Manage your privacy settings (GDPR)
As a company, you need to collect, store and handle people's personal data. Under the GDPR, you now need to have a lawful reason as to why you want to store this information.
The General Data Protection Regulation (GDPR) provides citizens of the EU with greater control over their personal data and assures that their information is being securely protected across Europe, regardless of whether the data processing takes place in the EU or not.
All businesses gather personal information about their prospects, customers, suppliers and business contacts. This is typical information that is stored in your CRM database, and you need to be able to document and handle it according to how you run your business and the GDPR requirements.
To make it easier, SuperOffice CRM has a set of privacy features called Consent Management, designed to help you document when, how, and why new personal data entered your CRM solution.
Tip
If you need help to set up the GDPR settings in accordance with how you run your business, we always recommend using one of our skilled consultants to ensure that the requirements are being followed.
SuperOffice CRM covers your documentation needs
There are several ways the information about persons and their personal data gets stored in SuperOffice CRM. It may come from manual registration, via email, through chat, service tickets, web forms, or integrations to other back-end systems.
Regardless of how a person "enters" the database, SuperOffice CRM offers the documentation a company needs for the WHY, HOW and WHEN new personal data enters the system.
This means that you are responsible for defining policies that are GDPR compliant.
Then you can set SuperOffice CRM to automatically record:
- The correct purpose (WHY you are storing the information on a particular person)
- The legal base (GDPR article 6.1 – Lawfulness of processing)
- The source/origin (HOW this person entered SuperOffice CRM, for example: manually registered, via web form, email)
- The date and time (WHEN the information on a person was entered)
- Who did it
To help you meet the GDPR requirements, SuperOffice CRM contains a whole set of features.
From the start, there are some default settings that you can change to fit the way you work, and there are additional options to support how your company gathers and handles personal data.
Ask for consent
The GDPR outlines what is regarded as lawful reasons to handle personal data and requires you to gain the person's consent to store their data and respect their privacy.
In some cases, you need to ask for explicit consent to collect and store personal data. This could be relevant if your business collects sensitive personal information about a person. It is also common practice to ask for consent up front when securing personal details via inbound marketing methods.
Whenever explicit consent is needed, the GDPR states you must document the consent itself, as well as where it was collected, when it was collected and by whom.
This is what you achieve by using the consent management fields in SuperOffice CRM:
- Legal basis: where you can document the reason why you want to store and use an individual's data.
- Purpose: where you can document what you are going to use the data for.
- Source: where you record how a contact's personal information was collected. This can be anything from getting a business card, to receiving an email or someone filling out a web form on your website.
What types of purposes, legal bases and sources you need to use will depend upon how your business collects personal data and for what reasons and purposes. After you have identified this, you are able to define these fields inside your SuperOffice CRM.
Define privacy and consent requirements
To define these fields, go to Settings and Maintenance and select Privacy. This is where you can define the different consents your business requires to document and store data.
There are two default purposes already created in the system for you to use:
- The first, Sales and Services, suggests that the reason you store personal data in your CRM solution is that you want to sell and/or service the contact with your products and services.
- The second, E-marketing, states that your purpose for storing the information is to send marketing material to a contact. In a lot of European countries, this purpose requires explicit consent, especially when sending marketing materials to prospects.
These purposes may or may not be the right consents for your company to use. Based upon your own company's privacy policies, you need to:
- Define what privacy fields are right for your company.
- Set up the privacy settings according to the consent documentation you need.
- Update, add or delete all the reasons your company needs for storing consents.
Get started with GDPR in SuperOffice CRM
To configure your SuperOffice CRM for the GDPR, you need to take three basic steps:
- Preparation
- Configuration
- Allocation of access rights
You can configure SuperOffice CRM yourself if you have basic needs, or if you have had experience setting up a CRM system before. Alternatively, you can ask one of our consultants to help you do it.
Prepare your company for the GDPR
How the GDPR law applies to your business is the responsibility of your management. You need to have a privacy strategy in place and know what data you want to store in what system, as well as how you intend to handle this data. All of this will determine how you set up SuperOffice CRM to support your operational strategy and processes.
To help you get ready, we created a 5-step plan that will help you:
- Map the personal information your company saves.
- Determine what data you need to keep.
- Learn how to stay GDPR compliant.
- Put security measures in place.
- Establish procedures to handle personal data.
While you prepare your company for the GDPR, keep two main goals in mind:
- Make your existing data ready for the GDPR.
- Adjust your privacy policies to ensure GDPR compliance.
Map the personal information your company saves
It is important to check which personal data your company is authorized to store.
The type of personal data you can store depends on the type of business you are in. You should also think of how you are going to use the information you store.
This is why we recommend that all our customers consult a lawyer who specializes in the GDPR. They will be able to give you legal advice about what information your company is allowed to store and when you need to obtain explicit consent to store personal data.
Based on the legal recommendations you receive, you can map where the personal data in your company comes from and document how you wish to use this data.
What is the legal basis for storing personal data?
The reason why you save certain personal information is called the legal basis.
There are a number of standard legal bases for storing information, available in SuperOffice CRM (as of version 8.2). This is a standard list, and it will apply to 95 percent of businesses.
You can edit this list of legal bases at any time in Settings and Maintenance by adding the legal basis categories that are required specifically for your business or changing the names to fit your own terminology.
If you have a lot of existing data you want to update with a new or a changed legal basis, you can do this by using the bulk update feature.
Determine what data you need to keep
To determine what personal information you want to keep, look at the information you are currently saving.
You can find out what information your company saves by checking the Contact cards of your contacts: prospects, customers and lost customers. You can have a look at:
- The Contact tab, which holds such information as a person's phone number, email address and mobile phone number, as well as information about the customer's category and type of business they are in;
- The More tab, which can contain user-defined fields you have added to your SuperOffice CRM solution;
- The Interest tab, which can contain different types of communication, work-related events your company might organize or other personal interests like a person's hobby, for example.
After you know what information you already have in your database, you can determine which customer categories you need and which you do not need.
Maybe new categories have to be added, while others should be deleted?
Another thing you should think about is how long you need to store data about your prospects, customers and lost customers.
After a certain period, you will have to delete information that is no longer being used.
To help you, you can download a template that will help you map all the categories you wish to use, the legal basis for saving, and for how long you intend to save the information.
Irrespective of the GDPR, it is generally worth considering what data you keep in your CRM database and for how long. We recommend not storing unnecessary information and removing any data that isn't being used. It is best to store data for the shortest amount of time possible.
If your business collects a lot of data without any real benefit, first, it won't give you anything but a cluttered database, and second, you are simply not allowed to save irrelevant or redundant information under the GDPR (Art. 5).
During this clean-up process, ask yourself these questions:
- Why exactly are we archiving this data instead of just erasing it?
- What are we trying to achieve by collecting all these categories of personal information?
- Who has access to personal data in our SuperOffice CRM solution, and should they have access to this information?
Learn how to stay GDPR compliant
Now that you know what information you want to keep and how you want to update your existing customer information, let us see how you can make sure you stay GDPR compliant in the future.
To do this, start by asking yourself this: "How do contacts typically 'enter' my SuperOffice database?"
There are three ways in which contacts are added to your database:
- Contact details can be collected digitally. You can receive contact details through the use of web forms, requests/tickets, incoming emails, or chat.
- Contact details can be collected manually. You can receive contact details through meetings, phone calls, trade shows, events, and social media.
- Contact details can be collected from other systems. You can add contact details through a data import or through integrations with other systems, such as your ERP solution.
When contact details are added digitally, you can ask for a person's consent on your website or via a web form, for example, while people fill in their details.
When you register their details manually or through other systems, however, you have to ask for the person's consent to store and use their personal data separately after you have added their details to your CRM solution.
To help you ask for this consent, SuperOffice CRM contains a privacy confirmation email. This email will be sent to contacts to inform them that you intend to store their details in your CRM database.
In order to properly ask for consent from the contacts you plan to store in your CRM database, you need to, first of all, know how you have collected their details.
You can make a list of all the sources from which you gather personal information. For example, write down the web forms you use and the webpages where you use SuperOffice Chat.
When you ask for consent to store a person's details, you should also allow them to control their consent at all times.
Questions to check whether your contacts are able to manage their consent:
- Do we offer a link to our Privacy Policy statement?
- Can people easily accept and agree with our Privacy Policy?
- Can people opt-in for the subscriptions we offer?
- Is it possible for them to opt-out as well?
Put security measures in place
In line with the GDPR, your company needs to develop and implement safety checks throughout your CRM solution to help prevent any potential data breaches.
This means putting security measures in place to guard against data breaches or leaks, and taking quick action to notify individuals and authorities if such an event does occur.
Of course, SuperOffice can help you with this by making sure the data of all SuperOffice CRM Online customers is stored safely and securely.
However, it is still your responsibility to make sure that you have the right security measures in place if and when a data breach occurs.
How can SuperOffice CRM help you manage incidents?
It is a good idea to create a workflow that contains a detailed description of all the steps you should take when a data breach is discovered or reported.
When you have discovered a data breach, you need to inform all contacts who are affected by it within 72 hours.
SuperOffice Service can help you collect any reports of a possible data breach. You can set up Service to follow the workflow you designed to inform and contain the potential data breach.
The Mailings feature in SuperOffice, on the other hand, can help you inform all contacts who were affected.
You can consider making a data breach email template. This template can be used when a data breach occurs; for example, to inform your contacts about what happened and how you plan to resolve the situation.
Establish procedures to handle personal data
Under the GDPR, all European individuals have 8 basic privacy rights.
You will need to establish privacy policies and procedures for how you will fulfil all these GDPR rights.
Again, here is a set of questions that can help you get ready to grant the 8 GDPR rights:
- How can individuals give their consent in a legal manner?
- What is the process if an individual wants their data to be deleted?
- How will you ensure that information will be deleted across all platforms?
- If an individual wants their data to be transferred, how will you do it?
- How will you confirm that the person who requested to have their data transferred is the person they say they are?
- What is the communication plan in case of a data breach?
Configure your database for the GDPR
Based on your privacy policies, you can now:
- Change privacy lists
- Set up privacy settings
- Add and edit subscription types
After you know what personal data you intend to store in SuperOffice CRM, as well as why and when you will store it, you can configure SuperOffice to support your policies.
To set up the GDPR functionality in your SuperOffice CRM solution, you can:
- Change privacy lists: By default, there are two main purposes for storing and processing personal data defined in SuperOffice CRM, and you can change these settings to fit what is right for your company.
- Set up privacy settings: This includes the rules for if and when to automatically inform a person by email that their information was stored in your systems. You can also set up the system so that e-marketing communications are not sent to any CRM contacts who do not have the necessary consents registered (i.e. they are excluded from the mailing list).
- Add and edit subscription types: This functionality helps you offer a person a chance to not only give consent to receive e-marketing mailings from your company, but also to define their own mailing preferences.
Each of these how-to pages contains both a how-to video and a step-by-step guide that you can use to configure your SuperOffice CRM solution to match your privacy policies.
Allocate access rights
Because the main goal of the GDPR is to protect people's privacy and to keep their personal data safe, not all GDPR-related functionality in SuperOffice CRM should be accessible to everyone in your company.
You need to assign access rights to perform the following functions:
- Manage e-marketing subscriptions: By default, only the contact can update their subscription preferences. You are, however, able to give certain users the access right that allows them to update the e-marketing subscriptions of a contact manually.
- Mass update contact information: This functionality allows you to add, change or remove personal details for groups of contacts, activities, sales, and projects, all in just a few clicks.
- Mass delete contact information: This functionality allows you to delete contacts that should not (or no longer) be saved in your database as a result of your company's privacy statement.
GDPR compliance – an ongoing project
By completing the three steps, you have taken important steps towards GDPR compliance. However, being GDPR compliant is an ongoing project and involves all the IT systems your company uses. From now on, you should focus on maintaining the proper management of personal customer data in your SuperOffice CRM – according to your company's privacy policies and the GDPR requirements.