The new GDPR rules in the UK and Europe are fast approaching, so I have put together some information that may be useful to you, along with some thoughts I have about compliance relating to GoldMine. Feel free to share and use this info, and please feel free to add, comment and correct. The new regulations come into force in May 2018 and all businesses have until then to become compliant. I have seen the maximum fines possible, which helps focus the mind on the importance of getting your data protection in order: breaches of the legislation can bring a maximum fine of 4% of annual global turnover or €20 Million (whichever is greater). The information below is not the complete picture but should prompt some thoughts and comments. GoldMine is of course an on-premise solution, so much of the legislation goes beyond the boundaries of GoldMine and you will need to consider the wider picture within your business.
The new legislation really points to 6 main principles that I think should be focused on. Each business must understand and ensure its own compliance in these areas.
- Personal information shall be processed lawfully, fairly and in a transparent manner
- Personal information shall be collected for specified, explicit and legitimate purposes
- Personal information shall be adequate, relevant, and limited to what is necessary
- Personal information shall be accurate and, where necessary, kept up-to-date
- Personal information shall be retained only for as long as necessary
- Personal information shall be processed in an appropriate manner to maintain security
1. Personal information shall be processed lawfully, fairly and in a transparent manner
In any situation where personal information is collected, it should have the demonstrable consent of the data subject. I am pretty sure that opt-in tick boxes will be permitted, but the regulation explicitly prohibits consent by non-action or opt-out boxes.
So in GoldMine you may wish to consider how you mark records for the double opt-in. You may wish to take care of this with your email communication tool; many of the online emailing tools have a preference centre to assist with this. That generally takes care of consent from an email perspective, but processes should also be devised to flag contacts that opt out of any communication. Consider the use of web forms and the GoldMine Web Import, as well as 3rd party solutions such as IntelliClick.
2. Personal information shall be collected for specified, explicit and legitimate purposes
Where personal information is collected, the purpose of its collection and subsequent processing must be communicated to the data subject.
Organisations are going to need to become much clearer with data subjects about what their personal information is going to be used for. With your GoldMine data you should consider internal processes and rules for removing data that is no longer relevant. Also be sure to communicate to the contacts in your database how their information will be used, passed to 3rd parties, etc. Also think about data held by employees: do they have some old spreadsheet on their company laptop that should not be there?
3. Personal information shall be adequate, relevant, and limited to what is necessary
When collecting personal information, the data controller must only collect personal information that is absolutely required for the specified purpose. For example, if collecting personal information to send a magazine subscription, there is no basis for requiring a date of birth. I am pretty sure that holding data such as age and gender would be frowned upon unless you are a gender-specific retailer who targets a particular age group.
With your GoldMine data revisit what information you store about contacts and why.
4. Personal information shall be accurate and, where necessary, kept up-to-date
It is now the obligation of the data controller to ensure, to the best of their abilities, that the information collected is correct. As far as I can tell, the regulation is trying to address situations where processing incorrect personal information may cause distress or harm to data subjects. I am pretty sure this will also be the section that gives the right to be forgotten.
In GoldMine you should have some method of checking and verifying the data you store. Make sure that you also have a process for removing records, or for users to flag records for deletion along with a reason. If you are a B to C business, take extra care with checks such as the TPS or MPS (the Telephone and Mailing Preference Services).
5. Personal information shall be retained only for as long as necessary
All personal information must now have an expiration date applied, appropriate to the purpose for which it was collected. Indefinite retention is unlikely to be tolerated by the supervisory authority.
I think this one is pretty hard to define, and you will need to decide as a business why and for how long you retain information. Perhaps reporting is the key here. Consider generating a report that looks at criteria such as creation date, record type and sales status. Consider a record scoring report or GoldMine dashboard where records that do not reach a particular score are removed. In our database every record that is kept should have a next pending activity, and this activity should be in the future. Old records that have a keep-in-touch call that was never done should be removed, or that call should be done.
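To make the retention rule above (and the "flag for deletion with a reason" process from principle 4) concrete, here is an added example that is not part of the original post or of GoldMine itself. The `Contact` class and the sample records are constructed stand-ins, not GoldMine's own schema; the rule applied is the one described: a kept record needs a pending activity dated in the future, and anything else is reported with a reason so a user can decide whether to complete the activity or flag the record for deletion.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Contact:
    """Minimal stand-in for a CRM contact record (constructed, not GoldMine's schema)."""
    account_no: str
    created_on: date
    record_type: str
    pending_activity: Optional[date]  # next pending activity date, None if nothing scheduled


def review_record(contact: Contact, today: date) -> Optional[str]:
    """Apply the retention rule: a kept record must have a pending activity in the future.
    Returns None when the record passes, otherwise the reason to attach to a deletion flag."""
    if contact.pending_activity is None:
        return "no pending activity: schedule one or flag for deletion"
    if contact.pending_activity < today:
        overdue = (today - contact.pending_activity).days
        return f"pending activity {overdue} days overdue: complete it or flag for deletion"
    return None


def retention_report(contacts: List[Contact], today: date) -> List[Tuple[str, str, str]]:
    """Return (account_no, record_type, reason) rows for records needing action,
    oldest record first so the longest-held personal data is reviewed first."""
    rows = []
    for contact in sorted(contacts, key=lambda c: c.created_on):
        reason = review_record(contact, today)
        if reason is not None:
            rows.append((contact.account_no, contact.record_type, reason))
    return rows


# Constructed sample data; the review date is fixed so the output is reproducible.
REVIEW_DATE = date(2018, 5, 25)
SAMPLE_CONTACTS = [
    Contact("A001", date(2017, 3, 1), "Customer", date(2018, 6, 15)),  # future call: keep
    Contact("A002", date(2014, 9, 9), "Prospect", date(2016, 1, 4)),   # keep-in-touch call never done
    Contact("A003", date(2016, 2, 2), "Prospect", None),               # nothing scheduled at all
]

if __name__ == "__main__":
    for account_no, record_type, reason in retention_report(SAMPLE_CONTACTS, REVIEW_DATE):
        print(f"{account_no} ({record_type}): {reason}")
```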
6. Personal information shall be processed in an appropriate manner to maintain security
This is the principle that has attracted the most focus, for it requires data controllers and processors to ensure that their systems maintain the confidentiality, integrity and availability of data processing systems. I am pretty sure that this is to ensure companies protect the data they hold from theft or misuse by others.
Address how you access data and make sure that you comply. Do you use remote synchronisation of GoldMine and therefore hold data on a laptop? If so, how are you protecting the data on that laptop if it is stolen? Consider encryption tools or other methods of accessing GoldMine. Transferring data from one place to another should be encrypted or protected in some way. What spreadsheets do employees hold, and are those protected?