GDPR and Zoho CRM
On this page, we'll be taking a look at what the new rules in GDPR are and how Zoho CRM can help you comply with them. We'll also help you understand how to protect your customers' data.
General Data Protection Regulation (GDPR) is a new set of rules designed to give EU residents control over how their personal data can be used by companies across the globe. At its core, these rules aim to protect the personal data of EU residents. This means organizations need to be well aware of the impact this will have on individuals and businesses who deal with EU residents' personal data. They also need to be well-prepared to follow consistent data protection compliance requirements.
First, let's get familiar with Controllers, Processors, and Data Subjects. It is essential to understand and identify the difference in the roles of each.
- Data Controller - The party that determines the purpose and means of processing personal data. The controller defines how the data should be used and why. Often, data controllers use an external service or another organization to process the data; this is where data processors come in. In this case, control over the collected personal data remains with the data controller and is not passed on.
- Data Processor - Organizations that process personal data on behalf of the controller are known as data processors. They have no control over what is done with the data, nor can they change the purpose of data collection. Processors get limited rights to process the data as per the instructions provided by the controller.
- Data Subject - The people whose personal information you collect are the data subjects. In a business, data subjects tend to be your customers and employees. You collect information from them, such as their name, address, phone number, and email address, in order to process it and contact them for business.
Zoho as a Data Processor
A data processor must have a secure system, tool, and method to collect and store personal data. Zoho CRM is equipped to comply with the GDPR as a data processor. There are many options in Zoho CRM that are designed to help you safeguard your customers' data and meet the security and privacy standards set in GDPR.
Data security and privacy are two different terms that are often used interchangeably. However, they have specific meanings:
- Data privacy revolves around the lawful collection and usage of personal data.
- Data security is having the physical, technical and administrative safeguards in place to protect your customer's data.
As a result, we've introduced options in Zoho CRM that will both:
- help you abide by the privacy rules, and
- provide you a secure platform to protect your customer’s data.
Permission Required: Users with the Manage Compliance Settings profile permission can view the features available under Setup > Users and Control > Compliance Settings.
To switch on GDPR compliance, go to Setup > Users and Control > Compliance Settings.
Users with the Manage Compliance Settings profile permission can enable it.
After you switch on GDPR compliance, you need to select the modules that contain data subjects' information and for which GDPR compliance is required. Along with the Info and Online sections, a Data Privacy section will be available for the records in these modules, where you can select a lawful basis to process the data.
By default, all the records in the selected modules will have the Data Processing Basis set to Not Applicable when you enable the GDPR Compliance setting from Setup > Users and Control > Compliance Settings. You can change this at your discretion, according to your business cases, and update the lawful bases for the records. See also: Change Lawful Basis
- Customize the consent form from Setup > Users and Control > Compliance Settings > Consent Form. See also: Customize Consent Form
- Include a link to the form in an email template. You can use this email template to send emails and get the consent details updated by the customers. You can also add the link to the form while composing an email and send it to the recipients. See also: Add Consent Link in an Email Template
Go to Setup > Users and Control > Compliance Settings > Overview, to view the dashboard that gives you the following details:
- Number of records that have the lawful basis marked as Not Applicable.
- Number of records that have been updated with one of the lawful bases.
- Chart that displays the consent status - Pending, Waiting, Obtained.
GDPR requires us to state the purpose and get clear consent when collecting personal information. There are features in Zoho CRM that will make the process of data collection and getting proper consent from the data subjects much easier and streamlined with the other processes and data within your CRM system.
Lawful Bases for Data Processing | Data Source Tracking | Consent Form | Double Opt-in Mechanism
Consent management plays a major role in processing data subjects' personal data in your Zoho CRM account. Along with it, you also need to make sure that personal information (normal or sensitive) is not processed and shared with third parties. Use the features in CRM for consent management, and protect your customers' data by marking sensitive fields and using EAR.
Mark Personal Fields | Consent Management | APIs for GDPR Compliance
Data Subject Rights
We need to be prepared when customers exercise their right to access their data and want to know what is being done with their personal data. They might also request that you stop processing their data or demand that it be erased. These options are handled in CRM in a way that lets you manage and keep track of all these various requests.
Right to Access | Right to Rectification | Right to Portability | Right to Erasure | Right to Stop Processing
1. What is GDPR, and how will it impact organizations?
The General Data Protection Regulation (or GDPR) is a new regulation developed by the European Union (EU) which involves the protection and free movement of personal data and the rights of individuals, including children. It is a set of rules which will replace the existing Data Protection Directive (Directive 95/46/EC), and will be enforced across the EU. GDPR will empower EU residents by putting them directly in control of how they want their data to be processed, and will protect their data privacy.
2. Who will GDPR apply to?
GDPR will apply to companies located in the EU, as well as companies who do business with residents of the EU, irrespective of the company's location.
3. What kind of data does GDPR apply to?
GDPR applies exclusively to personal data. Personal data is defined as "any information that relates to an identified or identifiable person, or data subject." This includes the data subject's (customer's) name, email address, location, and other online identifiers, such as IP address, social media profile, and types of website cookies.
4. Will GDPR compliance be applicable to all modules in Zoho CRM?
GDPR compliance is applicable only for the people-related modules in the organization. In Zoho CRM, GDPR applies to the Leads, Contacts, Vendors, and custom modules.
5. Who are the key stakeholders in GDPR?
Zoho CRM can help you in the GDPR compliance journey in the following ways:
- Data source tracking - Zoho CRM records the source of the data (direct sources like web forms and indirect sources like the UI, imports, APIs and other third-party integrations), and additional details, if any (e.g. URL, IP address), in the record's Details page. These details are shared with the customer on request.
- Marking personal fields - Users have the option to mark the fields containing personal data and also to mark sensitive fields.
- Data subject rights- Your customers also have the right to ask to access, rectify, delete, export and restrict their data from being processed. As the data controller, you need to perform those actions.
Note: The content presented herein is not to be construed as legal advice. Please contact your legal advisor to know how GDPR impacts your organization and what you need to do to comply with the GDPR.