Customer Engagement & Dynamics CRM Forum

GDPR- General Data Protection regulation

  • 1.  GDPR- General Data Protection regulation

    SILVER CONTRIBUTOR
    Posted 01-16-2018 11:56 AM
    With the GDPR (General Data Protection Regulation) being in effect in May 2018, has anyone come up with rules/policies for their CRM to cover this regulation? Looking for ideas.

    GDPR: How Will It Impact CRM? - CRM Software Blog | Dynamics 365
    The General Data Protection Regulation (GDPR) is a hot topic! The countdown to this new EU regulation is well underway, but what does it mean for your own business? As a Microsoft CRM partner that implements Dynamics 365, Preact frequently speak to SMB's seeking GDPR advice.



    ------------------------------
    Janet Grant
    Manager- Sales Operations
    Salient Management
    Horseheads NY
    ------------------------------


  • 2.  RE: GDPR- General Data Protection regulation

    MICROSOFT MVP
    Posted 01-17-2018 05:57 AM
    MS recently posted a couple of white papers on the topic:
    GDPR for Microsoft Dynamics 365

    ------------------------------
    Jonas Rapp
    MVP, Head of Development
    Innofactor Sverige AB
    Stockholm Sweden
    ------------------------------



  • 3.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-14-2018 03:22 PM
    I wanted to bump this back up and see what others are doing?  The below link documents how MS Dynamics has built in GDPR backend admin capabilities, but I am more interested in what CRM Administrators are doing for the Front End of operations which can include Marketing Campaigns, Lead Entry, Trade Show excel lists and Imported Contacts from electronic Address books, etc?

    Your thoughts and comments are appreciated as we are now less than 2 weeks away from the deadline.

    ------------------------------
    Ron Goetz
    Knowledge Mgr
    SPX Hydraulic Technologies
    Rockford IL
    ------------------------------



  • 4.  RE: GDPR- General Data Protection regulation

    SILVER CONTRIBUTOR
    Posted 05-15-2018 03:54 AM
    We at Data8 recently gave a presentation at CRMUG Summit EMEA in regards to this and how we have handled lots of elements of GDPR in some detail.

    You may be able to access them here Summit EMEA Community - Dynamic Communities
    Join your Dynamics peers to dig deep into Dynamics AX, CRM, NAV and Power BI features and functionality.


    On the off chance you can't, let me know and I'll send the slide deck on.



    ------------------------------
    Matt Beard
    Senior Software Engineer
    Data8
    Chester
    ------------------------------



  • 5.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-15-2018 11:50 AM
    At this late stage you are probably too late to use Consent as the legal basis for communicating with your prospects and customers, so you need to research Legitimate Interest.  If you are B2B, LI is a lot simpler to deal with than Consent.  If you are in a B2C world, then you already need consent to email prospects, so it should *just* be a matter of ensuring your opt-in process is GDPR compliant.

    We've taken plenty of clients through this in the UK, so happy to chat on the phone if you want an informal view...

    ------------------------------
    Simon West
    Nett Sales LLP
    Aldbourne
    ------------------------------



  • 6.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-15-2018 03:16 PM

    What exactly do we as admins have to do over this? We do have some accounts residing in the EU. But I don't understand what "personal information" means? Everything I read has different suggestions. Some state: name, phone number, address, IP address etc.
    So what do we have to do on our end then to be in regulation?



    ------------------------------
    Heather L
    ------------------------------



  • 7.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-16-2018 04:21 AM
    There's some information on what counts as personal data on the ICO site:
    Key definitions
    The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


    From the text of the regulation itself (Article 4)

    'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

    My understanding of this is that if you have enough information to identify a person, any other information you hold about them becomes personal data. If you remove the identifying information, anything that's left is no longer personal data.

    In CRM terms I'd suggest that anything on a lead or contact record, where that record contains sufficient data to identify a person (name, email, telephone or IP) would be personal data, as would anything in child records of that lead/contact (activities, opportunities, cases etc.). However, if you remove the identifying information you might be left with the same records that would now not be personal data.

    ------------------------------
    Mark Carrington
    Chief Technologist
    Data8
    Chester
    ------------------------------



  • 8.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-16-2018 08:50 AM
    @Mark Carrington when you say "remove data" are you talking about relocating it somewhere else? We do have leads, contacts, account records and also have ID #'s for some records. Obviously, clearing that data would ultimately leave us with no information on those same records above. Is it a matter of how CRM houses that data? Or simply notifying all those contacts and leads that we have this information and getting their approval to keep it? I did read somewhere about getting their consent, or allowing them to opt out of having their personal information.

    ------------------------------
    Heather L
    ------------------------------



  • 9.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-16-2018 08:59 AM
    By "remove data" I mean actually deleting the values from those fields. If you still have that data somewhere and it can be linked together by IDs then it would still be personal data.

    You don't need consent to store personal data, but you do need a legal basis, one of which is consent. There are 6 possible legal bases for processing, you can read about the differences between them on the ICO site:
    Lawful basis for processing
    There are six available lawful bases for processing. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.

    When you add someone to CRM, the right to be informed would mean you should tell them about your privacy policy, how to invoke their right to erasure and various other steps:

    Right to be informed
    Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.

    The guidance isn't clear as to whether this should also apply retrospectively to data you already hold in CRM.


    ------------------------------
    Mark Carrington
    Chief Technologist
    Data8
    Chester
    ------------------------------



  • 10.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-16-2018 10:36 AM
    Good discussion!  If I can try to simplify this down to my basic questions:
      1. Can we maintain our contact database in MS Dynamics?
      2. Are we obligated to inform every contact in the database that we have their information?
      3. Can we use the database for any type of Marketing Campaign or mailing list?
      4. Going forward- how do we control any information entered into the database by our Users?

    thanks!

    ------------------------------
    Ron Goetz
    Knowledge Mgr
    SPX Hydraulic Technologies
    Rockford IL
    ------------------------------



  • 11.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-16-2018 10:49 AM
    @Ron Goetz those are my exact questions I have! Please let me know if you get an answer. We are in the same boat.

    ------------------------------
    Heather L
    ------------------------------



  • 12.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-16-2018 11:34 AM
    Heather- I just went through the presentation that Matt Beard links above.  It is very good and informative in giving a broad view of what needs to happen.  It is scary in trying to think how this can happen without a high level commitment with management to create and implement the workflows and form changes recommended in the PPTX.

    ------------------------------
    Ron Goetz
    Knowledge Mgr
    SPX Hydraulic Technologies
    Rockford IL
    ------------------------------



  • 13.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-17-2018 01:25 PM
    1. Can we maintain our contact database in MS Dynamics?

    Yes, but you need to take the appropriate steps to ensure the data is secure

    2. Are we obligated to inform every contact in the database that we have their information?

    No but if they ask you are obliged to tell them the data you hold on them

    3. Can we use the database for any type of Marketing Campaign or mailing list?

    That depends.  There are 6 bases upon which you can legally email a prospect or customer.  The two most common are consent (they have consented to allow you) and Legitimate Interest (you have a legitimate interest in contacting them that passes a balancing test that also considers the rights of the recipient).  Telephone and direct mail are opt out, so you don't need their permission, but must stop if asked.

    Companies have spent the last 6 months or so getting up to speed with this, so a short explanation here will never cover all the bases.

    4. Going forward- how do we control any information entered into the database by our Users?

    I guess the usual ways of mandatory fields, business rules, etc.

    The issue here is that GDPR planning should have started 2 years ago when the regulations became law, not 8 days before the law comes into force.

    Fundamentally, you have an obligation to protect data in your ownership, use it appropriately and be transparent about how you will use (process) data.
    And there are different rules for sensitive data (under 16s, DOB, etc...) consumer data and business data that need to be understood and considered by your business.


    ------------------------------
    Simon West
    Nett Sales LLP
    Aldbourne
    ------------------------------



  • 14.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-17-2018 01:58 PM
    @Simon West so posting language on our website and allowing potential leads or clients to further call on us if they want more information is deemed appropriate?
    We also have marketing lists that do have an area in CRM for do not call or email options so that should still cover us as well there?

    ------------------------------
    Heather L
    ------------------------------



  • 15.  RE: GDPR- General Data Protection regulation

    GOLD CONTRIBUTOR
    Posted 05-17-2018 02:09 PM
    @Heather Laughlin, I am getting slightly different feedback both from the PowerPoint and from internal sources, but it seems clear that-

    "posting language on our website and allowing potential leads or clients to further call on us if they want more information is deemed appropriate?"  What I am hearing is that you need a clear privacy policy on the website and manual check boxes saying what type of information and method of contact they will allow.

    "We also have marketing lists that do have an area in CRM for do not call or email options so that should still cover us as well there?"
    That covers Microsoft for compliance, but I will again refer to the PPTx as explaining how to handle the "Forget Me" clause as well as documented consent.  You can't assume because you have a name in your contact list, that you can contact them.  Exactly opposite.  You have to assume every name in your contact list is now set to DO NOT CONTACT, until such time as they confirm acceptance.

    Again, this is my opinion, here in the USA, not a lawyer's or as a member of the EU.

    ------------------------------
    Ron Goetz
    Knowledge Mgr
    SPX Hydraulic Technologies
    Rockford IL
    ------------------------------



  • 16.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-17-2018 02:43 PM
    @Ron Goetz thanks for your explanations and help! What does PPTx stand for?

    ------------------------------
    Heather L
    ------------------------------



  • 17.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-18-2018 04:45 AM

    @Heather Laughlin.  Yes, updating your privacy and cookie policy is vital.  There are plenty of good examples of updated policies.  It's worth reviewing this website for their cookie and privacy policies and also the wording they use when you fill out one of their contact forms.  Marketing Automation and Lead Generation Platform | Communigator

    In terms of your database, you have three possible needs from a technical perspective:

    1) Subject Access Request.  Someone asks "what data do you hold on me?" and you have to provide all data you hold on them.  The contact & account stuff will be easy, but what about email click through data, purchased products, subscriptions, website visits, etc, etc...

    2) The right to be forgotten.  If a person requests it, you have an obligation to delete ALL data you hold on that person.  Again, basic data should be pretty easy but what about all those records that have referential relationships and so are not deleted when a "parent" record is deleted?  As a side note, you are permitted to hold minimal data on a person that requests deleting all their data sufficient to ensure that you don't load their data again from a new list, backup, or whatever...

    3) Logging Opt In, Opt Out and holding the proof that they opted in.  So maybe the URL they visited, the time and date and possibly even a screen shot of the opt in they completed.  Different people have taken different views on this largely depending on what their current tech stack can support!

    Clearly, from a customer & prospect engagement perspective, you should also log the legal basis on which you are contacting the person and link to any supporting docs (eg. a Legitimate Interest Test).  And then you need to make sure that your data is sufficiently detailed to allow you to use it for the purpose you intend.  So, if you are relying on Legitimate Interest, you can demonstrate that you know enough about the contact you are emailing to justify your claims in your Legitimate Interest Test.

    With a bit of thought and reading around, you should be able to get most of the basics covered fairly quickly.  The key areas to start with include:

    1) legal basis on which you are contacting prospects by email
    2) Data security and notification of a data breach to all affected records
    3) Storage of data outside the EU
    4) Appointment of a Data Protection Officer

    DISCLAIMER:  This is my view based on advising our UK based clients.  Get legal advice to ensure what you plan to do covers you.



    ------------------------------
    Simon West
    Nett Sales LLP
    Aldbourne
    ------------------------------
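
The first two technical needs listed in the post above (subject access across related records, and erasure where child records do not disappear with the parent), sketched as an added example that is not part of the original post or of Dynamics itself. The SQLite schema, table names and the keyed-hash suppression list are assumptions chosen for illustration; the hash is one way to keep the "minimal data" needed to stop a re-import.

```python
import hashlib
import hmac
import sqlite3

# Constructed placeholder key; in practice this comes from a secret store.
SUPPRESSION_KEY = b"example-key-not-for-production"

# Hypothetical child tables that reference a contact without ON DELETE CASCADE.
CHILD_TABLES = ("activity", "email_click")


def email_token(email: str) -> str:
    """Keyed hash of the normalised address, so the list holds no plain email."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE activity (id INTEGER PRIMARY KEY, contact_id INTEGER, note TEXT);
        CREATE TABLE email_click (id INTEGER PRIMARY KEY, contact_id INTEGER, url TEXT);
        CREATE TABLE suppression (token TEXT PRIMARY KEY);
    """)
    return db


def import_contact(db, name, email):
    """Load a contact unless its address is on the suppression list."""
    hit = db.execute("SELECT 1 FROM suppression WHERE token = ?", (email_token(email),))
    if hit.fetchone():
        return None
    return db.execute("INSERT INTO contact (name, email) VALUES (?, ?)", (name, email)).lastrowid


def subject_access(db, contact_id):
    """Collect every row held on one contact, parent and child tables alike."""
    out = {"contact": db.execute("SELECT * FROM contact WHERE id = ?", (contact_id,)).fetchall()}
    for table in CHILD_TABLES:  # fixed names from the constant above, never user input
        out[table] = db.execute(f"SELECT * FROM {table} WHERE contact_id = ?", (contact_id,)).fetchall()
    return out


def erase_contact(db, contact_id):
    """Delete the contact and its child rows in one transaction, keeping only a token."""
    row = db.execute("SELECT email FROM contact WHERE id = ?", (contact_id,)).fetchone()
    if row is None:
        return False
    with db:  # commits on success, rolls back if any statement fails
        for table in CHILD_TABLES:
            db.execute(f"DELETE FROM {table} WHERE contact_id = ?", (contact_id,))
        db.execute("DELETE FROM contact WHERE id = ?", (contact_id,))
        db.execute("INSERT OR IGNORE INTO suppression (token) VALUES (?)", (email_token(row[0]),))
    return True
```

Any table that holds a contact reference but is missing from `CHILD_TABLES` would survive erasure and be absent from the access export, which is the gap the post warns about.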



  • 18.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-18-2018 09:37 AM
    Thanks @Simon West, very helpful!

    ------------------------------
    Heather L
    ------------------------------



  • 19.  RE: GDPR- General Data Protection regulation

    TOP CONTRIBUTOR
    Posted 05-17-2018 03:04 PM
    this was passed along to me from a CRM consultant. Perhaps others will find it helpful.
    Winter is Coming: Lock in Your Fixed Natural Gas Plan Today


    ------------------------------
    Heather L
    ------------------------------