Zero BS CRM and GDPR

Last Updated – 21st May 2018

What is GDPR?

GDPR stands for General Data Protection Regulation. It is the new regulation coming into force on the 25th May 2018, and it affects anyone in the EU.

This includes the UK (where we are based), but, importantly, it also impacts ANY website that might be touched / visited / interacted with by someone from the EU.

Yes, that means YOU.

Zero BS CRM and GDPR

Part of the good news about Zero BS CRM is that we personally are not responsible for the data you hold in your CRM. That lies with you. This may make you think there’s more work because you “host your own CRM”, but in essence, even just by having your own website, you’ll (probably) need to comply with GDPR anyway.

Click here for copy-paste HTML to add ZBS to your privacy policy

If you’re thinking, man, I don’t want to have to comply, let’s shift operations to an online SaaS CRM that has to comply (and not me), well, then again you’re most likely wrong.

You’ll be either a data controller or a data processor regardless of who hosts your CRM (you or someone else).

A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you are currently subject to the UK’s Data Protection Act, for example, it’s likely you will have to look at GDPR compliance too.

Privacy Concerns

I’m sure you’ve seen the news about Facebook and Cambridge Analytica – trusting your data to a “big online company” means you don’t have the control that you do while hosting your own data. By using Zero BS CRM you’ll be self hosting your data, and as such you’ll be a data controller (and processor).

This is true regardless of where your data physically sits. If you were tempted to use an “online” CRM like Zoho, then you may think you’re free of the rules and it’s up to Zoho. Wrong. You’ll still be controlling and processing data – you’ll just be doing that on their platform rather than your own.

So, wherever you host your CRM you’ll need to be aware of your duties with GDPR.

Hosting your own CRM means you have more control over this and, importantly, only have yourself to blame for any breaches (vs a 3rd party company who houses your data selling it out – like Facebook allowed).


Our Handy Zero “BS” Checklist

We have sourced a checklist* for “GDPR” and have added our comments (after the dash in each item) as to how you can comply with it while still using Zero BS CRM.

YOUR DATA

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it
  • Your company has a list of places where it keeps personal information and the ways data flows between them
  • Your company has a publicly accessible privacy policy that outlines all processes related to personal data
  • Your privacy policy should include a lawful basis to explain why the company needs to process personal information

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it – This goes wider than just your CRM, although you can directly see your lists of data in the CRM (contact view, invoice view, transaction view). We also maintain the Date Added and the “Date Last Contacted”. It’s up to you to define how long you keep the data (and what you do with it).
  • Your company has a list of places where it keeps personal information and the ways data flows between them – Perfect, just like above, the CRM has the list of places and you’ll be able to see the way data flows. For example, if you use Zero BS CRM and Gravity Forms with our Connector to collect leads, and those leads are then automatically added to your MailChimp list, you have the following flow:
    • Website (Data captured via Gravity Form)
    • Data flows into Zero BS CRM via the Form (and stored)
    • Data then flows over to MailChimp for email processing
  • Your company has a publicly accessible privacy policy that outlines all processes related to personal data. – If you have a privacy policy already, then great. If you don’t then you can use a template from here. You can view our own policy here.
  • Your privacy policy should include a lawful basis to explain why the company needs to process personal information – Covered by above.

ACCOUNTABILITY & MANAGEMENT

  • Your company has appointed a Data Protection Officer (DPO)
  • Create awareness among decision makers about GDPR guidelines
  • Make sure your technical security is up to date
  • Train staff to be aware of data protection
  • You have a list of sub-processors and your privacy policy mentions your use of this sub-processor
  • If your business operates outside the EU, you have appointed a representative within the EU
  • You report data breaches involving personal data to the local authority and to the people (data subjects) involved
  • There is a contract in place with anyone that you share data with

  • Your company has appointed a Data Protection Officer (DPO) – This one is easy to put in place, but then make sure they understand their duties.
  • Create awareness among decision makers about GDPR guidelines – This is a general team / company / Entrepreneurial standpoint.
  • Make sure your technical security is up to date – This includes your extensions and any plugins that you’re using. If you’re not up to date, then the risk is on you and you could be in breach of the regulations.
  • Train staff to be aware of data protection – Take a course on it or read a book 🙂
  • You have a list of sub-processors and your privacy policy mentions your use of this sub-processor – See what “Zero BS CRM Uses” here.
  • If your business operates outside the EU, you have appointed a representative within the EU.
  • You report data breaches involving personal data to the local authority and to the people (data subjects) involved – If you do suffer a breach, then you need to report it. There are plenty of guides on what to do in your region. Google a guide for your locale. We don’t list them here.
  • There is a contract in place with any data processors that you share data with – i.e. you have agreed to their T&Cs and read their privacy policy too.

NEW RIGHTS

  • Your customers can easily request access to their personal information
  • Your customers can easily update their own personal information
  • You automatically delete data that you no longer have use for
  • Your customers can easily request deletion of their personal data
  • Your customers can easily request that you stop processing their data
  • Your customers can easily request that their data be delivered to themselves or a 3rd party
  • Your customers can easily object to profiling or automated decision making that could impact them

  • Your customers can easily request access to their personal information – through Zero BS CRM you can easily connect your CRM notes with a contact form. So any access request attaches to the record, and providing the data is then super easy.
  • Your customers can easily update their own personal information to keep it accurate – this is super easy with Zero BS CRM and the Customer Portal. They can log in and update their details from the portal easily.
  • You automatically delete data that your business no longer has any use for – we have an automation for that, but also you can delete the data in bulk through deleting a contact (from the list view) and choosing delete all related objects.
  • Your customers can easily request deletion of their personal data – A contact form linked to ZBS CRM is easy enough.
  • Your customers can easily request that you stop processing their data – as above.
  • Your customers can easily request that their data be delivered to themselves or a 3rd party – as above.
  • Your customers can easily object to profiling or automated decision making that could impact them – again, a simple form is enough.

CONSENT

  • Ask consent when you start processing a person’s information
  • Privacy policy should be written in clear and understandable terms
  • It should be as easy for your customers to withdraw consent as it was to give it in the first place
  • If you process children’s personal data, verify their age and ask consent from their legal guardian
  • When you update your privacy policy, you inform existing customers

  • Ask consent when you start processing a person’s information – this is in T&Cs, Privacy Policies and checkboxes.
  • Your privacy policy should be written in clear and understandable terms – We have our detailed Privacy Policy, but also a “No BS Privacy Policy” which gives an overview.
  • It should be as easy for your customers to withdraw consent as it was to give it in the first place – a contact form is fine.
  • If you process children’s personal data, verify their age and ask consent from their legal guardian – we don’t process children’s data.
  • When you update your privacy policy, you inform existing customers – we do this via our newsletter.

FOLLOW UP

  • You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to

  • You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to – we have a process in place to review our providers quarterly and update our policies.

SPECIAL CASES

  • Your business understands when you must conduct a DPIA for high-risk processing of sensitive data – if you have any, read about what a Data Protection Impact Assessment involves.
  • You should only transfer data outside of the EU to countries that offer an appropriate level of protection

*checklist sourced from: https://gdprchecklist.io/