GDPR and Lawful Basis
The General Data Protection Regulation (GDPR) became enforceable by law on May 25th, 2018. As CRM is intrinsically linked to Personal Data, it represents the most appropriate resource for managing and recording activity related to the storage and processing of personal data.
FibreCRM anticipated the impact of GDPR on CRM and, following in-depth research and analysis, feedback from clients and a focused period of software development, has integrated a new module into its CRM product:
The GDPR and Lawful Basis Module
This module is designed to cover two key aspects of the GDPR:
• GDPR Data Management: This aspect of the module facilitates and records activity where an organisation is obliged, by law, to respond to a request from a data subject
• Lawful Basis: The selection of one of the six lawful bases under the GDPR upon creation of a new Lead or Contact, and retrospectively for data subjects whose personal data is already stored within the CRM system.
The guidance notes below are supported by screen shots and are a suitable tool for first-step navigation of (or training on) the new GDPR & Lawful Basis Module.
Objectives of this module are to:
• Facilitate best practice under the GDPR through a framework of “controls” and tools built into the CRM
• Facilitate the recording of a lawful basis for the processing of personal data, for every data subject that exists within the CRM
• Provide information on each of the six lawful bases, to assist the user in reaching a conclusion on which lawful basis applies to the processing of personal data for any given data subject that exists within the CRM
• Provide an audit record/trail to evidence that due consideration was given (by the CRM user) when reaching a conclusion on which of the six lawful bases applies to each data subject that exists within the CRM
• Facilitate amendments to the lawful basis, should the lawful basis change at any given time. For example, where Legitimate Interest might be “replaced” by Consent or Contract, due to a change of circumstance in the relationship between the CRM user and the data subject
• Record requests (by a data subject) for Subject Access, Right to Erasure and Right to Rectification, within the CRM
• Provide a record and audit trail that is both useful for the CRM user, and beneficial in the event of a challenge by the data subject (and subsequently the ICO) that due process under the GDPR was not followed
Adding Lawful Basis to a Record
Hover over Leads and select Create Lead.
For these notes we will focus on Leads, however the same process applies for Contacts:
When clicking on Create Lead, the CRM user is presented with the options below. The intention is for the user to select the Lawful Basis under which the user is creating the new Lead in the CRM. The user can select any of the 6 Lawful Basis options, or select Undecided*. The system provides a brief explanation of each Lawful Basis, to assist the user in selecting.
A report can be created to view those Leads/Contacts that are recorded as Undecided.
*This option is taken at the risk of the CRM user and their employer; FibreCRM is not responsible for a Lawful Basis choice not being selected.
Here the user has selected Legitimate Interest. At this point the system provides a soft-prompt (with a link to ICO advice) to check the user has carried out the Legitimate Interest Assessment, and a final check that this is the correct Lawful Basis for the specific Data Subject:
The standard Lead creation screen:
The user has created the Lead of Miss Demo Client:
Click on Leads and then View Leads, and the user will be presented with a full list of all leads in their CRM:
Click on Miss Demo Client, and the following screen is displayed. Scroll down, and the Lawful Basis details are viewable. A time stamp shows when this record was created. Wherever changes are applied (such as a change of Lawful Basis) a record will be created in the Lawful Basis module:
Hover over All and the user will see 2 new options on the drop-down menu; GDPR and Lawful Basis:
The user has selected Lawful Basis in this example. The user is provided with a full list of Data Subjects for whom a Lawful Basis has been selected (and the type of Lawful Basis). It is possible (when first using the module) that existing Leads and Contacts will not have a Lawful Basis selected. This can be done retrospectively:
The user has selected Demo Client from the list of Data Subjects above. This provides an overview of the Lawful Basis details, including the date created and the date modified (if the Lawful Basis was later changed to one of the other 5):
If the user clicks on Leads on the menu bar, they are presented with a list of all Leads in their CRM:
The user has selected Demo Client, and this takes the user to a new screen which presents new options relating directly to the GDPR module in the CRM. There are some additional tabs to consider at this stage (R2R, R2E, SAR and Lawful Basis). The first 3 represent an option to create a request under the GDPR:
• Right to Rectification
• Right to Erasure
• Subject Access Request
If you click on Actions, the Lawful Basis option allows the user to amend/update/change the current Lawful Basis:
In this instance the user is selecting SAR, as (in this scenario) we will assume that Miss Demo Client has made a Subject Access Request:
The system requires confirmation that this is a deliberate SAR request. This is important, as once confirmed Yes the time stamp is created and (under the GDPR) the DPO will have 1 month to complete the SAR:
When confirmed as Yes, the screen will show (via scroll down) confirmation of the SAR, along with a date and time the request was confirmed:
Click on GDPR from the All drop-down menu:
The GDPR page is opened, and this lists all open GDPR Requests:
When the user clicks on Demo Client, it opens a page showing details of the SAR, including when it was created (or modified) etc.:
The CRM user is now able to identify further detail on the SAR by clicking on Investigate SAR (highlighted above). This opens a new page where the SAR detail is provided, and where the user can also add/attach notes or details/documents in relation to the specific SAR and see when it is due (automatically set at 720 hours, which is the DPO's limit).
This page facilitates a crucial audit trail for the SAR and is replicated for other types of request that a Data Subject can make (R2R and R2E).
The page also provides the user with the options to Delete, Close (and Create New) or Close the Subject Access Request. You can find these options in the Actions drop-down menu. In the example screen below, the user has opted to Close the SAR, and as such the Status has changed to Completed:
Mass Updates of Lawful Basis
The CRM user can apply a Lawful Basis choice to a group of Leads or Clients, through taking the following steps (in this example we will assume the user wishes to mass update a group of Leads):
a.) Click on Leads, this creates the following page:
b.) Click in the Multi-Select Box (shown in blue below). This will Select All on the list of Leads, but only on the first page; if you want to update them all, click on the arrow and choose Select All:
c.) The full list of Leads has now been selected.
d.) Click on the Bulk Action drop-down button. This opens a full drop-down menu; select Lawful Basis.
e.) Lawful Basis has now been selected. This presents the user with the check page(s) to ensure they are selecting the correct Lawful Basis for this group of Leads:
Click Yes to confirm the chosen Lawful Basis (Legitimate Interest in this scenario):
f.) The CRM then asks for confirmation that the user wishes to create a Lawful Basis record for the XX number of leads you’ve selected:
Click OK and you’re done!
The Data Protection Officer “Persona”
Certain actions within the GDPR & Lawful Basis Module are restricted to only the Administrator and/or the DPO (Data Protection Officer) persona.
By default, an Administrator has full access rights and is therefore, in effect, acting in a DPO (Data Protection Officer) persona.
An Administrator can allocate the DPO persona to a general CRM user, by following the steps below:
Hover over Administrator settings, click on Admin and then click on Role Management:
Click on DPO. You will now see the DPO page.
Scroll down to the bottom of the page, and click Select to determine which user you would like to appoint in a DPO persona role:
In this instance we are selecting Tim Pointon to the DPO persona:
The screen will refresh, and Tim now shows as a DPO:
a.) The GDPR & Lawful Basis Module does not (and is not designed to) guarantee GDPR compliance for your organisation (you are the Data Controller, FibreCRM is the Data Processor). It is merely a tool to support best practice and a means of creating a GDPR-focused audit trail for your organisation. FibreCRM is in no way responsible (and cannot be held accountable) for the (perceived or otherwise) GDPR compliance of CRM users (organisations and/or business entities)
b.) The responsibility for GDPR awareness within CRM using organisations lies within said organisations, and not with FibreCRM as the Data Processor
c.) There is an “Undecided” option at the point of selecting a lawful basis for a Lead/Client. Should you/your CRM user(s) choose the option “Undecided”, this should not be interpreted or accepted as meaning that there is “no lawful basis” for processing (as this is not permitted under the GDPR). This option provides an opportunity not to commit specifically to one of the 6 lawful bases at that stage. This feature is intended to provide choice for the CRM user, with the view that they return later to update the lawful basis to one of the 6 lawful bases.
If they do not revise this later, it does not necessarily mean that there is no lawful basis for the processing of personal data, only that the record in the CRM does not show a lawful basis. From a GDPR perspective it is advised that the user does choose one of the 6 lawful bases (either on creation of the Lead/Client or later); however, FibreCRM has not mandated this action in the CRM because the responsibility lies with the CRM user. FibreCRM is not responsible for this action being carried out.