At Clarity Software, we are committed to delivering a product and service which helps our customers adhere to the new GDPR regulations. A couple of months ago, we published an article introducing the six key areas of the GDPR – from a Clarity perspective. We recommend that you give this a quick read before diving into this update. Since our last article, we’ve held a number of intensive workshops – involving the developers, support team, product managers and account managers for Clarity Software. We took each of the six key areas of GDPR: Consent, data portability, customer requests for data, the right to be forgotten, documentation you must hold and the procedures for a data breach, and came up with ways Clarity Software could help to support your GDPR compliance – both with additional functionalities to the software and recommendations. Before we explore these in more detail, please be aware that although we are will do everything we can to help, any recommendations contained in this article do not constitute legal advice. To ensure you are fully compliant, please seek specialised legal advice. What this article covers: What is PII? What could be kept in Clarity that is PII? What is not considered PII? What are data controllers and data processors? New software functions to support compliance Recommendations for Clarity users to support compliance What is PII? One thing that is absolutely key to understand, is the type of data covered by the GDPR. This data is known as Personally Identifiable Information (PII). It refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for making anonymous data non-anonymous can be considered PII. What could be kept in Clarity that is PII? Standard fields: Name Role Direct phone number / mobile number Personalised products (for example business card details or a photo of someone to be printed on merchandise) Email address City Fields you may have added: Car registration Date of birth Family details Birthdays, anniversaries, holidays Hobbies Of course, name, role, company and contact details will be in your contact cards and quotes, while birthdays, family details and hobbies may also appear in your activities and notes. Perhaps if you’ve made a note to ask a customer about an event or holiday on your next call with them. If you’re not sure if something is PII or not, ask yourself ‘could this information potentially be used to identify a specific individual?’ So a company name is not PII, but along with a role, it could be. What is not considered PII? Items on quotes (as long as the product isn’t personalised) Information about products Company name Company address Non-personal company email address (such as info@ or hello@) Non-personal company phone number Any information that cannot be used to identify an individual What are data controllers and data processors? A data controller is a person or company that determines the purposes for which and the manner in which any personal data are to be processed. In relation to your business holding your customers’ data in Clarity, you are the data controller. A data processor means any person or company that processes the data on behalf of the data controller. As we do not have access to the data you hold in Clarity, or conduct any processing of this data, it’s important to note that we are not data processors. New software functions to support compliance Mandatory fields to capture and record consent Under the GDPR you must keep a record of when a customer gave you consent to process their data and contact them, the method by which you obtained the consent, the type of consent given and exactly what you told your customer. To help you achieve compliance, we will be introducing the following mandatory fields to our contact cards before the end of May this year: Date consent given Method – for example: ‘checked box on email’ Consented to contact by (multi-select checkboxes) Email Phone Mail SMS Custom field Content type – example options given but will be customisable in the system (multi-select checkboxes): Promotions Newsletters New products Consent version – this should be the version number of the privacy statement read by your customer when they gave consent. It is up to you to write a privacy statement in which consent is specific, freely given, informed and unambiguous – and to ensure that you maintain a record of the exact wording (hence the version number captured by the contact card). All fields will default to mandatory and consent will default to opted out within Clarity. Contact lists to automatically filter based on opt-in or opt-out When you create a segmented list of contacts – for marketing purposes for example, Clarity will automatically filter out any contact that has opted out of the method or purpose for which the list has been created. Recommendations for Clarity users to support compliance By its very nature as a CRM system, Clarity Software is a highly useful tool in maintaining records on the personal data you hold on your customers, keeping it up to date and moving or erasing it on request. Our first article on the GDPR includes a number of ‘how tos’ when it comes to obtaining consent, responding to customer requests for data and deleting contacts. In addition to this, we recommend the following: Following the removal of personal data in response to a customer requesting the deletion of their data, you can keep any quotes in the system through a process of anonymization – which is basically keeping the items and costs but deleting the company address and contact details. If you would like details on how to do this, please contact us on +44 (0)121 248 2448. If a customer requests their data, you can export the information in a contact card in a CSV format. If you also have PII recorded within your activities, quotes or notes, please contact us as early as possible for us to export this data. The same applies to the deletion of PII in activities, quotes or notes. You must apply passwords for every user of Clarity in your business. As an additional layer of protection, you should encourage all users to set their monitor to sleep after a certain amount of inactivity. Don’t forget… You must obtain valid consent for data collection and clearly state how you will process and use the data. Your customers have a right to access their data at any time and to check how it’s being stored and used. You will need to provide this within a month and free of charge. If you discover that personal data is inaccurate or incorrect, you must update it within 20 days. A customer can request for his/her data to be deleted if they believe that ‘personal data is no longer necessary in relation to the purpose for which it was originally collected’ or if they withdraw consent. In an event of a data breach, the relevant authority has to be informed within 72 hours. This article does not constitute legal advice on how to comply with GDPR. We encourage you to appoint a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.