GDPR: The Impact On CRM & How To Prepare Your Workforce
TRANSCRIPT
www.claydenlaw.co.uk | www.melearning.co.uk | www.preact.co.uk
GDPR: The Impact On CRM &
How To Prepare Your Workforce
Piers Clayden, Clayden Law
Nick Richards, Me Learning
What we’ll cover in this webinar
• Background of GDPR
• When GDPR comes into effect, the changes and which organisations are affected
• How GDPR affects organisations using CRM systems
• Particular considerations for marketing/sales personnel
• How Me Learning can help organisations understand and prepare for GDPR
• Why e-learning is the best way to prepare your workforce for GDPR
• A demonstration of the Me Learning solution
• How Me Learning is helping organisations embrace e-learning
When GDPR comes into effect, the changes and which organisations are affected
In force on 25th May 2018
• Personal Data is one of your critical assets
• Board level issue: penalties for non-compliance are severe
• Up to 4% of global annual turnover or €20m, whichever is higher
• Affected data subjects will have the right to sue controllers and processors for compensation
• Affects every organisation in the UK, despite Brexit
• IT and technology will be key to achieving compliance
• But it will need Board and cross-organisation buy-in: sales/marketing, HR, vendor supply chain etc.
How GDPR affects organisations using CRM systems
CRM system owner as data controller
Holding personal data on a CRM system is a form of “processing”. Assuming the CRM system owner holds that information for its own purposes, it will be deemed to be the data controller and therefore subject to the full burden of complying with the GDPR.
Principles
The use of that data will have to comply with the principles under the GDPR:
• Lawful, fair and transparent
• The purposes must be specified, explicit and legitimate
• The data held must be adequate, relevant and limited to the extent necessary for the processing
• It must be accurate and up to date
• It mustn’t be kept in a form which permits identification of individuals for longer than necessary (storage limitation)
• Security (integrity, confidentiality and availability) must be ensured
How GDPR affects organisations using CRM systems
Accountability
The GDPR requires that the controller must be accountable and be able to demonstrate compliance with these principles.
Transparency & Information notices
In essence, this means the controller must be able to demonstrate that it has given the individuals whose data is on the CRM system the information the GDPR requires. This will typically be through an enhanced information notice (aka privacy policy or notice).
Note that where details are collected other than directly from the individual concerned, the controller will need to provide the information to the individuals concerned at or before the first communication with them and in any event within one month.
How GDPR affects organisations using CRM systems
Processing grounds
Any processing of personal data through the CRM system needs to meet one of the GDPR conditions in order to be lawful.
These include:
• Consent
• Necessary for performance of a contract with the individual
• Legitimate interest of controller
For special categories of data (e.g. race, religion, health) there are different and stricter grounds; these include explicit consent.
How GDPR affects organisations using CRM systems
Consent
Where consent is used as the basis for processing on or through the CRM system, that consent has to be freely given, specific, informed and unambiguous: it must be a clear and affirmative action.
Silence or pre-ticked boxes are not enough. And it has to be demonstrable, so the CRM system should record how and when the consent was given. Note also that consent can be withdrawn at any time.
Therefore, does the controller have processes in place to make sure that a withdrawal of consent is promptly recorded in the CRM system?
Note that children under 16 (the GDPR default; member states may set a lower age, down to 13) cannot themselves give consent to online services – a parent or guardian will need to do it.
How GDPR affects organisations using CRM systems
What Marketing Managers/Sales Managers should pay particular attention to
Making sure that the data on the CRM system complies with the GDPR principles – so look at
• Making sure the information notices actually and specifically reflect the reality of what is being done on the CRM system (note – profiling, next slide)
• Processes for ensuring accuracy and retention periods
• Ensuring that they can demonstrate that processing done through the CRM system is GDPR compliant – in essence recording the basis of what is done
The GDPR also requires that organisations must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities – so for example:
• Staff training – are all staff who handle personal data aware of their responsibilities?
• Data minimisation and least-privilege access: is it necessary for all staff members to have full access to the CRM system, or can different staff be allocated different access?
How GDPR affects organisations using CRM systems
What Marketing Managers/Sales Managers should pay particular attention to
• Consider also pseudonymisation, i.e. assigning IDs to individuals on the CRM system and only allowing access to the IDs rather than the full personal data (and then keeping the key that links the IDs back to individuals secure and separate from the CRM data)
• Where any “high risk” processing activity is being considered, the GDPR requires that a data protection impact assessment (DPIA, often still called a privacy impact assessment or PIA) be conducted so that risk mitigation measures can be put in place and compliance ensured.
• Where the CRM system is to be used to profile individuals (automated analysis to predict their behaviour), this must be spelled out in the information notice; individuals can object to profiling for direct marketing at any time, and any decision based solely on automated processing that significantly affects an individual needs the individual’s explicit consent or one of the other narrow grounds the GDPR allows.
• Be aware that individuals have enhanced rights with regard to their personal data, the right to erasure (to be forgotten) being the most high-profile new one. So the organisation needs to have processes in place to log and action requests from customers when they come in.
Finally, given the new mandatory breach notification requirement under the GDPR (report a personal data breach to the ICO within 72 hours of becoming aware of it, and notify the affected individuals too where the breach is likely to put them at high risk), CRM system stakeholders should be aware of their role and responsibilities within any incident response plan.
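The pseudonymisation, consent-recording and erasure points above (assign IDs and keep the key separate; record how and when consent was given and withdrawn; log and action erasure requests) can be sketched in code. The following Python is an added example written for this page, not code from Clayden Law, Me Learning, Preact or any CRM product. The class names, the single privileged role "dpo", the purpose string "marketing" and the contact details are all made up for illustration, and a real deployment would keep the HMAC key in a KMS or HSM rather than in process memory.

```python
"""Added example: a pseudonymised CRM store with a separate identity vault
and a timestamped consent ledger. Hypothetical design, not a real product."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class IdentityVault:
    """The 'key' that links a pseudonym back to a person. Kept apart from the
    CRM store and readable only by one privileged role (assumed: "dpo"), so
    ordinary CRM users never see direct identifiers."""

    def __init__(self, privileged_role="dpo"):
        # Assumption: key generated in memory; a real system would use a KMS/HSM.
        self._hmac_key = secrets.token_bytes(32)
        self._link = {}                      # pseudonym -> direct identifiers
        self._privileged_role = privileged_role

    def pseudonymise(self, email, name):
        # Keyed hash: the same person always maps to the same pseudonym, so
        # marketing can de-duplicate without seeing the e-mail, but nobody
        # can recompute or reverse the mapping without the vault's key.
        normalised = email.strip().lower().encode()
        pid = hmac.new(self._hmac_key, normalised, hashlib.sha256).hexdigest()[:16]
        self._link[pid] = {"email": email.strip(), "name": name}
        return pid

    def reveal(self, pid, role):
        if role != self._privileged_role:
            raise PermissionError(f"role {role!r} may not re-identify contacts")
        return self._link[pid]

    def erase(self, pid):
        # Dropping the link is what leaves the remaining CRM rows anonymous.
        return self._link.pop(pid, None) is not None


class ConsentLedger:
    """Per-pseudonym, per-purpose consent events. Each event carries a UTC
    timestamp and its source (which form, which unsubscribe link) so consent
    can be demonstrated later; withdrawals are recorded the same way."""

    def __init__(self):
        self._events = {}   # pid -> [(timestamp, purpose, action, source), ...]

    def record(self, pid, purpose, action, source):
        if action not in ("given", "withdrawn"):
            raise ValueError(f"unknown consent action {action!r}")
        self._events.setdefault(pid, []).append(
            (datetime.now(timezone.utc), purpose, action, source))

    def may_process(self, pid, purpose):
        # Only the latest event for this purpose counts; no event (silence)
        # means no consent.
        relevant = [e for e in self._events.get(pid, []) if e[1] == purpose]
        return bool(relevant) and relevant[-1][2] == "given"

    def history(self, pid):
        return list(self._events.get(pid, []))

    def erase(self, pid):
        self._events.pop(pid, None)


class CrmStore:
    """CRM rows hold the pseudonym plus business data only; no e-mail, no name."""

    def __init__(self, vault, ledger):
        self.vault, self.ledger, self._rows = vault, ledger, {}

    def add_contact(self, email, name, segment):
        pid = self.vault.pseudonymise(email, name)
        self._rows[pid] = {"segment": segment}
        return pid

    def marketing_targets(self):
        # Campaign selection checks consent at send time, not at import time.
        return [pid for pid in self._rows
                if self.ledger.may_process(pid, "marketing")]

    def erase_contact(self, pid):
        # Right to erasure: remove the link, the consent trail and the row.
        # (A real system would also keep the pseudonym on a suppression list
        # so the person is not silently re-imported; omitted here.)
        self.vault.erase(pid)
        self.ledger.erase(pid)
        return self._rows.pop(pid, None) is not None


def demo():
    """Walk one constructed contact through consent, withdrawal and erasure."""
    vault, ledger = IdentityVault(), ConsentLedger()
    crm = CrmStore(vault, ledger)
    pid = crm.add_contact("Alice@Example.com", "Alice Example", "enterprise")
    before = crm.marketing_targets()                       # no consent yet
    ledger.record(pid, "marketing", "given", "web form v3, box ticked by user")
    during = crm.marketing_targets()                       # consented
    ledger.record(pid, "marketing", "withdrawn", "unsubscribe link, campaign 12")
    after = crm.marketing_targets()                        # withdrawn
    erased = crm.erase_contact(pid)
    return {"pid": pid, "before": before, "during": during,
            "after": after, "erased": erased}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: sales and marketing staff only ever handle the 16-character pseudonym, the keyed hash means duplicates still collapse to one record, and the consent ledger keeps the evidence (timestamp, purpose, source) that the webinar says the CRM must be able to produce; campaign selection consults the ledger at send time so a withdrawal takes effect immediately.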
GDPR Considerations for CRM owners
• Will your CRM solution be GDPR compliant?
• What in-built CRM security controls can be used to hide sensitive data and control access permissions?
• Integrated CRM and email marketing will make GDPR compliance easier
• How good is your data quality, and how can it be cleansed?
• Are your processes for collecting, managing and storing personal data GDPR compliant?
What are the next steps?
What do ‘we’ have to do?
Let's define the GDPR ‘we’
The ‘Board’: Why do we need to do this?
They need to be aware of the importance of GDPR
They need to know the £ cost and the REPUTATION cost of getting it wrong
You need their support and buy-in
The ‘Practitioner’: the buck stops here
‘Someone’ will have the responsibility to make sure the organisation is compliant
Could be the business owner, a director/senior manager?
Could be you?
Whoever they are, they need to know everything that has to be done (and why)
‘Foundation’: Why (how) did I get this job?
‘Someone’ will actually have to do this
Could be the business owner, a director/senior manager?
Could be you?
Whoever they are, they need to know exactly what they have to do and how to do it
‘Staff’: What's this then?
Everyone who works in the business needs to understand the basics
Basic knowledge is both required and makes things so much easier
What next? – the challenge
Search for ‘GDPR’ at 11:38 am on 1st September:
194,000 results in the last 30 days
97,000 results in the last 7 days
96 results in the last 24 hours
So much information. Guess what?
Where do you start?
What is relevant?
Who do you trust?
How much is this going to cost?
Who has the time to plough through all of it and make decisions?
We have done it for you!!
And to help you even more, Clayden Law will provide a free 30 minute consultation to customers, answering any questions you may have after completing the online course.
Using Clayden Law’s specialist knowledge and Me Learning’s experience of e-learning, we brought everything together in one simple, comprehensive, up-to-date, cost-effective e-learning suite delivered via an auditable cloud-based training portal.
COURSE   Core (all employees)   Foundation (executing the policies)   Practitioner (leading the project)   Board
1. GDPR – Introduction and Background ✔ ✔ ✔ ✔
2. GDPR – Definitions and Principles ✔ ✔ ✔
3. GDPR – Individual Rights ✔ ✔ ✔
4. GDPR – Consent and Conditions for Processing ✔ ✔
5. GDPR – Steps to Compliance ✔ ✔ ✔
6. GDPR – The Accountability Principle ✔
7. GDPR – Sanctions, Remedies and Liabilities ✔ ✔
8. GDPR – Information (Privacy) Notices ✔ ✔
9. GDPR – Breach Management and Notifications ✔ ✔
10. GDPR – Supply Chain Management ✔
11. GDPR – Data Sharing ✔
DURATION   Core 1h 30m   Foundation 3h 30m   Practitioner 5h 30m   Board 1h 30m
The e-learning suite
E-learning Demonstration
Use e-learning to save money and time
Foundation / Practitioner classroom training course of 2 to 4 days costs £995 to £1,795 per person.
E-learning means you don’t have to attend a classroom course.
SMEs typically spend £3,000 to £4,000 on legal fees.
E-learning plus a free 30 minute consultation from Clayden Law will reduce those legal fees.
Don’t waste time searching the Internet and disseminating information.
Clayden Law and Me Learning have done it for you.
Keep an auditable record of everyone's online training to help demonstrate compliance.
As a Me Learning and Clayden Law customer, you’ll be in good company
www.claydenlaw.co.uk
[email protected] 339 640
www.melearning.co.uk
[email protected] 499 100
www.preact.co.uk
[email protected] 381 1000
Register for email updates at www.melearning.co.uk/gdpr
Free GDPR Awareness course – contact Me Learning for more info
Request monthly GDPR newsletters – [email protected]
Thank you for attending
Q&A