Assessment of SuperOffice CRM compliance by DLA Piper
Our products have all undergone external reviews to confirm that our products are functioning according to, and supports the GDPR requirements. Below you will find the results of an audit that the global law firm DLA Piper has made on behalf of SuperOffice. The report looks at the requirements set out in the GDPR and evaluates how the SuperOffice products support the various requirements from a practical and legal perspective. The main conclusion confirms that SuperOffice is compliant and have taken all measures necessary to meet the GDPR requirements.
You can read the report here; DLA Piper review of SuperOffice CRM.
As you surely are aware – the “R” in the term CRM stands for “Relationships”, and relationships only exist between people.
To maintain relationships, a CRM system typically contains information about customers and people in some way related to a company, as well as a history of activities of the marketing, sales and service teams. Moreover, in a CRM system, quite a lot of data about persons is registered in different ways and in several contexts.
SuperOffice CRM is designed to assist you in staying compliant with the GDPR legislation in the ways you store and process (use) private data in your CRM system. By using the built-in privacy features in SuperOffice, you will be guided to process personal data of your customers and prospects in a lawful way.
Many businesses today consider personal data to be the “new gold”. Secure storage, lawful collection of personal data and providing privacy data lifecycle management is vital to today’s and future productive and modern ways to do business.
Access to personal data about relations, transactions, digital footprints, etc. is the foundation for an intelligent and personalized automation. By analyzing personal data and turning results into actions, you will be able to automate many of your marketing, sales and customer service processes. Therefore, it’s no surprise that most businesses today consider process automation to be a pre-requisite for running a successful and competitive business in the future.
This section provides an overview of what new functions are implemented in SuperOffice CRM to support the users and administrators of the system when dealing with privacy data. The section also describes how the SuperOffice Product Development team has implemented the principle of Privacy by Design in all phases of product development.
1. Privacy by Design
It is a requirement in GDPR that products containing (storing and using) personal data, must take privacy into consideration when product designs are made. This means that the design of the product must ensure that the storage and usage of personal data are in line with the GDPR legislation.
In addition, the product should not in any way prevent the company, its customers or an individual person from exercising their obligations and rights that come with GDPR. We highlight this requirement because systems that are not being designed for privacy very often will, as a result, prevent required access and insights to personal data.
Our goal in SuperOffice is not only to “be GDPR compliant”, but also to make the way our customers collects and uses personal data as easy as possible.
SuperOffice has always had a strong focus on usability, and we can clearly see now that our existing core functionality allows us to easily implement the new privacy management features in our products.
Every day the users of SuperOffice, who work in sales, marketing, customer service or in any other role, have other things on their minds when it comes to their job. Let’s admit, being “GDPR compliant” is not going to be a priority for those trying to do a good sales or marketing job every hour of every day. That’s just how it is. And we understand this.
The SuperOffice ambition is to guide and help users of SuperOffice CRM to collect and use CRM data in the way that automatically protects privacy. That is why we have built automation and control into our product to assist the users.
The new rules are partly GDPR-related and partly defined by the company itself and are called “Privacy Settings”. In this way, the users of SuperOffice CRM can basically keep on working in their normal and efficient way without having to deal with time-consuming or complex “privacy issues”. What we want to achieve is to not only provide legislation compliance, but also to offer a good user experience.
The first step in building an application that supports key GDPR requirements is to create a specific mind frame at the stage of software development that ensures that all aspects of privacy management are taken care of.
The key idea here is that privacy is not something that is added onto an existing application, but something that’s inherently built into the core architecture and functionality. In the same manner, as we are designing technical security, performance, stability, and usability, we are now also putting our attention to how personal data is actually stored and managed in SuperOffice CRM.
We are very proud that this Privacy by Design focus is built into all phases and processes of our software development and has become an integral part of our development culture.
2. Privacy Rights Management
At the center of the new regulation (GDPR), you will find a set of basic rights given to individuals that protect their private lives and control the use of the digital traces they leave behind when using internet-based applications and services.
These rights are meant to create openness, offer control and build trust between the persons giving away their data and the company using it for a specific purpose.
SuperOffice CRM offers dedicated functionality to support the fulfillment of these rights. Sometimes this is also referred to as “Privacy Data Lifecycle Management ” and it means that SuperOffice will protect and manage personal data from the time it is created in SuperOffice until it is deleted or removed.
All personal data must be stored in a secure way. It should also be accessible on request by individuals, as well as managed and used according to the company’s Privacy Policy. When a justified need for storage and/or use is no longer present, the personal data shall be automatically deleted or anonymized. How SuperOffice supports these rights is described in more details later.
3. Consent Management
According to GDPR, you must always have a defined purpose for collecting information about persons. A purpose must be supported by a legal basis. For every person you store in your CRM system, you must provide documentation about the purpose and the legal basis for doing it.
The legal basis is found in GDPR Article 6 that lists 6 different legal grounds (a-f). In some cases you also need to collect and document consent from each person for specific processing and communication purposes. Here are a few examples of such purposes: sending marketing emails, sharing personal data with other companies, collecting data from other sources, tracking a person’s behavior on your website, profiling, etc.
SuperOffice offers data fields on the Contact Card for documenting the purpose, legal basis, source, when the data was collected and by whom. SuperOffice CRM will, of course, help you set these fields automatically when possible.
On each person, you are able to specify what legal basis you have for all your purposes:
- Purpose (e.g. direct sales, marketing, contractual obligations, profiling, etc.)
- Legal basis (GDPR Article 6)
- When (the date this legal basis was set/updated)
- Updated by (e.g. the person who entered the contact to CRM, another SuperOffice user, another system.)
- The source (e.g. via a web form, an email, a service request, imported from ERP, manually registered)
To make sure that you process data in a GDPR-compliant way, some features in SuperOffice CRM will by default only be executed if a documented legal basis is set for a specific purpose. For example, mailings will only be sent to persons with a registered and valid legal basis, which, in practice, is a consent to be sent marketing messages.
In the new Privacy Center in the Settings and Maintenance module, you are able to centrally define and maintain:
- List for purposes and legal bases that your company have defined.
- Default legal basis to be set when a new person is added to the system.
- Activate the possibility to automatically send an email to ask for marketing consent when a new person is added in SuperOffice CRM.
The possibility to set the legal basis for different purposes is also available through an API. This functionality allows you to share and collect legal bases through integrations with other systems.
4. Subscription Management
In line with the GDPR requirements, only persons who have given their explicit consent to receive mailings from you will be handled in the Mailing module in SuperOffice (this can be overridden, but at your own risk).
We have expanded the possibilities to set preferences on content for each person in SuperOffice Mailings. This means that each contact in your CRM database can now set his or her own preferences about receiving content and either opt in or opt out from certain types of communication. This feature is available in the links in emails (“Maintain my subscriptions” link) or in our Customer Center.
For example, this feature will allow a person to say: I do not want to receive emails about “Product news”, but I would like to receive “Invitations to events”. This comes in addition to the possibility to fully opt out of all mailings.
Here is how it works. In the module called ‘SuperOffice Forms’, you will be able to define and design web forms that can be placed (embedded) on your web page or triggered from a link in an email you send to your contacts. These forms will help you collect data from visitors to your website and ask them for a consent to all purposes you need. The data collected in these forms will update your SuperOffice database directly and automatically.
This is a great and helpful functionality for collecting consent for marketing subscriptions.
5. Access Control in SuperOffice
5.1 Confidentiality and Integrity
GDPR clearly defines what confidentiality of personal data should mean to software vendors – keeping personal information protected from unauthorized access.
The SuperOffice Access Management module is enhanced to cover private information of data subjects in all CRM fields. Meaning that you can now configure the standard SuperOffice data authorization system to protect private data in your database from any unauthorized access. You are able to assign security and accessibility levels using the following features in SuperOffice CRM: roles, rights, visible for and security plugins.
5.2 Privacy by Default and Access Rights
GDPR requires that the “Privacy by Default” principle is applied to all data processing software. This means that all personal information should not be shared or distributed unnecessarily, and that the strictest privacy settings should automatically apply. GDPR demands that software systems should block unauthorized processing of data.
For example, CRM users who are not in the marketing team should not be able to send mailings. SuperOffice CRM makes it easy to set up such restrictions, using roles and function rights.
SuperOffice CRM can block sharing of sensitive personal information via roles, so that only authorized users can see the information, while unauthorized users cannot. For example, your secretary may have access to a person’s address and phone number, but their bank account number will be blocked from view.
Privacy by Default also implies that personal information should only be kept as long as it is necessary. When a relationship with a customer ends, any related personal information should be deleted.
To meet this requirement and the GDPR “right to be forgotten”, SuperOffice can automatically classify customers and remove expired personal information. You are able to define a retention policy for how expired personal information should be handled.
6. Incident (breach) Management
GDPR mandates that personal data incidents are reported and handled promptly. That is why it is paramount to have an incident management plan encoded in the data processing software.
SuperOffice Service system can set up a plan for handling incidents and notifying the affected people. In fact, our Service module delivers “Incident Management” functionality out-of-the-box as part of the SuperOffice Service user plan.
An incident can range from small – a mis-addressed email containing personal information, to large – unintended exposure of all personal information.
Detecting the incident is outside the scope of what SuperOffice can handle. However, people outside your organization will often report incidents. Incident reports can get easily lost in a busy inbox, until they appear on the front page of your local newspaper.
And this is where SuperOffice can help you: the request management system in SuperOffice Service can help you catch and track these incident reports.
Our incident management system tracks what is being done, who is affected, and makes sure you fulfil your GDPR obligations. If a breach involves sensitive personal information, you must notify the persons affected, as well as the authorities. And SuperOffice Service can help you perform these steps with due diligence.
7. Migrating Existing Data into “GDPR Compliance”
All companies that start their journey towards GDPR compliance face the same dilemma: What are we going to do with our existing database that contains information on customers and prospects?
To meet GDPR requirements, companies have to come up with a way to migrate their existing data into such a state where all the data is stored and handled according to the new regulation. And if there is private data in their database today, that is no longer allowed to be there according to GPPR – the companies need to clean it all up.
Those who already use SuperOffice CRM will have to “migrate” their database to the latest version of SuperOffice that will provide additional database fields and functions to ensure integrity, confidentiality and availability – according to GDPR requirements. The latest version of SuperOffice CRM provides tools for analyzing your existing data and converting it to the new GDPR-ready structures.
Every business is different in the scope of their activities, and so is every business’ customer database. Companies have their own privacy rules and policies that affect the way they do business and collect information. That is why, SuperOffice CRM offers flexible tools that could be to a large extent standardized and automated.
Moreover, SuperOffice offers consulting services and works according to a best practice implementation method, helping our existing customers to migrate their existing SuperOffice database into a GDPR compliant state.