Managing Lawful Bases for Data Processing
Table of Contents
- Switch on GDPR Compliance options
- The Lawful Bases
- Applying Lawful Bases with Zoho CRM
- Change lawful basis for records
- View Details and History of data processing basis
- Dashboard to view the data processing bases for all the records
Under compliance settings, you need to first switch on GDPR compliance settings if it applies to your business. Users with the Manage Compliance Settings profile permission can enable and view the features available under Setup > Users and Control > Compliance Settings.
To switch on GDPR compliance options
- Click Setup > Users and Control > Compliance Settings.
- In the Compliance Settings page, toggle on the enable button for Compliance Settings.
- From the Enable GDPR compliance for modules drop-down list, select the modules that contain data subjects' information.
You can edit this later from Setup > Users and Control > Compliance Settings > Preferences.
- Click Save.
The fundamental principle for handling personal data is that data must be processed lawfully and in a transparent manner. GDPR defines six lawful bases to process data. It is important to understand all of them as no one lawful basis is better than the others. Choosing the most appropriate basis depends on the purpose of data processing and your business requirements.
- Consent - When you have consent from the data subject to process their personal data. There must be a deliberate action on the part of the data subject to opt in or give consent.
Example: Collecting and processing personal data for marketing purposes or for sending newsletters.
- Contract - When you have a contract with an individual to supply goods or services requested by them. In this case, you process data to fulfill the contract.
Example: During a contract, when the customer asks for more information via email, the organization processes their personal data to respond to the request.
- Legal Obligation - When you have to process the data to comply with the law.
Example: An employee's salary details are needed by a government institution or an investigation requires the processing of the personal data.
- Vital Interests - When you need to process data to protect someone's life or in an emergency situation.
Example: Collecting personal details of the people to ensure their safety during an emergency or a fire.
- Public Tasks - When you need to carry out tasks in the public interest, usually as a government institution, political party, etc.
Example: A public authority that processes data for scientific research, surveys, or public health studies.
- Legitimate Interests - When your organization holds a genuine, legitimate reason to process data and the purpose does not harm the data subject's rights.
Example: A customer has not paid their invoice, so the company needs to process the customer's data to collect payment. Or, for administrative purposes, when an organization processes employees' personal data for payroll.
By default, all the records in the Leads, Contacts, and Vendors modules will have the Data Processing Basis set to Not Applicable when you enable GDPR from Setup > Users and Control > Compliance Settings. Once this is enabled, each record will have a Data Privacy section with the data processing basis details. You can change this at your discretion according to your business cases.
Once GDPR is switched on in your Zoho CRM account, each record will have a Data Privacy section where the data processing basis details are available. If Consent is the lawful basis, the options to send a consent form and update consent details manually will also be available. A new field called Source in the record's details page will also be available, which will store the data sources such as Web forms, APIs, Integrations, etc.
Any user who has the permission to view the record will be able to view and edit the Data Processing Basis section. If you use portals and the data processing basis is Consent, people who have access to the portal will be able to see the Data Privacy section and update their consent details.
If your business is running on Zoho CRM, you can process data based on any of the lawful bases mentioned earlier. Consent requires a deliberate action to opt in on the part of the data subject. It is therefore mandatory for the controller to keep a proper consent management system in place to obtain consent from the data subjects.
Zoho CRM's consent management system helps you obtain consent from your prospects and customers.
Consent management in Zoho CRM has the following options.
- Define Consent Settings
- Set up the consent form
- Add consent link in email template
- View the status of consent request
You can change the lawful data processing basis in the following ways:
- Select an individual record and update the details under Data Privacy.
- Create a list view to filter out the records and click the More icon > Update Data Processing Basis.
- Create a workflow rule to automate the process of updating the lawful basis for records that meet certain criteria.
Use the Data Processing Basis field to define the criteria.
You can view the details of the Data Processing Basis chosen for a particular data subject. Further, any changes that take place in this section will be logged chronologically under History.
For example, to send marketing related emails to your customers, you need their consent. Hence, you send a consent form via email and when it's submitted, the consent details are automatically updated in your CRM account and can be viewed in the Details section. History displays the list of actions carried out in a record pertaining to data processing basis, right from creation of a record.
To view details and history
- Open the data subject's record in your CRM account.
The record could be in the Leads, Contacts, Vendors or any other custom module for which GDPR Compliance is enabled.
- Click Data Privacy.
- Under the Data Processing Basis section, switch between Details and History.
Go to Setup > Users and Control > Compliance Settings > Overview, to view the dashboard that gives you the following details:
- Number of records that have the lawful basis marked as Not Applicable.
You can also view these records and update their lawful basis.
- Number of records that have been updated with one of the lawful bases.
The records are categorized as Consent or Other Basis. You can also view these records and update their lawful basis.
- Chart that displays the consent status - Pending, Waiting, Obtained.
Click on the status to view the records.
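The record-level behaviour described in the three sections above (the Not Applicable default, bulk updates by criteria as a list view or workflow rule would do, the chronological history log, and the Overview counts) as an added Python model. This is illustrative code, not Zoho CRM's own implementation or API; the basis and status names come from this page, while the class and function names and the history tuple layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

LAWFUL_BASES = {"Consent", "Contract", "Legal Obligation", "Vital Interests",
                "Public Tasks", "Legitimate Interests"}
CONSENT_STATUSES = {"Pending", "Waiting", "Obtained"}  # statuses on the Overview chart

@dataclass
class Record:
    """One Leads/Contacts/Vendors record with its Data Privacy section (assumed shape)."""
    name: str
    source: str                      # Web forms, APIs, Integrations, ...
    basis: str = "Not Applicable"    # default once GDPR compliance is switched on
    consent_status: Optional[str] = None
    history: list = field(default_factory=list)  # chronological log of basis changes

    def set_basis(self, basis, actor, consent_status=None, when=None):
        """Change the Data Processing Basis and log who changed it, from what, and when."""
        if basis not in LAWFUL_BASES | {"Not Applicable"}:
            raise ValueError(f"unknown lawful basis: {basis}")
        if basis == "Consent":
            # Consent must be tracked as a request: opt-in is a deliberate action,
            # so a Consent basis without a consent status is rejected.
            if consent_status not in CONSENT_STATUSES:
                raise ValueError("Consent basis requires a consent status")
        else:
            consent_status = None      # consent tracking only applies to Consent
        when = when or datetime.now(timezone.utc)
        self.history.append((when, actor, self.basis, basis, consent_status))
        self.basis, self.consent_status = basis, consent_status

def update_basis_where(records, predicate, basis, actor, consent_status=None):
    """Bulk update, like the list-view or workflow-rule path; returns how many changed."""
    changed = 0
    for r in records:
        if predicate(r):
            r.set_basis(basis, actor, consent_status)
            changed += 1
    return changed

def overview(records):
    """Counts shown on the Compliance Settings > Overview dashboard."""
    summary = {"Not Applicable": 0, "Consent": 0, "Other Basis": 0,
               "consent_status": {s: 0 for s in CONSENT_STATUSES}}
    for r in records:
        if r.basis == "Not Applicable":
            summary["Not Applicable"] += 1
        elif r.basis == "Consent":
            summary["Consent"] += 1
            summary["consent_status"][r.consent_status] += 1
        else:
            summary["Other Basis"] += 1
    return summary
```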
1. What are the lawful bases the data controller can use to process customer data?
The data controller can choose from the following six data processing bases:
- Contract - This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
- Legal Obligation - This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
- Vital Interests - This applies to urgent matters of life and death, especially with regards to health data.
- Public Task - This applies to activities of public authorities.
- Legitimate Interests - Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
- Consent - Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
2. What is LIA?
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary.
An LIA is split into three steps:
- The assessment of whether a legitimate interest exists.
- The establishment of the necessity for processing.
- The performance of the balancing test.
3. Who or what is a DPO?
A Data Protection Officer (DPO) assists you to monitor internal compliance, informs and advises you on your data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs), and acts as a contact point between data subjects and the supervisory authority. A DPO also serves as the point of contact between the company and any Supervisory Authorities (SAs) who oversee activities related to data processing. Every organization is recommended to have a DPO.
4. How can GDPR be enabled for existing customers?
You can enable GDPR for existing customers by clicking Setup > Users and Control > Compliance Settings, turning compliance settings on, and selecting the modules for which compliance will be applicable.
5. What will happen to my existing data in Zoho CRM after GDPR takes effect?
After GDPR takes effect on May 25, all existing records in your Zoho CRM account will need to be marked under the appropriate lawful processing basis. You can do this through:
- The Overview page
- List View of the relevant module
- Individual records
Note: The content presented herein is not to be construed as legal advice. Please contact your legal advisor to know how GDPR impacts your organization and what you need to do to comply with the GDPR.