As a Prospect customer, you are the "controller" of your own data, but as the "processor" we also have responsibilities under GDPR. Being ISO 27001 certified, we are well-placed to meet the new challenges of GDPR but are undertaking several activities to enhance our readiness for GDPR. These include:
As the data controller, you also have responsibilities with regard to the personal data that you store in our platform, how you handle this data and how you keep it secure. Our new Terms & Conditions will set out the minimum GDPR responsibilities that we expect you to live up to as part of our hosting contract with you, but every customer is different and handles different forms of Personal Data for different reasons. As such, it is your responsibility to undertake your own GDPR assessments and set your own policies (while adhering to our terms as a minimum).
The following information should be considered for information purposes only - it is not legal or professional GDPR advice. It offers broad information and answers to common questions based on the key principles of GDPR.
No. | Principle | Description
---|---|---
1 | Lawfulness, fairness and transparency | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2 | Purpose limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3 | Data minimisation | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4 | Accuracy | Personal data shall be kept accurate and, where necessary, kept up to date.
5 | Storage limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6 | Integrity and confidentiality | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. In addition, you have an obligation of accountability for the principles above and for general compliance.
7 | Accountability | The controller shall be responsible for, and be able to demonstrate, compliance with GDPR.
Compliance with most of these principles is more about the policies, processes and training that you put in place than about the specific systems you use. With such a diverse range of customers in diverse industries, it is impossible for us to provide customers with pre-built policies and processes.
Below however is some useful information in the form of common questions asked by Prospect users about our software (or related software) and their own GDPR policies and processes:
Q1: What security should I implement for the CRM data?
You should of course ensure that your users use sensible passwords. Prospect by its nature is available from anywhere on the internet, so password policies and identity verification are much more important than they might be for an internal (LAN) application such as ProspectSoft CRM Version 6 (running on-premise).
Prospect provides a secure but basic user authentication process out of the box. We strongly recommend, however, that your organisation configures SSO (single sign-on) with MFA (multi-factor authentication) in order to ensure a much higher level of security and more centralised control of identity and password policies.
For more information on SSO, please visit our Help Centre here.
Q2: With regards to the right to be forgotten, how do I remove data if requested to do so?
You could tackle this in a number of ways. One option you should consider is to redact your data, i.e. to keep the records in your system but replace all identifiable data (names, email addresses etc.) with unidentifiable (dummy) data. The other common approach is of course to cascade-delete the data. You should consider whether this needs to involve physical deletion rather than merely flagging the data as deleted. You should also consider what your policy is with regard to copies and backups of your database.
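The three approaches above (redaction, cascade deletion, and flagging) side by side, as an added example that is not Prospect's code and uses a constructed two-table CRM schema in SQLite rather than Prospect's real data model:

```python
import sqlite3

# Constructed sample CRM schema (not Prospect's real schema): a contact and its activity history.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                       phone TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE activities (id INTEGER PRIMARY KEY,
                         contact_id INTEGER REFERENCES contacts(id) ON DELETE CASCADE,
                         note TEXT);
"""
PII_COLUMNS = ("name", "email", "phone")  # columns that identify a data subject

def open_db():
    """Create an in-memory database seeded with constructed contacts and activities."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # required for ON DELETE CASCADE to fire
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO contacts(id, name, email, phone) VALUES (?,?,?,?)",
                   [(1, "Jane Example", "jane@example.com", "+44 1234 567890"),
                    (2, "Sam Sample", "sam@example.com", "+44 1234 000000")])
    db.executemany("INSERT INTO activities(contact_id, note) VALUES (?,?)",
                   [(1, "Quote sent"), (1, "Follow-up call"), (2, "Demo booked")])
    return db

def redact_contact(db, contact_id):
    """Redaction: keep the record and its history, but overwrite every PII column
    with a dummy value derived only from the record id, never from the person."""
    sets = ", ".join(f"{col} = ?" for col in PII_COLUMNS)  # column names are fixed constants
    dummy = [f"REDACTED-{contact_id}" for _ in PII_COLUMNS]
    db.execute(f"UPDATE contacts SET {sets} WHERE id = ?", (*dummy, contact_id))
    db.commit()

def cascade_delete_contact(db, contact_id):
    """Physical deletion: remove the contact; the foreign key removes its activities too."""
    db.execute("DELETE FROM contacts WHERE id = ?", (contact_id,))
    db.commit()

def soft_delete_contact(db, contact_id):
    """Flagging only: hides the row from the application, but the PII is still stored,
    so on its own this does not erase the data."""
    db.execute("UPDATE contacts SET deleted = 1 WHERE id = ?", (contact_id,))
    db.commit()

def pii_still_present(db, value):
    """Verification step: does a given identifier still exist anywhere in contacts?"""
    row = db.execute("SELECT COUNT(*) FROM contacts WHERE name = ? OR email = ? OR phone = ?",
                     (value, value, value)).fetchone()
    return row[0] > 0

def activity_count(db, contact_id):
    """How many history rows remain linked to a contact."""
    return db.execute("SELECT COUNT(*) FROM activities WHERE contact_id = ?",
                      (contact_id,)).fetchone()[0]
```

Run `pii_still_present` after whichever method you choose; only redaction and physical deletion make it return False, which is the check to repeat against any database copies or backups covered by your policy.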
Q3: We integrate Prospect to CommuniGator. What does CommuniGator have to say about GDPR?
CommuniGator have lots of useful information about GDPR on their site here.