GDPR - A practical view on legal ground(s) for processing personal data
Under Article 6 of the European Union's GDPR there is an obligation to ensure that you have lawful grounds to process personal data.
The regulations define six legal grounds for processing personal data:
1. Consent given freely and unambiguously by the data subject
2. Processing is necessary for the performance of a contract to which the data subject is a party
3. Processing is necessary for compliance with a legal obligation of the data controller
4. Processing is necessary to protect the vital interests of the data subject
5. Processing is necessary for the performance of a task carried out in the public interest
6. Processing is necessary for the purpose of legitimate interests pursued by the data controller or third party, except where such interests are overridden by the interests or rights and freedoms of the data subjects
Organisations need to know on what ground(s) they are processing personal data and they need to maintain relevant documentation on processing activities.
As CRM solutions tend to be the data hub for customer and prospect information, CRM is the obvious place to record legal ground(s) and other processing data information.
At Workbooks, we have gone all out to support our customers in addressing this aspect of GDPR. We have reviewed how CRM could enable organisations to meet some of the new legislation requirements and we have created a ‘compliance record’.
Workbooks Compliance Records
Compliance records are a new Record type in Workbooks that is related to People & Lead records. From a Compliance record you can:
- Record the legal grounds e.g. Consent.
- Record the start and expiry date of Consent. (Best practice when using consent is to expire it after a reasonable period - the ICO in the UK recommend 2 years.)
- Record what the purpose of Consent was. E.g. Consent to process the data to receive details of a specific product or service.
- Record the method by which Consent was obtained. E.g. Web form, phone, etc.
- Add attachments so you can store additional information or upload screenshots or images if appropriate.
Compliance records have been given statuses of True or False: True for when their compliance is active and False for when inactive. For example, if you have a Compliance record that shows that consent was given, but it has since expired or was revoked by a User, then the status of the Compliance would change from True to False.
It is possible to have multiple Compliance records against a Person or Lead Record. This records a history of compliance you have been given, with the most recent record taking precedence. The Status of these can be seen on the Person or Lead Record (see below).
You can of course report and segment based on the information stored in the compliance record. For example, you can create mailing lists within Workbooks that contain only the People or Leads that you are able to demonstrate compliance for.
You can also tailor the Compliance record to your own processes by adding Custom Fields etc. And if you are not using Workbooks CRM, you can take a similar approach using custom objects or fields.
We recently ran a webinar to discuss lawful grounds for processing data and how to track and remain compliant. To access the recording, click here.