Under Article 25 of the GDPR there are obligations to ensure personal data is adequately protected. Under Article 28, as the controller*, you have the obligation to ensure that data processors** (for example, subcontractors who may be processing personal data on your behalf) have the right technical measures in place to protect that data.
For many organisations, CRM is used to record a large amount of information relating to people, organisations, suppliers, cases, emails, transactions etc. All this information is stored in one platform, which makes CRM the obvious place to implement processes to help you be compliant with GDPR. Let’s show you how.
The time to act is now!
It is imperative that you have procedures in place to review your suppliers and that you can evidence that you have been assessing those suppliers regularly. CRM is an ideal tool to help you manage that. You can keep track of suppliers’ information and manage your supplier assessment process through simple workflows.
By May 25th 2018, you’ll need to know who your suppliers are and whether they have been assessed as ‘fit for purpose’ to manage personal data on your behalf. In Workbooks CRM you can keep track of all your suppliers on ORGANISATION records, which means you have all the relevant information in one place instead of in a jungle of spreadsheets or paper. You are able to tailor the organisation record to include information that will ultimately help you keep track of your supplier assessment, such as GDPR data processor status, what type of data they are processing (if any), duration of processing, approval status and when the next assessment should be.
You can then use an ACTIVITY record in Workbooks to help you keep track of the progress of those assessments. You can attach files as evidence of their compliance and create reminders for when the next assessment is due, making sure you remain compliant over time.
For management it is important to have a real-time overview of the supplier management process. By creating a simple dashboard, you are able to see approved suppliers and when their next review is due, colour-coded by their assessment status.
You can easily identify suppliers that are awaiting review, enabling you to prioritise and ensure that you remain compliant at all times. It helps keep you on track and ultimately ensures you can evidence to your customers or the ICO the processes you have in place, should you need to.
The GDPR specific fields and processes presented in this blog can be configured by customers themselves or you can contact us to leverage our GDPR packaged services where we’ll do all of the set-up for you.
We recently ran a webinar to discuss Supplier Assessments, Data Subject Access Requests and Data Breaches in the context of GDPR. To access the recording, click here.
*data controller: means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
**data processor: in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
For more detailed information on data controller and data processor, click here.