Stay GDPR compliant with Zoho CRM
Mere protection of a customer's personal data is not enough. GDPR requires that you are transparent and secure in handling their personal data. Make your data collection and data processing comply with GDPR using Zoho CRM.
Here's how we can help you
- Track data sources and ensure double opt-in
- Obtain and manage consent
- Encrypt and secure personal data
- Address data subject requests easily
- Control the information shared with other applications
Keep track of the sources for your customer data, and validate your customer's interest in your service before you start processing their information.
With multiple sources for customer data (webforms, imports, manual creation, APIs, or third-party integrations), keep track of it all under the customer's record details. In the case of webforms, additional details like form name and IP address will be captured.
Enable the double opt-in mechanism for webforms so customers who submit their information will have to confirm their submission before their data is pushed into Zoho CRM. Double opt-in helps you get quality leads, and lets you dedicate time and resources on people who want to hear from you.
Ensure lawful and secure processing of your customer's personal data. Stay accountable by documenting the processing activities done on a customer's data.
Identify, categorize, and mark customers based on one of the six lawful bases for data processing: Legitimate Interest, Consent, Performance of a Contract, Legal Obligations, Vital Interest, or Public Interests.
Based on the type of customer and the personal information being processed, you must ask for their consent. Easily obtain consent through a customizable form, which you can email to your customers.
Mark fields that contain personal information and decide if the information is sensitive or not. Based on the preferences under the Compliance Settings, you can restrict information in these fields from being processed during exports, APIs, and connected services.
Zoho CRM uses one of the strongest and most robust ciphers - AES (Advanced Encryption Standard) - to encrypt your sensitive data. In addition to protecting data during transit, Zoho CRM secures data stored in servers using AES-256 encryption standard to ensure anonymity of customer information, in case of a leak or a breach.
Monitor your team's activities with audit logs, so you can track who did what and when. For example, all actions done by your users with respect to record deletion and modifications will be audited.
Data Subject Rights
Customers can exercise various rights they are entitled to under GDPR at any time. Keep track of these requests and address them in a timely manner.
Access (Right to Access)
Let your customers access their data through the Customer Portal. Or let them know they can access it by sending them an email, which you can create by inserting the required merge fields in a template.
Rectify (Right to Rectify)
Export customer information with ease, send to them for rectification, and update it in CRM. If customers have access to the Customer Portal, they can view their information there and update it themselves, when necessary.
Export (Right to Data Portability)
Export customer information as a CSV file, which is directly attached to an email, and then sent to the customer. This export ensures that no information is stored on external devices.
Stop Process (Right to Restrict Processing)
When this right is exercised, the customer's record gets locked automatically to prevent any further processing of the information.
Erase (Right to be Forgotten)
You can easily delete a customer's information from Zoho CRM when a "Right to be Forgotten" is requested. Once deleted, the record will be moved to a blocklist to warn users when the same record is being pushed into the system again.
- Data Subject- Any person whose personal data you collect or process.
- Data Controller- The person who determines the purpose and methods for processing the data.
- Joint Controllers- Two or more controllers who jointly determine the purposes and methods of processing data.
- Data Processor- The person or company who processes data on behalf of the controller.
- Data Sub-Processor- A third party individual or business which performs data processing for other companies, and is accountable for the processing of data.
- Supervisory Authorities- Public authorities who monitor the application of GDPR.
- 1. Contract- This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
- 2. Legal Obligation- This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
- 3. Vital Interests- This applies to urgent matters of life and death, especially with regards to health data.
- 4. Public Task- This applies to activities of public authorities.
- 5. Legitimate Interests- Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
- 6. Consent- Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
- The assessment of whether a legitimate interest exists.
- The establishment of the necessity for processing.
- The performance of the balancing test.
A DPO also serves as the point of contact between the company and any Supervisory Authorities (SAs) who oversee activities related to data processing. It is recommended to every organization to have a DPO.
- The Overview page
- List View of the relevant module
- Individual records
Data source tracking- Zoho CRM records the source of the data (direct sources like web forms and indirect sources like the UI, imports, APIs and other third-party integrations), and additional details, if any (eg. URL, IP address), in the record's Details page. These details are shared with the customer, on request.
Marking personal fields- Users have the option to mark those fields containing personal data and also mark the sensitive fields.
Data subject rights- Your customers also have the right to ask to access, rectify, delete, export and restrict their data from being processed. As the data controller, you need to perform those actions.
- The Right to Access- Customers have the right to know exactly what information is held about them and how it is processed. (GDPR Article 15)
- The Right to Rectify- Individuals/customers have the right to get their personal data rectified, in case it is inaccurate or incomplete. ( Article 16)
- The Right to Portability- Customer-specific information can be exported, attached to an email, and sent to customers in a machine readable format (CSV), without being downloaded onto your device (Article 20).
- The Right to Restrict Processing- Individuals have the right to limit the purposes for which the controller can process their data. (Article 18)
- The Right to Erasure- Also known as "The Right to be Forgotten," individuals have the right to have their personal data deleted or removed whenever they want. (Article 17).
They can be fined 2% of their annual global turnover, or 10 million euros (whichever is higher), for not having their records in order, not notifying the supervisory authority and customer about a breach, or not properly conducting an LIA.
Some of these transfer mechanisms are the Binding Corporate Rules (Article 47), Privacy Shield and Model Contractual Clauses, among others. So if you have data in the US (zoho.com) and have signed the Data Processing Addendum (DPA), your data is safe.
The DPA, which references the EU Model Contractual Clauses will still help in the transfer of data from non-EU countries. If you'd like us to send you your updated DPA, send an email to firstname.lastname@example.org and clearly mention if you've signed up in zoho.com or zoho.eu
However, if you really need to migrate your data to the EU DC, you can send an email to email@example.com mentioning all the services you are using. This email will be forwarded to the relevant product teams.
- About supervisory authorities- https://www.i-scoop.eu/supervisory-authorities-consistency-and-data-protection-authorities-dpas/
- EU Data Protection Supervisor- https://edps.europa.eu
- Website of EU GDPR- https://gdpr.eu/
- Rules for businesses and organizations- https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
- Your organization's guide to GDPR- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Go to Setup > Customization > Modules and Fields
- Hover your mouse pointer over the module that has the data subjects' personal information.
- Click Manage Personal Fields from the drop-down list.
- In the Manage Personal Fields section, click Mark Personal Field.
- Select the data type as either Normal or Sensitive.
- Click Done.
- Go to Setup > Developer Space > Webforms > Create Web Form.
- Drag and drop the fields that you want in your web form.
- Click Next Step. In the Form Details page, enter the relevant form details.
- In the Manage Personal Fields section, click Mark Personal Field.
- Select the Enable Double Opt-In slider and save the changes.
- Restrict Data Transfer to Zoho Apps/ Integrations
- Restrict Data Access through API
- Restrict Data in Export
- Restrict Data Access to Third Party Apps
- Go to Setup > Users and Control > Compliance Settings.
- Click on the Preferences tab.
- Under Personal Data Handling, select where you would like to restrict data transfer (Zoho Apps, Third-party apps, APIs, Export)
Disclaimer : The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.