The General Data Protection Regulation (GDPR) is a regulation adopted by the EU Parliament and Council which protects the personal data of EU citizens. It was passed into legislation in May 2016 and comes into full force on May 25, 2018.
While this is not the first law aimed at protecting personal data in the EU, GDPR consists of regulations which are changing the privacy landscape dramatically. The regulation applies to any organization or body operating in the EU, but it also covers any worldwide organization or entity that handles EU citizens’ private data. GDPR also defines expensive fines for any breach of compliance: €20 million or 4% of a company’s global turnover, whichever is higher. It is no wonder, with these two facts alone, that the regulation has attracted a lot of attention.
This document was created to help organizations using vTiger prepare for GDPR compliance. It covers the vTiger software and describes how to use vTiger features to perform the preparation activities and routine tasks needed for GDPR compliance. However, it does not describe the processes inside your organization which need to be performed both at the preparatory stage and thereafter. This whitepaper is based on the UK Information Commissioner’s Office recommendations and checklist.
You can also find more information about GDPR at the EU GDPR Portal.
This section provides guidance for performing the actions required by GDPR both before and after May 25, 2018, when the regulation goes into effect.
GDPR guides and checklists recommend performing an organizational data audit in order to identify all components and systems used in your organization that store and process personal data. By its nature, the vTiger software collects, stores and processes personal data of your customers. Your organization needs to discover and document the systems, components and physical elements of your infrastructure which store personal data of your customers. That is why we have documented the relevant vTiger software components here for your convenience.
vTiger uses the following entities to store personal data:
There are also special cases like:
- Web tracking: this feature can collect different data, including personal data. The exact content depends on the scripts used by your organization, so please review your web tracking scripts closely to understand whether your instance of vTiger tracks personal data.
The specific structure of these entities depends on the particular configuration of your vTiger instance. You can use the Entity management feature or CRUD form to inspect the content of each entity.
During the data audit, we advise you to set the property Auditable to True for all entities containing personal data. This enables data audit trails for tracking changes to personal data inside your vTiger.
All data for vTiger entities is stored in the database (MySQL or PostgreSQL – depending on the specifics of your deployment).
Web server access logs, as well as any other system logs configured by your organization’s sysadmins, can also contain personal data as part of a request or query, so these logs must also be reviewed during the audit.
vTiger uses various integrations with identity providers and services, e-marketing sending systems, e-commerce and help-desk systems. This means that vTiger can exchange personal data with these systems, so you need to define which data is sent, provide this information to users (if requested) and develop a process for coordinating users’ requests with these systems (e.g. deleting personal data).
Collect, store and present user’s consent for personal data
Collecting consent in vTiger
vTiger does not allow users to create their own records, so it is the responsibility of the person who creates a new record in the CRM to collect consent from your customer for the storing and processing of their personal data.
However, existing vTiger data may contain records for which user consent needs to be collected before May 25, 2018. We recommend creating a Segment containing such users (e.g. citizens of an EU country) and sending them an email using our Marketing campaign feature. All replies consenting to the storing and processing of their information must be handled by your team. How to store customer consents in vTiger is described in the next section.
Storing and reporting collected consents
In order to store and present a user’s consent for personal data processing, you need to create an additional boolean field for every module listed in the module manager section. This can be done using the module manager -> Create field feature. We recommend using the checkbox type. We also recommend setting the field properties Show on view and Auditable to Yes.
Since this field’s default setting is No, a person creating a new record with personal data must explicitly set it to Yes if consent is given by the owner of this personal data.
Having this field added to all modules storing personal data will enable your organization to create a report for GDPR compliance.
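One way to build that compliance report from a vTiger CSV export, as an added example that is not CRMTiger’s or vTiger’s own code: it assumes the module was exported with the standard Export feature and that the consent checkbox was labelled "GDPR Consent" (a hypothetical label; the column names `Contact Id` and `Mailing Country` are likewise assumptions to be mapped onto your own export headers). It also builds the EU segment for the consent email campaign described earlier, and refuses to run if the consent column is missing, so an export from a module that never got the field cannot be mistaken for one where everybody consented.

```python
"""Consent report over a vTiger CSV export.

Added example, not CRMTiger's or vTiger's own code. Assumes the module was
exported with vTiger's standard Export feature and that the GDPR consent
checkbox was labelled "GDPR Consent" (hypothetical label; use your own).
vTiger may write a checkbox as "1"/"0" or "yes"/"no" depending on version,
so both spellings are accepted. The sample rows are constructed.
"""
import csv
import io

# Hypothetical column labels; adjust them to the headers of your own export.
ID_COL = "Contact Id"
CONSENT_COL = "GDPR Consent"
COUNTRY_COL = "Mailing Country"

# Spellings treated as "consent given"; anything else (including an empty
# cell) counts as no consent, so the report fails closed.
TRUTHY = {"1", "yes", "true", "on"}

# EU member states as of May 2018, used to build the e-mail campaign segment.
EU_COUNTRIES = {
    "Austria", "Belgium", "Bulgaria", "Croatia", "Cyprus", "Czech Republic",
    "Denmark", "Estonia", "Finland", "France", "Germany", "Greece", "Hungary",
    "Ireland", "Italy", "Latvia", "Lithuania", "Luxembourg", "Malta",
    "Netherlands", "Poland", "Portugal", "Romania", "Slovakia", "Slovenia",
    "Spain", "Sweden", "United Kingdom",
}

# Constructed sample export; not real customer data.
SAMPLE_EXPORT = """\
"Contact Id","First Name","Last Name","Email","Mailing Country","GDPR Consent"
"CON1","Anna","Example","anna@example.org","Germany","1"
"CON2","Ben","Example","ben@example.org","France","0"
"CON3","Cara","Example","cara@example.org","United States","0"
"CON4","Dirk","Example","dirk@example.org","Netherlands",""
"CON5","Eva","Example","eva@example.org","Spain","yes"
"""


def has_consent(value):
    """True only for an explicit affirmative value in the consent column."""
    return (value or "").strip().lower() in TRUTHY


def consent_report(csv_text):
    """Summarise consent status for every record in the export.

    Returns total/consented counts, the ids still lacking consent, and the
    subset of those in EU countries, which is the segment to e-mail.
    Raises ValueError if the consent column is absent instead of silently
    reporting every record as non-consenting.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if CONSENT_COL not in (reader.fieldnames or []):
        raise ValueError("export has no %r column" % CONSENT_COL)
    rows = list(reader)
    missing = [r for r in rows if not has_consent(r.get(CONSENT_COL))]
    return {
        "total": len(rows),
        "consented": len(rows) - len(missing),
        "missing": [r[ID_COL] for r in missing],
        "campaign_segment": [r[ID_COL] for r in missing
                             if r.get(COUNTRY_COL) in EU_COUNTRIES],
    }


if __name__ == "__main__":
    report = consent_report(SAMPLE_EXPORT)
    print("records:", report["total"], "with consent:", report["consented"])
    print("no consent yet:", ", ".join(report["missing"]))
    print("EU segment for consent campaign:", ", ".join(report["campaign_segment"]))
```

Because the field is Auditable, the audit trail records who set the checkbox and when, so the report can be reconciled against the campaign replies your team handled.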
Exercising user rights
In the following sections, we will provide CRMTiger’s recommendations for executing actions from user requests for exercising all personal data protection rights declared in GDPR.
Right to access
Under GDPR, a person has the right to confirm whether his/her personal data is stored and processed. The person also has the right to access this data, including information about the exact data structure. This right can be requested in many different ways.
vTiger supports easy-to-use yet powerful search capabilities which help find all module records related to the particular person requesting personal data information. You can use vTiger Reports or the Export option from a module to inspect, collect and export information about the personal data stored.
Right to rectification
GDPR protects the right for an individual to correct personal data if it is incorrect or outdated. This can be done by a special request. vTiger search and CRUD tools are perfect for fulfilling these requests. Your personnel responsible for user data management can rectify the personal data in the system.
Right to data portability
One of the newest requirements in privacy protection is the right of individuals to obtain and reuse their personal data in another system or organisation.
From a technical point of view, this means that your organisation must be able to export personal data into a machine-readable format. While the exact format is not yet defined by regulators, vTiger can export any entity into CSV format using the standard Export feature. CSV is currently a suitable format for personal data portability.
Right to erasure
GDPR outlines that a person can ask for their personal data to be deleted from informational systems.
The task of personal data erasure has many different aspects. Here are the points to execute and consider:
Deleting standard modules
vTiger stores personal data in the entities described in the Data Audit section of this document. All records in entities containing personal data can easily be found using the Search feature in our system. All entities support deletion of a record, making it simple for authorized users.
Systems connected via integrations
You need to request data erasure from systems and integrations connected to your vTiger instance using the communication procedures developed during data audit.
The Webtracking feature of vTiger is a highly flexible and powerful tool for collecting and analysing data received from connected sites. Because of the highly customized nature of tracking scripts, we recommend checking tracking events for the presence of personal data which has to be erased.
At the moment GDPR does not contain any direct requirement to clean up backups, which can be a technical challenge. However, keep in mind that a system failure and DB restore can happen right after data removal, which would bring the deleted data back. This is why we recommend keeping requests for erasure open until the next cycle of the DB backup process and checking that the personal data has actually been deleted before closing the request.
Here is an example of a process where a system backup is made every night outside of business hours:
- Operator deletes personal data from vTiger but keeps request open.
- On the next morning, the operator or the operator’s controller/supervisor checks open requests for erasure of personal data in vTiger and closes the request if the erasure is confirmed.
It is also a good idea to develop procedures for restoring databases from backups older than the regular ones (e.g. if your organisation decides to roll back the database and restore a 2-month-old backup).
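The bookkeeping behind that process, as an added example that is not CRMTiger’s or vTiger’s own code: an erasure request can be closed only when the record has been deleted, a backup has completed after the deletion, and the record is confirmed absent. The same records also answer the rollback question above, since every deletion made after the timestamp of the backup being restored is undone by the restore and must be repeated. The request ids, backup times and the in-memory set standing in for "records currently in vTiger" are constructed; in practice that presence check would be a vTiger search or a database query.

```python
"""Erasure requests tracked across the nightly backup cycle.

Added example, not CRMTiger's or vTiger's own code. A request is closed only
once a backup has completed after the deletion and the record is confirmed
absent; after a restore from an older backup, the deletions made since that
backup are listed for re-application. Ids, timestamps and the set standing in
for "records currently in vTiger" are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class ErasureRequest:
    request_id: str
    subject_id: str                       # vTiger record id or another stable key
    deleted_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None


def can_close(req: ErasureRequest, backups_completed_at: List[datetime],
              current_ids: Set[str]):
    """Return (ok, reason). Every check must pass before closing."""
    if req.deleted_at is None:
        return False, "record not yet deleted"
    if req.subject_id in current_ids:
        return False, "record still present"
    if not any(b > req.deleted_at for b in backups_completed_at):
        return False, "no backup has completed since the deletion"
    return True, "verified"


def close_if_verified(req, backups_completed_at, current_ids, now):
    """Close the request only when can_close() passes; returns (ok, reason)."""
    ok, reason = can_close(req, backups_completed_at, current_ids)
    if ok:
        req.closed_at = now
    return ok, reason


def erasures_to_reapply(requests, restored_backup_taken_at):
    """After restoring a backup taken at the given time, every deletion made
    after that point has been undone by the restore and must be repeated."""
    return [r.request_id for r in requests
            if r.deleted_at is not None and r.deleted_at > restored_backup_taken_at]


# Constructed scenario: nightly backups at 02:00 and three open requests.
BACKUPS = [datetime(2018, 5, 20, 2), datetime(2018, 5, 21, 2), datetime(2018, 5, 22, 2)]
REQUESTS = [
    ErasureRequest("ER-1", "CON1", deleted_at=datetime(2018, 5, 20, 10)),
    ErasureRequest("ER-2", "CON2", deleted_at=datetime(2018, 5, 22, 10)),
    ErasureRequest("ER-3", "CON3", deleted_at=datetime(2018, 5, 20, 11)),
]
# What the CRM still holds at review time: CON3's deletion did not go through.
CURRENT_IDS = {"CON3", "CON4"}


def morning_review(now=datetime(2018, 5, 22, 11)):
    """The next-morning check from the process above; returns request -> reason."""
    return {r.request_id: close_if_verified(r, BACKUPS, CURRENT_IDS, now)[1]
            for r in REQUESTS}


if __name__ == "__main__":
    for rid, reason in morning_review().items():
        print(rid, "->", reason)
    print("re-apply after restoring the 2018-05-21 02:00 backup:",
          erasures_to_reapply(REQUESTS, BACKUPS[1]))
```

In the constructed scenario ER-1 is closed, ER-2 stays open because no backup has run since its deletion, and ER-3 stays open because the record is still present; rolling back to the May 21 backup would require re-applying ER-2 only.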
Other checkpoints to pay attention to
Transferring personal data outside of your organization
GDPR strictly prohibits the transfer of personal data outside of the EU. This affects, for example, a US-based company with technology centers located outside of the EU. That is why we ask you to obfuscate any production data (like DB dumps, reporting, etc.) to minimize the spreading of sensitive data.
vTiger, by its business function, does not handle any module containing personal data which has a kind of expiry date. Your organisation can consider cleaning contacts and other entities using any criteria through our filtering capabilities. In addition, we recommend that users proactively check whether the data they collect is necessary for the business. Identifying unused data reduces risk and the amount of work for purging data.
In order to be compliant with GDPR, your organisation needs to perform preparation steps to be ready for GDPR enforcement on May 25, 2018, and implement routine processes that address GDPR requirements.
Things to do with vTiger before May 25
- Perform a data audit.
- Add a data field for consent to store in vTiger modules.
- Create and run email marketing campaigns to collect consent from existing users for personal data that is already stored and processed.
- Update records for those who gave consent.
- Delete records for those who have not provided consent.
- Develop procedures and scripts for DB exports to support personal data obfuscation.
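A starting point for the obfuscation script in the last step, and for the request above to obfuscate DB dumps before they leave the EU, as an added example that is not CRMTiger’s or vTiger’s own code. Directly identifying columns are replaced by keyed tokens (HMAC-SHA256, truncated), so the same email still maps to the same token in every exported table and joins or debugging keep working, while the key, kept inside the EU, is needed to relate a token back to a person; free-text columns are blanked because they may contain names or addresses in prose. The column names, the demo key and the sample rows are constructed, and the function also runs a self-check that none of the original personal values survive in the output.

```python
"""Pseudonymising a vTiger CSV export before it leaves the EU.

Added example, not CRMTiger's or vTiger's own code. Personal-data columns are
replaced by keyed tokens (HMAC-SHA256, 16 hex chars) so equality is preserved
across tables without revealing the value; free-text columns are blanked.
Column names, the key and the sample rows are constructed for the example.
"""
import csv
import hashlib
import hmac
import io

# Hypothetical column groups; map them onto the headers of your own export.
PSEUDONYMISE = {"First Name", "Last Name", "Email", "Phone"}  # equality preserved
BLANK = {"Description"}                                       # free text: dropped
# Everything else (record ids, country, consent flag, dates) is kept as-is.

# Constructed key; in practice generate it with a CSPRNG and keep it in the EU.
DEMO_KEY = b"replace-with-a-random-key-kept-inside-the-eu"

# Constructed sample export; not real customer data.
SAMPLE_EXPORT = """\
"Contact Id","First Name","Last Name","Email","Phone","Mailing Country","GDPR Consent","Description"
"CON1","Anna","Example","anna@example.org","+49 30 000000","Germany","1","Met Anna at the Berlin fair"
"CON2","Ben","Example","Ben@Example.org","","France","0",""
"""


def token(key: bytes, value: str) -> str:
    """Keyed, case-insensitive token; an empty input stays empty."""
    norm = value.strip().lower()
    if not norm:
        return ""
    return hmac.new(key, norm.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def obfuscate_export(csv_text: str, key: bytes) -> str:
    """Rewrite an export so it carries no directly identifying values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col, val in row.items():
            if col in PSEUDONYMISE:
                row[col] = token(key, val)
            elif col in BLANK:
                row[col] = ""
        writer.writerow(row)
    return out.getvalue()


def leaked_values(original_csv: str, obfuscated_csv: str):
    """Self-check before shipping: list original personal values still present.

    Deliberately conservative (substring match, case-insensitive): a false
    positive costs a manual look, a false negative ships personal data.
    """
    sensitive = set()
    for row in csv.DictReader(io.StringIO(original_csv)):
        for col in PSEUDONYMISE | BLANK:
            v = (row.get(col) or "").strip()
            if v:
                sensitive.add(v)
    lowered = obfuscated_csv.lower()
    return sorted(v for v in sensitive if v.lower() in lowered)


if __name__ == "__main__":
    safe = obfuscate_export(SAMPLE_EXPORT, DEMO_KEY)
    print(safe)
    print("leaked:", leaked_values(SAMPLE_EXPORT, safe))
```

The same key must be used for every table in one dump, otherwise the tokens for one contact no longer line up between, say, Contacts and Tickets; rotating the key for a later dump is fine and is what prevents tokens from different dumps being correlated.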
Are you tense, or do you need further help? CRMTiger is always here to help you.
Drop us an email at firstname.lastname@example.org or contact us on Skype: CRMTiger
Do You Need More Information?