GDPR: The Impact On CRM & How To Prepare Your Workforce


Upload: preact-ltd

Post on 21-Jan-2018


Page 1: GDPR: The Impact On CRM & How To Prepare Your Workforce

www.claydenlaw.co.uk www.melearning.co.uk www.preact.co.uk

GDPR: The Impact On CRM & How To Prepare Your Workforce

Page 2: GDPR: The Impact On CRM & How To Prepare Your Workforce

Piers Clayden, Clayden Law

Nick Richards, Me Learning

Page 3: GDPR: The Impact On CRM & How To Prepare Your Workforce

What we’ll cover in this webinar

• Background of GDPR

• When GDPR comes into effect, the changes and which organisations are affected

• How GDPR affects organisations using CRM systems

• Particular considerations for marketing/sales personnel

• How Me Learning can help organisations understand and prepare for GDPR

• Why e-learning is the best way to prepare your workforce for GDPR

• A demonstration of the Me Learning solution

• How Me Learning is helping organisations embrace e-learning

Page 4: GDPR: The Impact On CRM & How To Prepare Your Workforce

When GDPR comes into effect, the changes and which organisations are affected

In force on 25th May 2018

• Personal Data is one of your critical assets

• Board level issue - penalties for non-compliance are severe:

  • Up to 4% global annual turnover or €20m

• Affected data subjects will have right to sue controllers and processors for compensation

• Affects every organisation in the UK, despite Brexit

• IT and technology will be key to achieving compliance

  • But will need Board and cross-organisation buy-in: sales/marketing; HR; vendor supply chain etc.

Page 5: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

CRM system owner as data controller

Holding personal data on a CRM system is a form of “processing”. Assuming the CRM system owner is holding that information for its own purposes, then it will be deemed to be the data controller and therefore subject to the full burden of complying with the GDPR.

Principles

The use of that data will have to comply with the principles under the GDPR:

• Lawful, fair and transparent

• The purposes must be specified, explicit and legitimate

• The data held must be adequate, relevant and limited to the extent necessary for the processing

• It must be accurate and up to date

• It mustn’t be kept for longer than necessary and must be in a form which permits identification of individuals

• Security (integrity, confidentiality and availability) must be ensured

Page 6: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

Accountability

The GDPR requires that the controller must be accountable and be able to demonstrate compliance with these principles.

Transparency & Information notices

In essence, this will mean that the controller is able to demonstrate that it has made available to the individuals whose data is on the CRM system, the necessary information requirements from the GDPR. This will typically be through an enhanced information notice (aka privacy policy or notice).

Note that where details are collected other than directly from the individual concerned, the controller will need to provide the information to the individuals concerned on or prior to first communication and in any event within 1 month.

Page 7: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

Processing grounds

Any processing of personal data through the CRM system needs to meet one of the GDPR conditions in order to be lawful.

These include:

• Consent

• Necessary for performance of a contract with the individual

• Legitimate interest of controller

For special categories of data (e.g. race, religion, health) there are different and stricter grounds; these include explicit consent.

Page 8: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

Consent

Where consent is used as the basis for processing on or through the CRM system, then that consent has to be freely given, specific, informed and unambiguous – it must be a clear and affirmative action.

Silence or pre-ticked boxes are not enough. And it has to be demonstrated. So the CRM system should record how and when the consent was given. Note also that consent can be withdrawn at any time.

Therefore, does the controller have processes in place to make sure that a withdrawal of consent is promptly recorded in the CRM system?

Note that children under 16 (currently) cannot give consent – they will need a parent or guardian to do it.

Page 9: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

What Marketing Managers/Sales Managers should pay particular attention to

Making sure that the data on the CRM system complies with the GDPR principles – so look at

• Making sure the information notices actually and specifically reflect the reality of what is being done on the CRM system (note – profiling, next slide)

• Processes for ensuring accuracy and retention periods

• Ensuring that they can demonstrate that processing done through the CRM system is GDPR compliant – in essence recording the basis of what is done

The GDPR also requires that organisations must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities – so for example:

• Staff training – are all staff who handle personal data aware of their responsibilities?

• Data minimisation – is it necessary for all staff members to have full access to the CRM system, or can different staff be allocated different access?

Page 10: GDPR: The Impact On CRM & How To Prepare Your Workforce

How GDPR affects organisations using CRM systems

What Marketing Managers/Sales Managers should pay particular attention to

• Consider also pseudonymisation – i.e. assigning IDs to individuals on the CRM system and only allowing access to the IDs rather than the full personal data (and then keeping the key to the IDs secure)

• Where there is any “high risk” processing activity being considered, the GDPR requires that a “privacy impact assessment” (PIA) should be conducted so that any risk mitigation measures can be put in place and compliance ensured.

• Where the CRM system is to be used to profile (use of processes to analyse/predict behaviour) individuals then this must be based on the individual’s explicit consent.

• Be aware that individuals have enhanced rights with regard to their personal data – the right to erasure (to be forgotten) being the most high-profile new right. So the organisation needs to have processes in place to log and action requests from customers when they come in.

Finally, given the new mandatory breach notification requirement under the GDPR requiring that organisations report the breach to the ICO within 72 hours of becoming aware (and perhaps individuals too), CRM system stakeholders should be aware of their role and responsibilities within any incident response plan.

Page 11: GDPR: The Impact On CRM & How To Prepare Your Workforce

GDPR Considerations for CRM owners

• Will your CRM solution be GDPR compliant?

• What in-built CRM security controls can be used to hide sensitive data and control access permissions?

• Integrated CRM and email marketing will make GDPR compliance easier

• How good is your data quality, and how can it be cleansed?

• Are your processes for collecting, managing and storing personal data GDPR compliant?

Page 12: GDPR: The Impact On CRM & How To Prepare Your Workforce

What are the next steps?

Page 13: GDPR: The Impact On CRM & How To Prepare Your Workforce

What do ‘we’ have to do?

Let’s define the GDPR ‘we’

Page 14: GDPR: The Impact On CRM & How To Prepare Your Workforce

The ‘Board’: Why do we need to do this?

They need to be aware of the importance of GDPR

They need to know the £ cost and the REPUTATION cost of getting it wrong

You need their support and buy-in

Page 15: GDPR: The Impact On CRM & How To Prepare Your Workforce

The ‘Practitioner’: the buck stops here

‘Someone’ will have the responsibility to make sure the organisation is compliant

Could be the business owner, a director/senior manager?

Could be you?

Whoever they are, they need to know everything that has to be done (and why)

Page 16: GDPR: The Impact On CRM & How To Prepare Your Workforce

‘Foundation’: Why (how) did I get this job?

‘Someone’ will actually have to do this

Could be the business owner, a director/senior manager?

Could be you?

Whoever they are, they need to know exactly what they have to do and how to do it

Page 17: GDPR: The Impact On CRM & How To Prepare Your Workforce

‘Staff’: What's this then?

Everyone who works in the business needs to understand the basics

Basic knowledge is both required and makes things so much easier

Page 18: GDPR: The Impact On CRM & How To Prepare Your Workforce

What next? – the challenge

GDPR at 11:38 am on 1st September

194,000 results in last 30 days.

97,000 results in last 7 days

96 results in last 24 hours

Page 19: GDPR: The Impact On CRM & How To Prepare Your Workforce

So much information

Page 20: GDPR: The Impact On CRM & How To Prepare Your Workforce

Guess what?

Where do you start

What is relevant

Who do you trust

How much is this going to cost

Who has the time to plough through all of it and make decisions

Page 21: GDPR: The Impact On CRM & How To Prepare Your Workforce

We have done it for you!!

And to help you even more, Clayden Law will provide a free 30 minute consultation to customers, answering any questions you may have after completing the online course

Using Clayden Law’s specialist knowledge and Me Learning’s experience of eLearning, we brought everything together into one simple, comprehensive, up-to-date, cost-effective e-learning suite delivered via an auditable Cloud Based training portal

Page 22: GDPR: The Impact On CRM & How To Prepare Your Workforce

COURSE | Core (all employees) | Foundation (executing the policies) | Practitioner (leading the project) | Board

1. GDPR – Introduction and Background ✔ ✔ ✔ ✔

2. GDPR – Definitions and Principles ✔ ✔ ✔

3. GDPR – Individual Rights ✔ ✔ ✔

4. GDPR – Consent and Conditions for Processing ✔ ✔

5. GDPR – Steps to Compliance ✔ ✔ ✔

6. GDPR – The Accountability Principle ✔

7. GDPR – Sanctions, Remedies and Liabilities ✔ ✔

8. GDPR – Information (Privacy) Notices ✔ ✔

9. GDPR – Breach Management and Notifications ✔ ✔

10. GDPR – Supply Chain Management ✔

11. GDPR – Data Sharing ✔

DURATION | 1h 30m | 3h 30m | 5h 30m | 1h 30m

The e-learning suite

Page 23: GDPR: The Impact On CRM & How To Prepare Your Workforce

E-learning Demonstration

Page 24: GDPR: The Impact On CRM & How To Prepare Your Workforce

Use e-learning to save money and time

Foundation / Practitioner classroom training course of 2 to 4 days costs £995 to £1,795 per person.

E-learning means you don’t have to attend a classroom course.

SMEs typically spend £3,000 to £4,000 on legal fees.

E-learning plus a free 30 minute consultation from Clayden Law will reduce those legal fees.

Don’t waste time searching the Internet and disseminating information.

Clayden Law and Me Learning have done it for you.

Keep an auditable record of everyone's online training to help demonstrate compliance.

Page 25: GDPR: The Impact On CRM & How To Prepare Your Workforce

As a Me Learning and Clayden Law customer, you’ll be in good company

Page 26: GDPR: The Impact On CRM & How To Prepare Your Workforce

www.claydenlaw.co.uk

[email protected] 339 640

www.melearning.co.uk

[email protected] 499 100

www.preact.co.uk

[email protected] 381 1000

Register for email updates at www.melearning.co.uk/gdpr

Free GDPR Awareness course – contact Me Learning for more info

Request monthly GDPR newsletters – [email protected]

Thank you for attending

Page 27: GDPR: The Impact On CRM & How To Prepare Your Workforce

Q&A
