Jetpack CRM and GDPR

Last Updated – 22nd May 2020

What is GDPR?

GDPR stands for General Data Protection Regulation. It is the new regulation enacted in 2018 that affects anyone in the EU. Similar regulations can be found around the world.

GDPR impacts ANY website that might be touched / visited / interacted with by someone from the EU.

Yes, that means YOU.

Jetpack CRM and GDPR

Part of the good news about Jetpack CRM is that we personally are not responsible for  the data you hold in your CRM. That lies with you. While this may make you think there’s more work because you “host your own CRM” in essence even with just having your own website – you’ll (probably) need to comply with GDPR anyway.

If you’re thinking, man, I don’t want to have to comply, let’s shift operations to an online SaaS CRM that has to comply (and not me) well, then again you’re most likely wrong.

You’ll be either a data controller or a data processor irregardless of who hosts your CRM (you or someone else).

A controller is “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you are currently subject to the UK’s Data Protection Act, for example, it’s likely you will have to look at GDPR compliance too.

Privacy Concerns

I’m sure you’ve seen the news about Facebook and Cambridge Analytica – trusting your data with a “big online company” means you don’t have the control that you do while running your own data. However, through using Jetpack CRM you’ll be self hosting your data, and as such you’ll be a data controller (and processor).

This is true regardless of where your data physically sits. If you were tempted to use an “online” CRM like Zoho, then you may think you’re free of the rules and it’s up to Zoho. Wrong. You’ll still be controlling and processing data – you’ll just be doing that on their platform rather than your own.

So, wherever you host your CRM you’ll need to be aware of your duties with GDPR.

Hosting your own CRM means you have more control over this and importantly only have yourself to blame about any breaches (vs a 3rd party company who houses your data, selling it out – like Facebook allowed).

Our Handy GDPR Checklist

We have sourced a checklist* for “GDPR” and have added comments in bold as to how you can comply with this, while still using Jetpack CRM.

Your data

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it – This goes wider than just your CRM, although you can directly see your lists of data in the CRM (contact view, invoice view, transaction view). We also maintain the Date Added and also the “Date Last Contacted”. It’s up to you do define how long you keep the data (and what you do with it)
  • Your company has a list of places where it keeps personal information and the ways data flows between them – Perfect, just like above, the CRM has the list of places and you’ll be able to see the way data flows. For example, if you use Jetpack CRM and Gravity Forms with our Connector to collect leads, then those leads you automatically add to your MailChimp list then you have the following flow
    • Website (Data captured via Gravity Form)
    • Data flows into Jetpack CRM via the Form (and stored)
    • Data then flows over to MailChimp for email processing
  • Your company has a publicly accessible privacy policy that outlines all processes related to personal data.  – If you have a privacy policy already, then great. If you don’t then you can use a template from here. You can view our own policy here.
  • Your privacy policy should include a lawful basis to explain why the company needs to process personal information – Covered by above.

Accountability and management

  • Your company has appointed a Data Protection Officer (DPO) –This one is easy to put in place, but then make sure they understand their duties.
  • Create awareness among decision makers about GDPR guidelines – This is a general team / company / Entrepreneurial standpoint.
  • Make sure your technical security is up to date – This includes your extensions and any plugins that you’re using. If you’re not up to date, then the risk is on you and you could be in breach of the regulations.
  • Train staff to be aware of data protection –  Take a course on it or read a book 🙂
  • You have a list of sub-processors and your privacy policy mentions your use of this sub-processor – See what “Jetpack CRM Uses” here.
  • If your business operates outside the EU, you have appointed a representative within the EU.
  • You report data breaches involving personal data to the local authority and to the people (data subjects) involved – If you do suffer a breach, then you need to report it. There’s plenty of guides on what to do in your region. Google a guide for your locale. We don’t list them here.
  • There is a contract in place with any data processors that you share data with – i.e. you have agreed to their T&Cs and read their privacy policy too.

New rights

  • Your customers can easily request access to their personal information – through Jetpack CRM you can easily connect your CRM notes with a contact form. So any access request attach to the record and then providing the data is super easy.
  • Your customers can easily update their own personal information to keep it accurate – this is super easy with Jetpack CRM and the Customer Portal. They can login and update their details from the  portal easily.
  • You automatically delete data that your business no longer has any use for – we have an automation for that, but also you can delete the data in bulk through deleting a contact (from the list view) and choosing delete all related objects.
  • Your customers can easily request deletion of their personal data – A contact form linked to Jetpack CRM is easy enough.
  • Your customers can easily request that you stop processing their data – as above.
  • Your customers can easily request that their data be delivered to themselves or a 3rd party – as above
  • Your customers can easily object to profiling or automated decision making that could impact them again, through a simple form is enough

Consent

  • Ask consent when you start processing a person’s information – this in in T&Cs, Privacy Policies and checkboxes
  • Your privacy policy should be written in clear and understandable terms –  We have our detailed Privacy Policy here.
  • It should be as easy for your customers to withdraw consent as it was to give it in the first place – a contact form is fine.
  • If you process children’s personal data, verify their age and ask consent from their legal guardian – we don’t process children’s data
  • When you update your privacy policy, you inform existing customers – we do this via our newsletter

Follow-up

  •  You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to. – we have a process in place to review our providers quarterly and update our policies.

Special cases

  • Your business understands when you must conduct a DPIA for high-risk processing of sensitive data. – if you have any, read about what a Data Protection Impact Assessment involves.
  • You should only transfer data outside of the EU to countries that offer an appropriate level of protection

*checklist sourced from: https://gdprchecklist.io/