Sign up for a review of your GDPR requirements: http://www.mycrmgroup.com/gdprreview
Today we are looking at some data questions. As a topic it may sound a little dry, but it is a subject I have always enjoyed; I even spent some of my time at university studying the original data protection regulations.
In this article we look at data access rights under the GDPR and at what your business may need to do, and how, to comply.
From 25 May 2018, customers, suppliers and employees will have new rights to access their data on request. Any living person who has interacted with your organisation can ask for the data held about them and for your statements on how that data is processed.
Data access requests are not unusual, and they can already be made under the current Data Protection Act; but from 25 May 2018 a new set of rules applies to every business that processes personal data.
The new regulation covers data access requests alongside other principles that businesses and business owners need to prepare for. In the past the general mindset among owners of small and medium-sized businesses was that, under current legislation, data protection was not something to be too concerned about. That changes for most operating businesses that process personal data. A wait-and-see approach will no longer be acceptable: fines of up to 4% of global annual turnover or 20 million euros, whichever is higher, can be levied against companies that do not comply. Although not every instance of non-compliance will attract the maximum fine, the ceiling is significantly higher than under the current UK Data Protection Act.
Most public sector bodies also had to deal with the Freedom of Information Act in the early 2000s, which lets anyone request recorded information from public authorities on any topic, not just information held about themselves.
With the digital economy growing and cybercrime on an upward trajectory, it makes sense to review the regulations, your systems and your processes ahead of the May 2018 deadline.
Some people may think GDPR is the new millennium bug, not least because of the number of specialist services and consulting groups that have sprung up to give advice on it.
The best thing I can do is break down the key requirements and consider whether centralising your customer and prospect data in a CRM system would help or hinder.
Firstly, it is worth clarifying that GDPR is not just a piece of EU guidance: it is a regulation, not a directive, so it applies directly in every member state without needing national transposition, unlike the 1995 Data Protection Directive, which each country implemented through its own legislation (in the UK, the Data Protection Act 1998).
The UK government will bring the same rules into UK law in May 2018, and they will be enforced by the Information Commissioner's Office (ICO).
Any organisation doing business with, or holding data about, individuals in the EU or the UK will need to comply with the new rules and be able to support data requests and data security as defined by the regulation's many articles.
Using a CRM solution or customer database has a range of well-known benefits, covered in many other posts; for GDPR specifically, keeping your data in one place and being able to audit and track where data is recorded will make the implementation far easier.
So is it the next big thing, like the millennium bug? It could actually be bigger. Looking back to 1999 and Y2K, nobody knew exactly what would happen or could confirm whether the computers would go haywire. What the millennium bug did achieve was a lot of spending: IT directors were given big budgets to replace systems and software, resulting in continued growth in the IT sector and what was dubbed the dot-com era.
Is GDPR a wait-and-see kind of thing, then? No, most definitely not, and the clock is ticking toward 25 May 2018. As a business owner you are unlikely to be fully compliant from day one, and compliance will be a work in progress, but the critical areas must be addressed. What the regulator will not accept is doing nothing and hoping GDPR goes away.
GDPR is not going away; with the increased use of cloud computing and our growing individual digital footprints, there is more need than ever to make sure data is secure and well managed.
One of the first things you need to do is understand GDPR: its topics and articles, and what it means for your business and organisation as a whole.
Unfortunately, as with all new regulation, there is fact and fiction in how it is interpreted for you as a business owner. After researching and talking to a number of self-declared specialists, I, like others and maybe yourself, have found interpretation to be hazy, and some advice is not really relevant or correct.
But after some real perseverance, research and reading a number of articles and the government's draft legislation, I think I now have a pretty good handle on what is expected.
GDPR in the UK and across the EU has been designed to strengthen the security of personal data and the rights of individuals. In the UK the new regulation supersedes the current Data Protection Act and is overseen by the ICO (Information Commissioner's Office). As a business owner you will still be required to register with the ICO and pay the data protection fee. Do this directly with the ICO at https://ico.org.uk/for-organisations/register/ and not through any third-party broker.
Registration fees may well change depending on the type of business, and further exemptions from the fee may be added; the ICO will publish the full details of cost and registration by April 2018. The £10 fee a data subject could be charged for requesting their data under the Data Protection Act is removed under GDPR (a reasonable fee may still be charged only where a request is manifestly unfounded or excessive), so make sure your legal team and your GDPR compliance are current.
There are several areas of your business that make up the full GDPR picture. This article does not have room to cover each in great detail, but it gives a quick summary of each area needing consideration and concludes with how a centralised CRM system can help you meet a number of the goals and requirements.
Map and understand your business data – Your organisation may have many data silos, from documents and spreadsheets to databases and online systems. The first exercise is to find out which silos you have and where they are. Next, review the data held in each to see whether it contains personal information that can identify an individual, and document your findings. This may seem simple, but it is real work: you also need to consider backups, removable drives, even USB keys. Plan the exercise and record everything you find.
Once you have identified all the data you hold and where it lives, including physical records, evaluate it and record the type of data held in each location.
Then document what each data set is used for, how it is processed and whether it is sent to any third-party providers. If data goes to third parties you must check that each one is GDPR compliant and establish where, nationally or internationally, copies of the data are stored.
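As an added illustration of the mapping exercise above (this is example code written for this article, not part of MyCRM or Microsoft Dynamics), the following Python script walks a directory tree standing in for your data silos, looks for the identifiers the regulation treats as personal data (email addresses and IP addresses, which the consent section below calls out, plus UK-style phone numbers) and produces one inventory record per file. The sample files, directory names and regular expressions are all constructed for the example; a real run would point it at file shares, exports and backup locations and feed the records into your documentation.

```python
"""
Added example: a small personal-data discovery pass over a directory tree.

Illustrative code written for this article, not a MyCRM or Microsoft
Dynamics component. It looks for email addresses, IPv4 addresses and
UK-style phone numbers and builds one inventory record per file: where
the data lives, which identifier types appear, and how many distinct
values. The sample files are constructed here so the script runs offline.
"""
import ipaddress
import os
import re
import tempfile

# Patterns are deliberately simple; the point is the inventory, not a
# perfect PII classifier. Each match is validated where a cheap check exists.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # UK numbers: +44 or a leading 0, then 9-10 digits with optional separators
    "uk_phone": re.compile(r"(?:\+44\s?|\b0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b"),
}

# Formats this example can read directly; anything else is flagged, not skipped.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".md"}


def _valid_ipv4(candidate: str) -> bool:
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


def scan_text(text: str) -> dict:
    """Return {identifier_type: set_of_distinct_values} found in text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        values = set(pattern.findall(text))
        if kind == "ipv4":
            values = {v for v in values if _valid_ipv4(v)}  # drop 999.1.1.1 etc.
        if values:
            found[kind] = values
    return found


def scan_tree(root: str) -> list:
    """Walk root and return one inventory record per file that needs attention."""
    inventory = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                # Binary formats (spreadsheets, backups, mailbox files) need their
                # own extractor; record them for manual review rather than skipping.
                inventory.append({"path": rel, "identifiers": {},
                                  "status": "needs manual review"})
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                inventory.append({"path": rel,
                                  "identifiers": {k: len(v) for k, v in found.items()},
                                  "status": "contains personal data"})
    return sorted(inventory, key=lambda r: r["path"])


def make_sample_tree() -> str:
    """Create a constructed directory of files standing in for real data silos."""
    root = tempfile.mkdtemp(prefix="gdpr_inventory_")
    files = {
        "exports/leads.csv": "name,email,phone\nA Person,a.person@example.com,01983 245 245\n",
        "logs/web.log": "10.0.0.7 - - [10/Oct/2017] GET /signup\n"
                        "10.0.0.7 - - [10/Oct/2017] GET /thanks\n",
        "docs/policy.txt": "This policy describes how we process data.\n",
        "backups/crm.bak": "\x00\x01binary\x02",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for record in scan_tree(make_sample_tree()):
        print(record)
```

The one design choice worth copying is that a file the scanner cannot read is recorded as "needs manual review" rather than silently skipped: backups and spreadsheets are exactly where forgotten personal data tends to sit, and the inventory has to show them even when the tooling cannot open them.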
Third-party processing – Your business will use services such as payroll, an accountant, perhaps an HR provider, and online services. Each needs your attention, and each third party that processes personal data on your behalf must meet GDPR: under Article 28 there must be a written contract setting out what the processor may do with the data. Evaluate each provider, request a statement of how your company's data is stored and processed, document it as part of your assessment and keep that documentation up to date. Past and present employees have a right to ask about data held on them, so make sure records and contracts are current, organised and easy to access.
Brexit and EU data protection authorities – The UK is going to leave the EU, so as part of your GDPR assessment you will need to identify which data you hold about individuals in which country, and which supervisory authority applies when reporting an incident or a breach. The link below gives a list of EU data protection authorities with contact details: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
If you hold information about anyone who resides in an EU country, regardless of whether they are an EU citizen, you will need a record of which authority you would contact in the event of a complaint or a data breach.
For data on individuals held outside the EU, a list of the relevant bodies can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/third-countries/index_en.htm
You will also need to review how the rules are applied in each country where you hold data about individuals. Companies in the UK report to the ICO; once the UK has left the EU you may also need to report incidents involving EU residents' data to a nominated EU supervisory authority.
Appointing a Data Protection Officer – Depending on the size and nature of your business you may need to appoint a Data Protection Officer; the regulation makes this mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The DPO is responsible and accountable for recording and managing data and data processing. Your GDPR assessment will produce a list of all systems where personal data is recorded, and the DPO will need to review and reassess that list regularly.
Consent to use data – It may be assumed that because you hold an individual's data (customer or employee) you have the right to use it as needed. That will not be the case after May 2018. Every use of personal data needs a lawful basis, and consent is only one of them (others include performing a contract and meeting a legal obligation); whichever applies, you must tell each individual what their data is used for. Employee data is usually processed under the employment contract and legal obligations rather than consent, which is why an employee cannot have all their data removed: they would not get paid. It is a matter of balancing what data is collected against what it is used for, and giving employees a clear breakdown of who holds what and where.
The same applies to customer data, especially for marketing. Consent for marketing must be obtained and a statement provided on how the data is kept and what marketing activity takes place. Crucially, the individual must be able to change their marketing preferences and fully unsubscribe if they choose. When someone exercises the right to be forgotten, your organisation must be able to show that all data held about them has been permanently removed. If the individual has outstanding financial obligations with your organisation, the right to erasure does not apply until the contract or obligation is complete.
Data held on an individual may only be used for purposes proportionate to why it was collected, and the individual must be told how it is processed. Note that data such as an email address that identifies a person, or even an IP address that can be used to look someone up, is personal data under the new regulation.
Data access requests – Under GDPR an individual can request access to the data held about them, and you must respond within one month; centralising your data in a CRM system will help you respond quickly. An individual also has the right to receive their data in an electronic, machine-readable format and to have it transferred to another provider where appropriate. From an IT perspective you will need to decide how requests are made, how they are validated (that it really is the right person making the request), how the process is followed and how the related data is then made available. An individual can also request corrections to the data held, and you will need to comply where the change has no impact on your legal obligations.
Most organisations are expected to either set up a web portal for GDPR requests or accept them by email and process them accordingly. Note that a request is valid however it arrives, including verbally, so front-line staff need to be able to recognise one and route it into the process.
Data privacy statement – As part of your GDPR assessment you will also need your legal team to review your privacy statement so that it covers how you process data and how an individual can make a request. I can confirm that I am not a lawyer and have no legal training, but most businesses have a privacy statement on their website and it should be reviewed as part of your assessment.
Data breach, theft or accidental loss of data – You cannot look at the internet or your inbox without seeing adverts and statements about GDPR; as a business owner it is everywhere at the moment. A number of network and security companies I have been in contact with put their emphasis on selling software that will detect a breach on your network. Breach detection and breach reporting are very important under GDPR (a breach that puts individuals' rights at risk must be reported to the supervisory authority within 72 hours of becoming aware of it), but they are definitely not the full picture. The regulation covers a number of areas where action is needed to safeguard access to data and to act on a breach, so your business will need policy and process to make sure employees and contractors take care when accessing networks and data. Have a policy on devices brought in from outside, such as USB keys, personal phones, cameras and personal computers that may not be suitably protected. If an incident does happen, make sure you have a practised process to resolve it and document the action taken.
Make sure everyone is up to speed – I cannot emphasise enough that this is a shared activity for all employees and staff, not something to be done in isolation. Training your team to accept the process and procedure is paramount to the success of your GDPR implementation. Make sure everyone knows the parts of your environment and process that apply to their role. Documentation has been mentioned several times and is key to sharing and adopting a given process; review it regularly and keep the whole team up to date with any changes.
Can a CRM help with centralisation of data?
So where does a CRM solution come into the mix? If you need to meet customer requests about the data you hold, it makes sense to centralise that data in a small number of systems, one being a company-wide CRM system. Others may include finance, ERP or project tools, depending on where you, as a business owner, record most personal data.
A cost-effective CRM system from MyCRM, based on Microsoft Dynamics, will not only save you time and help you centralise and grow your sales pipeline but will help you maintain your data. A well-implemented system lets you centralise all your customer data and keep accurate records of interactions such as phone calls and emails.
As part of handling GDPR data access requests, with configuration you can create a data profile or audit of the individual customer data held in your system.
A CRM system can also integrate other systems and data sources, giving a full 360-degree view of the data held. Under GDPR an individual can request the data held about them on any of your systems, and can ask for it in electronic form.
How can CRM help you?
We love to hear business success stories, and with our expertise in CRM and Microsoft Dynamics CRM we can guide you through what we think would be most beneficial for your company's needs. We do the hard work so that your business can be the best it can be, and CRM can open up a range of opportunities for any business. We also provide an after-sales service and welcome any queries, so that you can keep using our solutions to the best of their ability. If you would like to find out more or discuss your requirements with one of the team:
Give us a call:
+44 (0)1983 245 245
Send us an email:
Book a GDPR Review: