Personal data is valuable, and it’s easier than ever to obtain. Since the onset of the digital revolution, consumers have made it very easy for companies to sweep up a great deal of data about themselves and their activities.
While all this data has been a boon to companies’ sales and marketing efforts, it’s created some bad corporate habits. While some companies are open about their data practices, many seem to operate under the motto: “it’s better to ask for forgiveness than permission.” Some of the biggest companies in the world keep their users in the dark about how personal data is used and they often collect data they have no immediate use for, reasoning that it might be valuable in the future.
This leads us to CRM. What does a CRM system do? It captures and organizes data about a company’s customers. The company uses that data to build better business relationships and to improve the experience they offer to their customers. That’s the premise, anyway.
With so much personal data being collected, stored and accessed inside the system, you really need to trust your CRM vendor.
Openness and integrity have long been SugarCRM core values. Data privacy has always been a key functional area in which we have invested heavily, and that has helped us stand out when talking to potential customers. Helping our own customers manage the personal data of their customer base in a responsible way builds trust. And trust is the catalyst for a productive business relationship.
That’s why we see data privacy in general, and GDPR in particular, as an opportunity. It’s not just about meeting regulatory compliance. It’s an opportunity to help the organizations around the world that rely on Sugar implement best practices for data privacy into how they do business. It’s an opportunity for SugarCRM customers to build a relationship based on trust and transparency with their own customers.
This is why we are excited to be putting the finishing touches on a series of data privacy and data protection enhancements for both our Relationship Management and Relationship Intelligence product lines. These new features will help companies that use SugarCRM products carry out their data privacy responsibilities as solid corporate citizens (and enable GDPR compliance along the way).
Data privacy-related functionality is planned for general availability in the Spring ’18 (Sugar 8.0) release of Sugar and will be included in all editions and for on-premise, cloud and OEM customers. This release is expected to be available at the end of April.
Before you go any further, if you’re just getting caught up on GDPR, you may want to review our recent blog post on GDPR definitions.
Enhancements Related to Data Subject Requests
Recording Data Subject Requests – In Sugar 8.0, we are adding a new Data Privacy module. This module is sort of a command center where Sugar users can manage certain requests by customers related to data privacy. The module will also serve as a record of actions taken to address those requests.
This Data Privacy module will be configurable just like any other module. Out of the box, the module will be related to the leads, contacts and targets modules; it can also be related to all other modules, including custom-created ones.
Right to Erasure (Right to be Forgotten) – This is one of the most talked-about portions of GDPR. Every person with an email account has experienced continuous emails from a company that they haven’t done business with in years. GDPR allows consumers to request permanent erasure of some or all of their data from a company’s databases, and in turn put a stop to marketing communications.
When a right to erasure request comes in, it can be logged in the Data Privacy module. To help with these requests, we are adding a new Sugar admin role called Data Privacy Manager (DPM). Organizations can assign one or more designated Sugar users to this role. The DPM will be able to review requests and mark records for erasure. They may also select specific fields containing personally identifiable information (PII) for erasure rather than erasing the whole customer record. Once the DPM completes the erasure process, the selected PII fields will have their values removed. We will also remove the personal information from the audit logs.
Right to Access – GDPR entitles a person (i.e. a data subject) to request access to the personal data that a company has on file about them. In response, we are planning to introduce a Personal Information Log (PI Log) feature. The PI Log captures a snapshot of a subject’s latest personal information and the source from which the data came. The contents of the PI Log are then sent to data subjects when they request access to their personal data.
In Studio, admins will define which fields in a record are considered PII (Personally Identifiable Information). The PI Log will then display those PII fields.
Right to Object to Processing – People may object to the processing of their personal information by a company. For instance, a company may be marketing to a person who is not yet a customer. That person can object to being part of those marketing campaigns. In this case, the records in Sugar will be marked by a customer service agent so they are not available for processing.
Sugar users will be able to add a custom flag to a customer or lead record that says this record is not to be processed or used in profiling for automated decision making. This field can then be used as a filter in campaigns, reports or other business processes.
Enhancements Related to the Lawfulness of Data Processing
Managing Consent – With Sugar 8.0, organizations that manage customer data (data controllers in GDPR speak) will be able to manage the process of a person providing “consent” to the storing and processing of their personal data. Consent-related fields can be added to the leads, contacts and targets modules in Sugar. Sugar customers will also be able to leverage these consent-related fields in web-to-lead forms to manage consent flags from individuals.
Consent can also be withdrawn by the data subject. All changes to consent over time will be tracked in the Data Privacy management module.
Opt-in Policy – In the past, Sugar’s default policy for collected email addresses was “opt-in,” meaning they immediately could be used for email communications. GDPR changes all of that. It requires that collected email addresses be placed in an “opt-out” status initially. Emails can only be sent when the individual opts in.
In Sugar 8.0, a new global setting will be added where admins can specify whether new email addresses should default to opted-out or opted-in. Here’s why we give you the option: if a customer is based in the USA, you may want to make opt-in the default. If the customer is based in Europe, they definitely need to be defaulted to opt-out. Organizations that are 100% confident they are not subject to GDPR regulations can set the global default setting to opted-in.
Further, if an email address is set to opt-out, a clear visual indicator will be provided wherever the email is displayed in Sugar. Individual users can still send business-related emails to their customers, but these customers should not be included in email marketing communications.
Data Minimization – Businesses should only process data that is relevant to their business purposes. We understand the temptations of “more is better,” but good data privacy practices mean that personal data that is not relevant should be removed. These unneeded fields can easily be removed via Studio (Sugar’s configuration console for admins).
We’ve talked a lot about GDPR in this post, but it is important to remember that GDPR is just the beginning. We expect many other countries around the world to enact similar rules or laws in the future. With Sugar 8.0, our goal isn’t to make product enhancements just so organizations can get in compliance. Rather, we are dramatically improving the breadth of our data privacy features, so our customers can be ready no matter what legislation comes their way. Our goal is to help our customers build productive, trustworthy relationships with their customers.
(Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only.
This material contains forward-looking statements relating to SugarCRM’s expectations and plans regarding our products. These statements are based on the current expectations and beliefs of SugarCRM’s management as of the date this material is issued.)