While we are all still waiting on the ICO’s formal codes of practice for GDPR compliance, there is enough already known for us to bring out some new functionality which will assist in ensuring compliance.
1. Grouping for Data Privacy
A major theme for GDPR is “privacy by design.” Even under the current regime, the ICO has brought several prosecutions for the inappropriate access of information by “rogue” employees. What changes with GDPR is that now your organization’s processes and systems are expected to be designed with this in mind from the outset, and your organization could be liable if not.
Most CRM and customer data systems use an “all-or-nothing” approach to access control, where an entire data record for a single person is made accessible or not. The challenge is that since almost all front office employees need at least some access, this typically defaults to a more permissive set of access than is strictly necessary or a siloed approach of independent systems with duplicated data for an individual.
SalesSeek data groups enable particular sets of information to be independently permissioned. This means for example that John Doe’s email address could be visible to sales, marketing, and support personnel, but their credit rating might only be visible to sales and finance. It’s a key requirement for “privacy by design”.
2. Element level source auditing
Whilst this is an area awaiting further clarification from the ICO, there does seem to be a common sense distinction being made between public domain data (e.g. what a person has published on LinkedIn as an example) versus data submitted by that individual, usually for a specific use (e.g. their age for an insurance price), versus data sourced elsewhere, possibly of questionable provenance (e.g. a bought-in email list). To this end, it’s important to understand not just at the record level where the information came from, but at the individual data element level.
For example, you may need to audit and understand all the information provided by a third party such as a credit agency, even though this only refers to parts of a person’s record, not the entire record itself. External data dictionaries add complication, cost, and scope for errors. By integrating a field origin source directly into the SalesSeek database, you will be assured of its accuracy and integrity.
“Right of erasure” is another important feature of GDPR, but will be source specific, since public domain data cannot be logically required to be deleted. This remains an area awaiting more detailed guidance from the ICO.
3. One touch data portability with redacting
GDPR introduces the right for data portability, and places limits and expectations on time scales, reasonableness, and costs. In general, most customer data systems hold blended content, some of which is provided by the customer personally (e.g. date of birth), and some of which is mainly comments and opinions by the organization themselves, such as account plans and upsell suggestions. Even individual items such as support tickets contain communications between the customer and the organization as well as sensitive team comments not meant for the customer (e..g “this client is being really difficult…”). We talk more about this in our recent article.
SalesSeek is in direct dialog with the ICO to understand the specific codes of practice here, but in general it is clear that in addition to providing a simple way to extract in both human and machine readable form all of a person’s data, there also needs to be a way to redact some of that data subject to commercial confidentiality. We will be introducing functionality that not only supports a “one-button” download of a person’s data, but also the ability to tag as “private notes” data that should be excluded from that export.
SalesSeek customers can rest assured we will be at the vanguard of GDPR compliance both by directly engaging with the ICO and introducing supporting functionality.