Q1: Do you have an official GDPR statement?

Yes we do - if you go to our main GDPR page here you can see our official statement. Please be aware that this may be updated from time to time.

Q2: What are the rules for GDPR?

Whilst we cannot provide legal advice on this, there are numerous sites available to help, including the ICO website here, which includes some great explanations and advice.

Q3: We've been advised to remove any personal data in our CRM if they don't opt in to our marketing communications...

Everyone will have a different policy on this, but this does seem to be an extreme position to take. GDPR does definitely require you to have a valid reason for holding the data though - check out this article from our partner CommuniGator which explains this really well.

Q4: What is your Data Breach Response Process and do you have any documentation on this?

We are currently completing our full GDPR policy and are reviewing our ISO 27001 policies to ensure they are in line with GDPR.

Q5: Having created our policy, we have now identified a group of records for which we don't have a justifiable reason to retain. What shall we do about these?

You need to decide if you wish to redact or delete the records, as per your company's GDPR policy. If you wish to delete the data, you can simply use the delete function. Our general recommendation, subject to your own legal advice, is to use the delete function to flag the record, and periodically empty the recycling bin to permanently delete the records. If you're on ProspectSoft version 6 CRM, you can attempt this yourself on small amounts of data manually using the interface, or for bulk updates we would recommend you speak to your Account Manager or our Customer Services team prior to this action as emptying the recycling bin will require some technical assistance/advice. If you're on Prospect 365 however, we are currently looking at the feasibility of using the new bulk actions feature which is part of the product roadmap.

Q6: If I send out an email marketing campaign through my integrated CommuniGator to get my database of contacts to double opt-in and they don't respond, am I still able to email them?

We advise you to refer to CommuniGator's GDPR material on this - we've added a link right here. The ICO also have a page on their website here which may help you clarify the opt-in rules for your business's data.

Q7: If we want to send out an email marketing Campaign, how will we be able to record unsubscribes/opt-ins?

In Prospect 365 CRM, there is an Email flag with 'Yes'/'No' options, and there is a double opt-in within CommuniGator. We are currently reviewing the flag integration and its purpose within the two systems with the CommuniGator technical team.

Q8: Would any data held within a ProspectSoft system ever be processed outside of the EEA?

Our data is either hosted in the EU, or for a very small subset of our suppliers where data is held in the US, we have confirmed that they have a privacy shield in place. We have confirmed that the data they are holding is not highly sensitive personal data.

Q9: Please indicate where subject access requests should be sent with respect to data held within a ProspectSoft system.

For data where ProspectSoft is the Data Controller, we will be providing a GDPR web form for such requests. We would suggest that for data where you are the controller and we are the processor, you provide a similar service as part of your GDPR policy.

Q10: Have you got details of your retention policy as a Data Controller in consideration of any personal or sensitive data about our business or staff as your customer?

We are currently completing our full GDPR policy and are reviewing our ISO 27001 policies to ensure they are in line with GDPR - we will be able to answer this in due course.

Q11: Do I need to do anything with back-up copies of our CRM or accounts data held by ProspectSoft that we have supplied for support or consultancy work?

ProspectSoft will not keep the data beyond the purpose for which it's supplied.

Q12: What should I do if I am asked to delete someone's data?

Exactly what you choose to do depends on your own company GDPR policy and procedures. Simply clicking 'delete' in the application is not necessarily enough as data can be restored. There are two ways customers are currently tackling this - either you can ask our Customer Services desk to purge the data with a script (which would be a chargeable service), or you can keep the data but redact names and personally identifiable data.

Q13: Do we need to delete sales history?

If you delete or redact the data, this won't always delete sales history, although sales history won't necessarily contain personally identifiable data. However, you should review your own sales history data and company GDPR processes to verify this.

Q14: How does GDPR affect my ProspectSoft integrated GatorMail and GatorLeads?

You can find out exactly how GDPR is affecting our partner CommuniGator's core products by reading this article or visiting their GDPR page here.

Q15: How would we cope with a situation where a contact requested to be removed from our database, and then some time later, with GDPR justifiable reason, was re-added to the database and requested proof of the audit trail of the data?

That is a really good question - our records have a creation date and time stamp and there would be a request (with a date) if they were added later with GDPR justifiable reason.

Any Further Questions?

You can submit a GDPR question about us as a Data Controller using the form below. Your question will be anonymised and posted on this page in due course. Please note: if you wish to also be notified when your question has been answered, please provide your email address below so we can let you know.