Prospect CRM

Version 6 CRM customers

As a version 6 customer, you are both the 'controller' and 'processor' of your own data. Your data is hosted on your own network (on your server). ProspectSoft do not have access to this server, except by invitation. 

If you use a hosted network, or if a third party manages your server, you will need to consider whether that third party is a 'processor' for GDPR. ProspectSoft does not however consider itself to be the 'processor' or 'controller'. 

Version 6 customers who have an eCommerce site with ProspectSoft

If you have a website with us, then there is an element of your system that we control, but you still have full control of your data. As such you are the 'controller' of this data. Through managing the datacentre, we are considered a 'processor'.

Our ISO 27001 certification already covers many of the requirements of a data 'processor' and is being updated to ensure compliance with GDPR.

Your use of Version 6 CRM as a data controller

As the data controller, you have substantial responsibilities under GDPR for the data you hold in your CRM. The following information is provided for information purposes only; it is not legal or professional GDPR advice. It offers broad information and answers to common questions based on the principles of GDPR.

Principles relating to processing of personal data (Article 5 GDPR)

1. Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy: Personal data shall be kept accurate and, where necessary, kept up to date.
5. Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, GDPR.

In addition, you have an obligation for accountability to the principles above and general compliance.

Information and Q&A on Version 6 and the principles of GDPR

Compliance with most of those principles is more about the policies, processes and training that you put in place than about the specific systems you use. And with such a diverse range of customers in diverse industries, it's impossible for us to provide customers with pre-built policies and processes.

Below however is some useful information in the form of common questions asked by Version 6 users about our software (or related software) and their own GDPR policies and processes:

Q1: What security should I implement for the CRM data?

You should of course ensure that your users use sensible passwords. Version 6 does not enforce strong passwords; however, the security of your Version 6 data actually relies upon the security of your LAN. If properly set up, the data on your servers is not accessible to anyone who cannot access your LAN, and therefore securing your LAN is the key to your CRM data protection, and to the fifth principle of GDPR. So, in short, to ensure your CRM data is secured, make sure your LAN is secure.

Q2: With regards to the right to be forgotten, how do I remove data if requested to do so?

You could tackle this in a number of ways. One option you should consider would be to redact your data, i.e. to keep the records in your system but replace all identifiable data (names, email addresses etc.) with unidentifiable (dummy) data. The other common approach is of course to cascade delete the data. You should consider whether this needs to involve a physical deletion rather than a flagging of data. You should also consider what your policy is with regards to copies and backups of your database.
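As an added illustration (not ProspectSoft code, and using a constructed stand-in schema rather than the real Version 6 tables), here are the two approaches described above, redaction versus cascade delete, together with a check that the identifiable value is actually gone afterwards:

```python
import sqlite3

# Constructed stand-in schema (hypothetical, not the real Version 6 tables):
# a contact and its activity notes, which reference the contact by foreign key.
SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
CREATE TABLE activity (id INTEGER PRIMARY KEY, contact_id INTEGER NOT NULL,
                       note TEXT,
                       FOREIGN KEY (contact_id) REFERENCES contact(id)
                       ON DELETE CASCADE);
"""

def open_db():
    """In-memory database seeded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # needed for the cascade to fire
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO contact VALUES (1, 'Jane Example', "
                 "'jane@example.com', '01234 567890')")
    conn.execute("INSERT INTO activity VALUES (1, 1, 'Called Jane about renewal')")
    conn.commit()
    return conn

def redact_contact(conn, contact_id):
    """Option 1: keep the record, overwrite every identifying field with dummy
    data. Free-text notes are overwritten too, since they may name the person."""
    conn.execute("UPDATE contact SET name='REDACTED', email=?, phone='0000 000000' "
                 "WHERE id=?", (f"redacted-{contact_id}@invalid", contact_id))
    conn.execute("UPDATE activity SET note='[redacted]' WHERE contact_id=?",
                 (contact_id,))
    conn.commit()

def delete_contact(conn, contact_id):
    """Option 2: physical cascade delete. Unlike a 'deleted' flag, the rows are
    really gone; the foreign key removes the dependent activity rows."""
    conn.execute("DELETE FROM contact WHERE id=?", (contact_id,))
    conn.commit()

def pii_still_present(conn, needle):
    """Verification step for either option: does the value survive anywhere?"""
    pattern = f"%{needle}%"
    count = conn.execute(
        "SELECT (SELECT COUNT(*) FROM contact "
        "        WHERE name LIKE ? OR email LIKE ? OR phone LIKE ?) + "
        "       (SELECT COUNT(*) FROM activity WHERE note LIKE ?)",
        (pattern, pattern, pattern, pattern)).fetchone()[0]
    return count > 0
```

The same verification should also be run against any copies and backups covered by your retention policy, since neither option touches those.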

Q3: We integrate our ProspectSoft Version 6 CRM to CommuniGator. What does CommuniGator have to say about GDPR?

CommuniGator have lots of useful information about GDPR on their site which is available here.