A GDPR Data Privacy solution for SuiteCRM provides companies like yours with the tools to build trust while enhancing customer experiences. This customized solution is not just about meeting GDPR regulatory requirements; it builds data privacy best practices into how companies do business. It is an opportunity for the Company's customers to build a relationship based on trust and transparency with their own customers.
User Guide
Download Data Privacy Request Form
Admin->GDPR : Data Privacy Configuration->Download Data Privacy Request Form
Download the GDPR-ready form for data privacy requests and host it on the server or website where your customers will submit their data privacy requests. Each request coming from the form creates a Data Privacy Request record in SuiteCRM and relates the request to a matching Contact/Lead/Prospect based on email.
Note: By default, the form is created to suit general needs. If you wish to edit any information in the form, you can edit the code in your SuiteCRM file system. The file path is modules/ut_DP_Request/dataprivacy_requestform.html
Consent Management
There are many ways to get consent from data subjects. One of the simplest is a data capture form on which the customer selects consent options such as Marketing Email, Call, SMS, Postal Marketing or Business Processing.
- Consent form - We have created an action in the List view from which the user can send an email with a link to the Consent Form, so customers can select the opt-in options of their choice themselves. The customer's choice is captured automatically once the form is submitted. You can send a mass email to a list of records.
- Create Data Privacy record manually - When you get consent during a call or in person, you can create the Data Privacy record, relate the data subject (Contact/Lead/Prospect) to it, choose the Request type and set the consent. Upon completing the DP request, the data subject (Contact/Lead/Prospect) is updated automatically with the consent chosen, and the Consent Last updated date is captured.
- Update Data subject manually - When you get consent during a call or in person, you can update the data subject (Contact/Lead/Prospect) record manually. By default, users do not have this option in the edit view. If your organization wants to update it manually, add those fields to the EditView from Studio.
Stages in Consent Management
- Pending - When the request for consent is not sent to the data subjects.
- Waiting - When the consent form has been sent and you are waiting for a reply. This option is automatically updated to Not Responded if the waiting period (30 days) is over and we haven't received the decision.
- Obtained - When you have received consent from the data subject.
- Not Responded - When you have not received consent from the data subject within the waiting period defined in the Consent Settings.
Consent fields available for the Data Subject(Contact/Lead/Prospect)
- Consent Obtained: Dropdown that shows the consent received (Email Marketing/Call/SMS/Postal Marketing/Business Processing)
- Consent Last updated: Date of last consent received
- Consent Status: Dropdown that shows the current status (Pending/Waiting/Obtained/Not responded)
- GDPR Request: A dropdown field (In progress/Complete). This field can be viewed as a color indicator to know whether the person has any open DP request
- Restrict Processing?: A Yes/No field. If it is set to Yes, the person should not be contacted or processed. The person has asked for further processing of their data to be restricted.
It is the Organisation's responsibility to implement the right approach to contacting and processing customers' data. The above fields can be used in different ways to get a step closer to it, for example to filter people out when generating a target list for an email campaign, calling, text messaging, etc.
Data Privacy Requests (DPR):
The Data Privacy Request module holds the requests received from the Data Privacy Request webform. The information provided over the webform will be processed solely for the purpose of verifying identity and residency and identifying the information the person is requesting. The personal information will be accessed by the Data Privacy Manager only. Your proof of ID and residency will be deleted once your request has been answered.
As per the GDPR regulation, the requests need to be preserved with the proof of identity, as the requester could be making a request on behalf of the person.
Upon receiving the request, the system automatically creates a Data Privacy (DP) module record and, based on the email address provided, relates the matching contact/lead/prospect to the DP record.
The DPM will take the necessary actions on the DP record, and once the DP request is closed, the uploaded proof of identification and proof of address will be removed from the system.
Data Privacy (DP):
The Data Privacy module is the main module where the DPM can manage or perform the requests made by customers related to data privacy. Based on the request made, several actions are available to the DPM to help resolve the request.
The module holds important fields such as GDPR request number, Type of request, Status, Related (Contact/Lead/Prospect), Date receive, Due Date, Date Closed, etc.
There are different types of Data Privacy request:
- Request for Data Access
- Rectify Information
- Request to Erase Data
- Request for Portability
- Restrict Data Processing
- Consent to Process
- Withdraw Consent
Each DP request, when viewed, has several actions for the DPM to perform:
Complete: This marks the request as completed and assumes the DPM has taken the necessary actions beforehand. This action is irreversible, and it sets the Date Closed field to the current date.
Reject: There are several reasons why a request made by a customer may be improper or lack authenticity. The DPM can perform the Reject action by recording the Reason for rejection.
Request for Data Access
Once a customer requests data access, either by filling out the GDPR Request form or by email or phone, the DPM will review the request and can export the data in the PII category into Word or PDF format as needed. Once the request is satisfied, the DPM closes the Data Privacy Request by pressing the Complete button on the detail view of the Data Privacy record. By default, the system sets the Closed date to the current date.
Rectify Information
Upon this request, the DPM will verify the change of information asked for by the client. The DPM manually makes the appropriate changes to the personal information as asked by the client and marks the request as completed.
Request to Erase Data
Once the DPM gets a request for erasure, the DPM will review the request and verify it against the Proof of Identity and Proof of Address provided by the customer in the GDPR Data Request form. The DPM has an Erase Info button on the detail view of the Data Privacy record, which gives the option to Anonymize or Delete the records from the system. The action searches for the first name, last name or email address of the related entities and lists the records across the entire system that share the same information. The DPM can choose the persons whose data should be anonymized or deleted.
Once they complete the erasure process, the personal fields will have their values replaced with ****. Personal information from the audit logs will also be removed.
Anonymize: Makes the field values of the selected record(s) unidentifiable (anonymized) based on the configuration made in Personally Identifiable Information (PII). The fields will be replaced with the value ****
Archive: Marks the selected record(s) as deleted (soft delete). The record remains in the database but is not visible in the application.
Delete: Deletes (hard delete) the selected record(s) from the database so that they cannot be retrieved again.
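The three erase actions side by side, as an added illustration in Python rather than code from the product: the record layout, the `PII_FIELDS` list, and the function names are assumptions. It also shows why the DPM's selection step matters, since matching on first name alone pulls in an unrelated person.

```python
PII_FIELDS = ("first_name", "last_name", "email", "phone")  # assumed PII configuration
MASK = "****"  # replacement value named in the guide

def _norm(value):
    return (value or "").strip().lower()

def find_candidates(records, subject):
    """IDs of live records sharing first name, last name or email with the subject."""
    keys = ("first_name", "last_name", "email")
    return [r["id"] for r in records if not r["deleted"] and any(
        _norm(subject.get(k)) and _norm(r.get(k)) == _norm(subject.get(k)) for k in keys)]

def erase(records, audit_log, selected_ids, action):
    """Apply anonymize / archive / delete to the selected records; returns new lists."""
    if action not in ("anonymize", "archive", "delete"):
        raise ValueError(f"unknown action: {action}")
    chosen = set(selected_ids)
    records = [dict(r) for r in records]  # work on copies, leave the input untouched
    if action == "delete":  # hard delete; dropping its audit rows too is an assumption
        return ([r for r in records if r["id"] not in chosen],
                [a for a in audit_log if a["record_id"] not in chosen])
    for r in (r for r in records if r["id"] in chosen):
        if action == "archive":  # soft delete: row stays in the database, hidden in the UI
            r["deleted"] = True
            continue
        for f in PII_FIELDS:  # anonymize: mask configured PII fields that hold a value
            if r.get(f):
                r[f] = MASK
    if action == "anonymize":  # earlier PII values must not survive in the audit log
        audit_log = [a for a in audit_log
                     if not (a["record_id"] in chosen and a["field"] in PII_FIELDS)]
    return records, list(audit_log)

# Constructed sample data: c2 is a different person who shares only a first name.
RECORDS = [
    {"id": "c1", "module": "Contacts", "first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.test", "phone": "555-0100", "deleted": False},
    {"id": "l1", "module": "Leads", "first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.test", "phone": "", "deleted": False},
    {"id": "c2", "module": "Contacts", "first_name": "Ana", "last_name": "Meyer", "email": "a.meyer@example.test", "phone": "555-0101", "deleted": False},
]
AUDIT = [
    {"record_id": "c1", "field": "email", "before": "ana.old@example.test"},
    {"record_id": "c1", "field": "status", "before": "New"},
    {"record_id": "c2", "field": "phone", "before": "555-0199"},
]
```

Archive leaves the personal values in the database, so only Anonymize and Delete actually remove them.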
Request for Portability
The DP record for this type of request has an action available for the DPM to fetch the Personally Identifiable Information (PII) of the person and produce it in a downloadable format as a PDF or Word file. The DPM can then send those files by email or as a printed copy, as per company policy or as needed. The usage of this action is similar to "Request for Data Access".
Restrict Data Processing
Once a customer requests the restriction, the DPM will review the request and, based on it, either complete or reject the request. If the DPM clicks the Complete button, the "Restrict Processing?" checkbox is set on the related records in supported modules. In future, any user can filter records on this flag when creating a Target List for a marketing campaign or any other means of follow-up with that customer.
Consent to Process
We have created an action in the List view from which the user can send an email with a link to the Consent Form, so customers can select the opt-in options of their choice themselves. The customer's choice is captured automatically once the form is submitted. In addition, the consent data is updated, such as the date consent was last updated and the consent status (Pending, Waiting, Obtained or Not responded). We have also introduced a mechanism for the case where consent has not been received within 30 days of sending the form: the system automatically finds the records that have been waiting for the last 30 days and updates them to Not responded.
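A sketch of the two checks this guide describes for consent data, the 30-day Waiting expiry and the target-list filter on consent and "Restrict Processing?", added here as an illustration and not taken from the product's code. The `DataSubject` class, the `consent_sent_on` field, and the treatment of exactly 30 days as expired are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WAITING_PERIOD = timedelta(days=30)  # waiting period stated in the guide

@dataclass
class DataSubject:  # hypothetical stand-in for a Contact/Lead/Prospect record
    email: str
    consent_status: str = "Pending"  # Pending / Waiting / Obtained / Not Responded
    consent_obtained: frozenset = frozenset()  # channels the person opted in to
    consent_sent_on: Optional[date] = None  # assumed field: when the form was mailed
    restrict_processing: bool = False  # the "Restrict Processing?" flag

def expire_waiting(subjects, today):
    """Flip Waiting records whose waiting period has passed to Not Responded."""
    expired = []
    for s in subjects:
        if (s.consent_status == "Waiting" and s.consent_sent_on is not None
                and today - s.consent_sent_on >= WAITING_PERIOD):
            s.consent_status = "Not Responded"
            expired.append(s.email)
    return expired

def target_list(subjects, channel):
    """Fail closed: only an explicit, obtained opt-in for this channel passes."""
    return [s.email for s in subjects
            if not s.restrict_processing
            and s.consent_status == "Obtained"
            and channel in s.consent_obtained]

def sample_subjects():
    """Constructed sample data."""
    return [
        DataSubject("a@example.test", "Obtained", frozenset({"Email Marketing", "SMS"})),
        DataSubject("b@example.test", "Obtained", frozenset({"Email Marketing"}),
                    restrict_processing=True),
        DataSubject("c@example.test", "Waiting", consent_sent_on=date(2024, 1, 1)),
        DataSubject("d@example.test", "Waiting", consent_sent_on=date(2024, 2, 20)),
        DataSubject("e@example.test", "Obtained", frozenset({"Call"})),
    ]
```

Pending, Waiting and Not Responded records never reach a target list here, and a restricted record is excluded even when consent was obtained earlier.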
Withdraw Consent
In a similar way, a customer can withdraw consent at any time by filling out the Request form with the options he/she would like to opt out of, such as Marketing Email, Call, SMS, Postal Marketing or Business Processing. When the DPM receives the request, they can either Complete or Reject it. If the DPM chooses Complete, the related records are automatically updated according to the withdraw-consent options selected by the customer in the original request.
Do you have any additional questions, are you unsure about any of the features listed, or would you like an additional feature? Feel free to get in touch with us.