In the last post in the series we looked at 'Updating your privacy policy'. This time I'll walk you through some considerations to update your systems to be GDPR-friendly.
The work we did for our clients systems was made 'easier' because our clients use HubSpot and so a lot of the updates were based on the changes that HubSpot made to their CRM, Sales, Marketing, and Website packages. There was a lot of detail that went into the new features so I'm going going to go into all of that detail, as I'll cover that in future posts, so for now I'll give you a summary, which will be helpful no matter what systems you're using (i.e. these are the updates you should be thinking of in the systems you're using).
The features your systems should include to make it easier to be GDPR-friendly
Lawful basis of processing
You need to have a legal reason to use data. That reason could be consent (opted in) with notice (at the point of capturing data), performance of a contract (e.g. a customer and you want to send a bill), or what the GDPR calls “legitimate interest” (e.g. a customer, and you want to send relevant product information).
The systems you use should have a multiselect property to track lawful basis. The property should be editable manually or via automation. For example, you might configure an automated workflow to set the lawful basis property when a contact signs a contract.
In addition, you should be able to track and audit the grant of lawful basis so you can prove the history of that property for each contact.
Consent
One type of lawful basis of processing is consent with proper notice.
In order for a contact to grant consent under the GDPR, a few things need to happen:
- They need to be told what they're opting into. That’s called “notice.”.
- They need to affirmatively opt-in (pre-checked checkboxes aren’t valid). Filling out a form alone does not implicitly opt-in to everything your company sends.
- The consent needs to be granular, meaning it needs to cover the various ways you process and use data (e.g. marketing email or sales calls). You must log auditable evidence of what each contact consented to, what notice you gave, and when consent was given.
Your systems should include features to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.
Three of the most common ways that might be needed is when you acquire new contacts through Forms and Live chat. These are different channels through which a contact might initially engage with you.
You should provide proper notice to each contact before they provide information to you (such as using text boxes on forms), and you should be able to easily collect the appropriate consent when it's given.
An additional detail on notice: my 'non-legal' advice is that it seems ok to include a link to your main privacy policy as part of the notice, that way the 'notice' doesn't have to ruin your nicely designed forms.
Once a contact submits their information, your systems should automatically store a copy of the notice that was provided, information about which consent was provided, and the timestamp of the interaction.
Alongside that change, you should also make it easy for your contacts to choose their own communication preferences such as one-to-one sales emails, marketing emails, sales offers, and customer updates etc. One reason why the HubSpot Growth Stack makes this simple is because all CRM, Sales, Marketing, and Website are in one platform so it's super easy to give you and your contacts complete control over their subscription preferences in one simple page. NICE!
Withdrawal of consent (or opt out)
Your contacts need the ability (as data subjects) to see what they signed up for, and withdraw their consent (or object to how you’re processing their data) at any time. In other words, withdrawing consent needs to be as easy as giving it.
Your systems should make it easy for each contact to withdraw their consent through a simple subscription preferences page. Alternatively, if you receive a 'manual' withdrawal of consent request, you should be able to modify the lawful basis contact property I mentioned above and update their communication preferences.
In addition, this isn't just about your marketing emails. You should consider your one-to-one emails. Do they include unsubscribe links?
Cookies
Your website visitors and contacts need to be given notice that you're using cookies to track them (in language they can understand) and they need to consent to being tracked by cookies.
*** One note from HubSpot was that they know the ePrivacy Regulation is coming, and that it may have an impact on how cookies are regulated. You need to make sure your systems providers are responsive to future changes and make it easy to help you comply.
Deletion
Your contacts have the right to request that you delete all the personal data you have about them. The GDPR requires the permanent removal of a contact from your systems, including email tracking history, call records, form submissions and more.
In many cases, you’ll need to respond to the request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply. You might want to take our free GDPR consultation might be a good idea before seeking legal advice.
Your systems should make it easy to perform a GDPR-compliant permanent delete. I'll cover this more in a future post.
Access and Portability
Just as your contacts can request that you delete their data, they can request access to the personal data you have about them. Personal data is anything identifiable, like their name and email address. If they request access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).
Your contacts can also request to see and verify the lawfulness of processing (see above).
You systems should enable you to grant any access/portability request by easily exporting a contacts record into a machine-readable format.
You should also be able to easily verify each contact's lawfulness of processing using the associated contact property I mentioned above.
Modification
Just as your contacts can request to delete or access their data, they can also ask your company to modify their personal data if it’s inaccurate or incomplete. If and when they do, you need to be able to accommodate that modification request.
Ideally, you should have a central system that makes it easy to change each contact's information plus some automated syncing setup to keep all other systems updated. More on this in future posts.
Security Measures
The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.
We use HubSpot so here's some detail about their updates (that you should look for in your providers). As part of HubSpot's approach to the GDPR, They've strengthened their security controls across the board. In addition to industry standard practices around encryption, HubSpot's infrastructure teams are also improving their systems for authentication, authorization, and auditing at a massive scale to better protect their customer's data. On this topic, you should make sure all your systems providers do the same and you might want to look at part 1 of this blog post series that includes links to the sort of policies that you should look for.
Some additional thoughts
What forms do you have on your website? Do they all give the correct notice, link to your privacy policy, include consent options to encourage 'opt-ins', and link directly with your CRM so you can automatically capture and audit the consent and notice.
That's it for this post. Keep an eye out for the next post where I'll be looking at the best way to synchronise data between your systems.
