to store in your SuperOffice CRM and then mass delete them rather than having to do it one by one. A useful time-saver!

• Correct deletion mistakes in the recycle bin: Deleting contacts is sometimes a tricky business. If a contact or a company has been deleted by mistake, you can undo it by using the “recycle bin”. Even though a deleted contact or a company are immediately hidden from all users, they are still available for a few days in the recycle bin from which you are able to restore a company or a contact that was mistakenly deleted. 

• SuperOffice SAINT: Another way to easily find the contacts that you need to delete from your database is by using SuperOffice SAINT, which helps you to create SAINT selection and find exactly the customers that match your search criteria. SuperOffice will find these contacts and place them in a dynamic selection for you, so you can decide what action to take.

• Automate the deletion of contacts: You can create a CRM script to delete contacts if they satisfy certain criteria that you have defined for when a contact should be removed from your database. The criteria may be a contact’s category coupled with lack of consents, activities over a given time and so on. Such automatic processes can ensure that there are no obsolete data in your database, which means less work for your CRM team.

The GDPR outlines that individuals have the right to transfer their personal data to other service providers or reuse it for other purposes. The data subjects also have the right to have their data transferred directly from one data controller to another, without them having to handle the data.

If your company receives such a request, you need to be able to provide a summary of the data you store in your database in a structured, commonly used and machine-readable format.

Most of the time such requests are necessary when people switch their banks or insurance providers.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 20

Definition: A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a secure way, in a commonly used format.

SuperOffice functionality

This privacy right is only really relevant to the users of  SuperOffice CRM if the solution is integrated with another system that collects personal data without human intervention. If such data is added to SuperOffice CRM via an integration, then it is necessary to also be able to provide a data report to requesting individuals.

There are no special features in SuperOffice CRM that address this particular GDPR right; however, you still have a few possibilities to offer a report on the data you have stored on an individual by:

• Creating a Selection of the data that pertains to an individual who requested a portable report and later exporting all data fields to an Excel file.

In line with the GDPR, individuals have the right to restrict or suppress processing of their personal data.

Any person can make a restriction request verbally or in writing, and a data controller has one calendar month to respond to the request. A data file that contains information on a person who restricted processing may remain in a company’s system, but the company cannot use this information in any way.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 16, 21

Definition: A data subject has the right to block or suppress their data being processed by public authorities or companies processing without explicit consent, as well as the right to stop personal data from being included in direct marketing databases.

SuperOffice functionality

There are no special features in SuperOffice CRM that address this right. In our view, the only thing that an individual is likely to restrict processing of is their inclusion in the email marketing distribution lists.

However, there are still a few tools that can help you address this right in SuperOffice CRM, if needed:

• Subscription Management allows you to easily restrict the dispatch of any mailings or sending any other unwanted communication to a certain contact.
• SuperOffice SAINT can be used to set up visual alerts in the system each time a contact person requests to not be processed. For example, you can define a field, such as a tick-box or a list option, which, if activated (marked), triggers SAINT to alert a CRM user that this contact has asked to be put on “hold”. This also makes it easier to ensure that no contacts with such “restriction” criteria are included in mailing selections or other external communication activities.

This right, also known as the right to manual processing, is set to protect people against the risk of being subject to a potentially damaging decision that is made without human intervention.

Although it may sound complicated, let’s clarify what it means: the people on whom you store information have the right to choose to not to be the subject of a decision based on automated processing, especially when this decision may entail legal consequences related to them. This means that they can ask for manual (human) processing of their information, in order to avoid being subject to a potentially harmful automated decision-making.

So, instead of algorithms making a decision on a person, those will have to be human beings!

This right also defines profiling – an automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process too.

How can SuperOffice CRM help you address this right?

GDPR articles: 12, 22

Definition: A data subject has the right to demand human intervention, rather than having important decisions made solely by an algorithm or other automated processing.

SuperOffice functionality

This right is more relevant to other systems than what a CRM solution typically is used for. Exercising this right is relevant to the systems that determine whether someone is eligible for a bank loan or insurance coverage, and similar. 

Therefore, there are no specific features in SuperOffice CRM to support this right directly, other than the opportunity to capture requests for manual processing by setting up the shared inbox in SuperOffice Service.