As a Prospect 365 customer, you are the "controller" of your own data, but as the "processor" we also have responsibilities under GDPR. Being ISO 27001 certified, we are well placed to meet the new challenges of GDPR, but we are also undertaking several activities to enhance our readiness for GDPR. These include:
1. Where possible moving third party services (for code storage, performance analytics etc.) to Europe, or where this isn't possible establishing relevant GDPR safeguards and providing openness by publishing a list of the sub-processors.
2. Updating our Hosting Terms of Service to clearly demonstrate our GDPR compliance as a processor, and to set out the minimum we expect from our customers as data controllers.
3. Updating our existing ISMS policies to reflect certain implementation details of GDPR, including actions such as:
a) Implementing mandatory MFA (Multi-Factor Authentication) across our Azure hosting platform, CRM data and Microsoft Office applications.
b) Updating our policies for notifying customers of data breaches.
c) Providing additional information to customers on our security measures and policies.
As the data controller, you also have responsibility with regards to the personal data that you store in our platform, how you handle this data and how you keep it secure. Our new Terms & Conditions will set out the minimum GDPR responsibilities that we expect you to live up to as part of our hosting contract with you, but every customer is different and handles different forms of Personal Data for different reasons, and as such it is your responsibility to undertake your own GDPR assessments and set your own policies (while adhering to our terms as a minimum).
The following information should be considered for information purposes only - it is not legal or professional GDPR advice. It offers broad information and answers to common questions based on the key principles of GDPR.
| # | Principle | Description |
|---|-----------|-------------|
| 1 | Lawfulness, fairness and transparency | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| 2 | Purpose limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| 3 | Data minimisation | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| 4 | Accuracy | Personal data shall be kept accurate and, where necessary, kept up to date. |
| 5 | Storage limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. |
| 6 | Integrity and confidentiality | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. |
| 7 | Accountability | The controller shall be responsible for, and be able to demonstrate compliance with, GDPR. |

In addition, you have an obligation for accountability to the principles above and general compliance.
Compliance with most of those principles is more about the policies, processes and training that you put in place than about the specific systems you use. And with such a diverse range of customers in diverse industries, it is impossible for us to provide customers with pre-built policies and processes.
Below however is some useful information in the form of common questions asked by Prospect 365 users about our software (or related software) and their own GDPR policies and processes:
Q1: What security should I implement for the CRM data?
You should of course ensure that your users use sensible passwords. Prospect 365 by its nature is available from anywhere on the internet, so password policies and identity verification are much more important than they might be on an internal (LAN) application like ProspectSoft CRM Version 6 (running on-premise).
Prospect 365 provides a secure but basic user authentication process out-of-the-box. We strongly recommend however that your organisation configures SSO (single sign on) with MFA (Multi-Factor Authentication) in order to ensure a much higher level of security and more centralised control of identity and password policies.
For more information on SSO, please refer to the relevant product documentation: http://docs.prospect365.com/?q=SSO
Q2: With regards to the right to be forgotten, how do I remove data if requested to do so?
You could tackle this in a number of ways. One option you should consider is to redact your data, i.e. to keep the records in your system but replace all identifiable data (names, email addresses etc.) with unidentifiable (dummy) data. The other common approach is of course to cascade delete the data. You should consider whether this needs to involve a physical deletion rather than a flagging of data, since a flag alone leaves the personal data in place. You should also consider what your policy is with regards to copies and backups of your database.
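The two approaches above (redaction versus cascade delete), as an added illustration that is not Prospect 365 code: it uses a constructed two-table SQLite schema of my own (a contact with child activity rows) and includes a check that the original values no longer appear anywhere, which is the evidence you would keep for an erasure request.

```python
import sqlite3

# Constructed sample schema (an assumption, not the Prospect 365 schema): a contact
# table plus a child activity table whose rows cascade-delete with the contact.
SCHEMA = """
CREATE TABLE contact (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
    erased INTEGER NOT NULL DEFAULT 0);
CREATE TABLE activity (
    id INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contact(id) ON DELETE CASCADE,
    note TEXT);
"""

def open_db():
    """Create an in-memory database with constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE CASCADE otherwise
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO contact(id, name, email, phone) VALUES (?, ?, ?, ?)",
                   [(1, "Alice Example", "alice@example.com", "+44 1234 000000"),
                    (2, "Bob Example", "bob@example.com", "+44 1234 000001")])
    db.executemany("INSERT INTO activity(contact_id, note) VALUES (?, ?)",
                   [(1, "Called Alice re: quote"), (1, "Sent brochure"), (2, "Intro call")])
    db.commit()
    return db

def redact_contact(db, contact_id):
    """Option 1: keep the record and its history, overwrite identifiers with dummy data.
    Free-text notes are overwritten too, since they often hold names or contact details."""
    db.execute("UPDATE contact SET name = ?, email = ?, phone = '', erased = 1 WHERE id = ?",
               (f"Redacted contact {contact_id}", f"redacted-{contact_id}@example.invalid",
                contact_id))
    db.execute("UPDATE activity SET note = '[redacted]' WHERE contact_id = ?", (contact_id,))
    db.commit()

def delete_contact(db, contact_id):
    """Option 2: physical cascade delete; child activity rows are removed with the parent."""
    db.execute("DELETE FROM contact WHERE id = ?", (contact_id,))
    db.commit()

def occurrences(db, needle):
    """Verification check: count rows anywhere that still contain the given value."""
    like = f"%{needle}%"
    n = db.execute("SELECT COUNT(*) FROM contact WHERE name LIKE ? OR email LIKE ? OR phone LIKE ?",
                   (like, like, like)).fetchone()[0]
    return n + db.execute("SELECT COUNT(*) FROM activity WHERE note LIKE ?", (like,)).fetchone()[0]

def contact_row(db, contact_id):
    return db.execute("SELECT name, email, phone, erased FROM contact WHERE id = ?",
                      (contact_id,)).fetchone()

def activity_count(db, contact_id):
    return db.execute("SELECT COUNT(*) FROM activity WHERE contact_id = ?",
                      (contact_id,)).fetchone()[0]
```

Neither option touches database backups, so the same check should be run against (or a retention limit applied to) any restored copy.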
Q3: We integrate our ProspectSoft Version 6 CRM to CommuniGator. What does CommuniGator have to say about GDPR?
CommuniGator have lots of useful information about GDPR on their site which is available here.