I actually think most of the onus is on the owner/user of the CRM, to be honest. vtiger, the company, will also be required to comply with the GDPR themselves, as you "process" personal data belonging to EU citizens.
"Permission marketing – organisations will need to confirm they are the owner of an opted-in email address. GDPR also recognizes that permission is not indefinite and data would have to stop being used after a period of inactivity. Clearly this will impact on the usage of email addresses that are included in CRM marketing lists."
So the email-opt-out checkbox should be checked by default, and maybe a date field added to show when the opt-in was received. Opt-in must be given by the customer; it cannot be assumed. You (the collector/owner of the data) must be able to prove you got consent from the provider of the data to use it in whatever way(s), which must have been clearly specified.
"GDPR requires businesses to have a defined purpose for collecting information on persons. This reason (or purpose) should always be supported by a legal basis."
So, as I understand it, you should really record why the consent (opt-in) to store personal data was given, when it was given, and who in your company requested it and updated the record.
I also understand that if you share your information with third parties, you must obtain consent to share specific data, i.e. the fields in vtiger, and for each specific third party.
As I understand it, any company which "processes" personal data (and that is basically EVERY company) needs to have processes and procedures in place for this. They also need to restrict (and be able to demonstrate that they tried to restrict, in the event of a breach) access to the data to only those employees who need to access it.
This seems to be a reasonably clear and understandable short précis of the requirements:
@lord_alan - Thank you for reacting with useful insight. I had a few questions; hope you don't mind taking them and educating me.
Consent - I understood.
Right to be Forgotten -
How will the individual request to be removed? Email or through the earlier consent form?
Does it mean the email address should also be removed from any logs (e.g. the SMTP log, which could have captured it when we sent emails while they were willing to be with us)?
I did see some fancy terms, "anonymization and pseudonymization"; any heads-up or references on the same?
How will the individual request to be removed? Email or through the earlier consent form?
I believe that there is no specification for how someone asks to be removed, but however they ask you (email, phone, letter, webform or whatever), you (the data processor) MUST have a procedure to ensure all data is removed.
Does it mean the email address should also be removed from any logs (e.g. the SMTP log, which could have captured it when we sent emails while they were willing to be with us)?
I do not know how detailed the legislation is regarding data in log files etc. But the intention of the law is clear: ALL personal data should be removed. But this could be just for one specific type of data, e.g. they might ask you to remove information about their hair colour... which they agreed for you to store before, when you asked them if they were happy for you to share it with hair dye manufacturers ;-)
I did see some fancy terms, "anonymization and pseudonymization"; any heads-up or references on the same?
I would like to see a workflow that enables deletion of Contacts and Organizations. From a Danish point of view, a company is obliged to keep records for at least 5 years.
So if a customer becomes inactive, we have the option to set a deletion date and delete the Organization from a workflow action. This would also be relevant for Leads and Contacts.
Furthermore, today deleted records are still found in the "recycle bin"; that isn't GDPR compliant. I don't even know if all records related to an Organization are deleted if you delete an Organization today... Are comments and all other related records deleted?
Hi @prasad, the main features needed are:
1 - strong passwords
2 - users have to change their password every x months
If needed, we can develop this if you are ready to accept it.
Otherwise we should create a module to manage this topic, but we prefer to share the solution with the community.
Please, don't link with some marketing companies or newly created GDPR companies.
In the official EU regulation, there is nothing about "password".
I agree with @lord_alan that the "email-opt-out checkbox should be checked by default".
Then, if you implement a CRM system for a customer, you need to keep to the GDPR rules. It's on you how you set up personal fields (visibility) and how they will be handled. This is different in every installation and must be implemented for each customer separately.
So we can read it and go point by point ;-) Like, for me it is unclear:
Article 4
Definitions
If we implement vtiger CRM, what are we?
(7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8)
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(9)
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
(10)
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
And depending on this, we have some obligations.
(7) controller -> We don't determine this. Our customer prepares it; we apply it.
(8) processor -> We don't process personal data. Mostly, this is done by the controller.
(9) recipient -> Maybe this.
(10) third party -> Also no; we don't process personal data under the direct authority of the controller or processor.
I think there are some essential keys on this matter:
1 - The customer can at any time ask for a portable file with his data. The CRM has to know, or must have the ability, to export an XML file or similar with the customer's data. Let's say name, email, phone, address and maybe the related products, services etc. related to him. A button in Contacts, "export contact data and send by email", would be a must.
This is also related to the ability to delete customer-related data. And by related data I mean email, phone etc. in ModTracker. Of course the data is still in invoices, quotes etc., but that data was consented to by the customer at that time.
2 - Simply introduce an unsubscribe link to be included in emails that the CRM sends to the customer. Of course, it doesn't need to be mandatory. Each admin can decide in which emails he wants to include the unsubscribe link.
The other bits, I think, really depend on the configuration, or just include information on the company website about the data that the CRM collects.
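The three mechanisms discussed in this thread (an opt-out-by-default consent record that stores purpose, date, who recorded it and any third party; a portability export; and an erasure that removes related records such as comments and ModTracker history without leaving anything in a recycle bin, while keeping invoices that are still inside a legal retention period) fit together in one small model. The following is an added example written for this thread, not vtiger code: the classes, element names, the 5-year retention and the 2-year inactivity limit are all assumptions, and the sample contacts and invoices are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Assumed policy values (not from vtiger): bookkeeping retention as in the Danish
# example above, and an inactivity period after which an opt-in lapses.
RETENTION = timedelta(days=365 * 5)
INACTIVITY_LIMIT = timedelta(days=365 * 2)
TODAY = date(2018, 5, 25)  # fixed "today" so the constructed sample is reproducible


@dataclass
class Consent:
    purpose: str           # why the data may be used, e.g. "newsletter"
    given_on: date         # when the opt-in was received
    recorded_by: str       # employee who recorded or updated it
    shared_with: str = ""  # the specific third party, if sharing was consented to


@dataclass
class Contact:
    contact_id: int
    name: str
    email: str
    phone: str
    last_activity: date
    email_opt_out: bool = True  # opt-out is the default; opt-in must be explicit
    consents: list = field(default_factory=list)
    comments: list = field(default_factory=list)    # related records
    modtracker: list = field(default_factory=list)  # change history holding old values


@dataclass
class Invoice:
    invoice_id: int
    contact_id: int
    issued_on: date
    total: float


class Crm:
    def __init__(self):
        self.contacts = {}
        self.invoices = []
        self.recycle_bin = []  # erasure bypasses this; nothing is ever appended here

    def add_contact(self, contact):
        self.contacts[contact.contact_id] = contact

    def record_opt_in(self, contact_id, purpose, recorded_by, given_on, shared_with=""):
        """Store the proof of consent: purpose, date, requester and any third party."""
        c = self.contacts[contact_id]
        c.consents.append(Consent(purpose, given_on, recorded_by, shared_with))
        c.email_opt_out = False
        c.modtracker.append(f"{given_on}: {recorded_by} cleared email_opt_out ({purpose})")

    def may_email(self, contact_id, purpose, today):
        """Email only with an explicit, still-valid opt-in for this purpose."""
        c = self.contacts[contact_id]
        if c.email_opt_out or today - c.last_activity > INACTIVITY_LIMIT:
            return False
        return any(k.purpose == purpose for k in c.consents)

    def export_contact(self, contact_id):
        """Portable XML for a data-access request (constructed element names)."""
        c = self.contacts[contact_id]
        root = ET.Element("contact", id=str(c.contact_id))
        for tag in ("name", "email", "phone"):
            ET.SubElement(root, tag).text = getattr(c, tag)
        consents = ET.SubElement(root, "consents")
        for k in c.consents:
            ET.SubElement(consents, "consent", purpose=k.purpose,
                          given_on=k.given_on.isoformat(), recorded_by=k.recorded_by,
                          shared_with=k.shared_with)
        invoices = ET.SubElement(root, "invoices")
        for i in self.invoices:
            if i.contact_id == contact_id:
                ET.SubElement(invoices, "invoice", id=str(i.invoice_id),
                              issued_on=i.issued_on.isoformat(), total=f"{i.total:.2f}")
        return ET.tostring(root, encoding="unicode")

    def erase_contact(self, contact_id, today):
        """Right to be forgotten: hard-delete the contact and its related records,
        keep only invoices still inside the retention period, never use the recycle bin."""
        c = self.contacts.pop(contact_id)
        summary = {"comments": len(c.comments), "modtracker": len(c.modtracker)}
        c.comments.clear()
        c.modtracker.clear()
        cutoff = today - RETENTION
        kept = []
        summary["invoices_purged"] = 0
        for i in self.invoices:
            if i.contact_id == contact_id and i.issued_on < cutoff:
                summary["invoices_purged"] += 1
            else:
                kept.append(i)
        self.invoices = kept
        summary["invoices_retained"] = sum(1 for i in kept if i.contact_id == contact_id)
        return summary


def build_sample():
    """Constructed sample data: three contacts, two with opt-ins, three invoices."""
    crm = Crm()
    crm.add_contact(Contact(1, "Alice Example", "alice@example.invalid", "+45 0000", date(2018, 3, 1)))
    crm.add_contact(Contact(2, "Bob Example", "bob@example.invalid", "+45 1111", date(2018, 4, 1)))
    crm.add_contact(Contact(3, "Carol Example", "carol@example.invalid", "+45 2222", date(2015, 1, 1)))
    crm.record_opt_in(1, "newsletter", "sales.rep", date(2017, 1, 10))
    crm.record_opt_in(3, "newsletter", "sales.rep", date(2014, 6, 1))
    crm.contacts[1].comments.append("Called about quote")
    crm.invoices += [Invoice(100, 1, date(2012, 1, 5), 120.0),
                     Invoice(101, 1, date(2016, 9, 1), 80.0),
                     Invoice(102, 2, date(2011, 1, 1), 10.0)]
    return crm


if __name__ == "__main__":
    crm = build_sample()
    print(crm.export_contact(1))
    print(crm.erase_contact(1, TODAY), len(crm.invoices), "invoices left")
```

Two design points worth noting: the erase path pops the contact and clears the related lists instead of flagging them deleted, which is what makes it different from a recycle-bin delete; and the only personal data that survives erasure is the invoice rows inside the retention window, which is the same exception the posts above describe for invoices and quotes.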
If I may answer my own question, and if I understand it well: we are a processor.
So we need to have a contract with the controller in which the range of personal-data processing is defined.