Commitment to GDPR
OutreachCRM provides you with transparency and control of your customer data to help with your compliance with the General Data Protection Regulation (GDPR).
WHAT IS GDPR?
The General Data Protection Regulation (or GDPR) is a legal set of guidelines for the collection and processing of personal information of individuals within the European Union (EU).
These guidelines set out the principles for data management, expanding the privacy rights of EU individuals, placing new obligations on all organisations that market, track, or handle EU personal data.
WHAT DOES IT MEAN?
Put simply, if your business is based in the EU, or if you process the personal data of individuals in the EU, then any data that you collect or control must stick to the rules, otherwise you must delete it:
You need to be upfront about using an individual's data in a lawful way, and let individuals know how and why you intend to use their data.
After demonstrating transparency in how and why an individual’s data is used, you must not use the data for any other purposes.
You shouldn’t collect data that has no purpose. E.g. you don’t need to collect information about a person’s height, age or gender if it has no relevance to what your business does.
You must take every step to ensure that personal data that is inaccurate is corrected without delay, or deleted.
Don’t store data that allows the identification of data subjects for longer than is necessary.
Personal data must be processed in a manner that ensures appropriate security.
A few definitions to make things clear:
WE & YOU
“We” or “our” or “us” or “Outreach” refers to Outreach Software Limited, and “you” or “your” or “customers” refers to anyone (organisation or individual) that is the Licensee named in the Schedule of our OutreachCRM End User Licence Agreement. “Users” refers to nominated individuals granted permission to access your OutreachCRM by you.
The “controller” or “data controller” is the organisation (a legal person, agency, public authority, etc.) or the person which, alone or depending on the organisation and personal data processing activity, defines what needs to happen with the personal data (and also collects personal data) and is therefore key in personal data protection. This is you.
The “processor” or “data processor” is a person or organisation who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve personal data processing. This is us.
In providing our OutreachCRM program to you, our customers, for the purpose of the GDPR (EU) 2016/679, Outreach Software Limited (a private company registered in New Zealand) is a data processor.
OutreachCRM Features for GDPR Compliance
The GDPR says that an organisation needs to have a lawful basis to collect and process personal information. The lawful basis can be consent (opt-in), or performance of contract (sending an invoice to a customer of your organisation), etc.
OutreachCRM has a number of features in place, and we are adding enhancements to make it easier for you to record consent and manage personal data:
Adding Contacts Manually
When a contact is added manually, "Consent Given" must be checked in the +Add dialog to save the new contact record.
When contacts are imported as a group, the Import page includes "Consent Given", recording that consent was given via import. This will be unchecked by default.
USING THE OUTREACHCRM API
For integration with your website etc., the contact API has fields allowing you to record consent, the source of consent (e.g. website), and the text the contact consented to. You'll need to chat with your web developer about adding this and ask them to get in touch with us.
E.g. 1 Web Forms
Web Forms will have an option to include a "Consent Given" checkbox to record consent, along with an editable text area for stating the intent of collecting the said data.
E.g. 2 Newsletter Sign Ups
Subscribe forms will have a "Consent Given" checkbox to record consent.
HOW DOES IT SHOW?
Under a contact’s details > settings, a new Consent Record displays:
Source (how consent was given, e.g. API, Message (and what Message exactly), Manually, Import)
Author (if added manually or with an import)
Text (the Intent & Purpose Text the individual agreed to at the date & time stated)
For any EU contacts where you do not have specific recorded consent, you can use this feature to send out a message and ask individuals to re-confirm their consent for you to have them in your database. This is not just about asking for email permission. Contacts can always unsubscribe from your messages.
Add the Contacts you wish to email into a category.
Go to Messages > Create a Message > scroll down to Admin:
Check “Confirm Consent”.
Complete the Intent & Purpose Held text field.
This is where you let individuals know how and why you intend to use their data.
Be clear. Be confident.
Your Intent & Purpose text will appear at the bottom of your message, with a “Yes, I confirm” button.
When clicked, a new window will open, displaying the Intent and Purpose text again, along with a box to be checked and a "Yes, I confirm" button. When clicked, the Date, Time, and Source are recorded on each individual's record.
Please note: OutreachCRM Messages do not go to contacts who have already unsubscribed.
Personal Data Management
Some contacts may simply no longer wish to receive your newsletters etc. Every Message sent out from OutreachCRM includes an unsubscribe link, which recipients can click at any time. This can also be manually set under a contact’s details > settings. When set, even if a contact is in the category a message is being sent to, they will not receive it.
REPLACEMENT CODES IN MESSAGES
You can let your contacts know what information you hold on them, to ensure you are always keeping up-to-date records. By using replacement codes for the various data fields you have set up, you can send messages to your contacts asking them to check that their details are current, and to let you know what needs updating.
OutreachCRM has an option to restrict the export of data at different user levels.
Individual user logins mean no one has access to your organisation’s OutreachCRM data unless you invite them. Permissions can be set across user roles, and session expiry settings mean that if you leave your computer unattended for a period of time you will be automatically logged out.
USER AUDIT TRAIL
An audit trail shows where Users log in, how often they log in, and the pages they have viewed. When records and notes are created and changed, the date, time and user are also tracked.
An EU citizen can request the removal of their personal data at any point in time. OutreachCRM has a permanently delete feature that can be activated by a superuser within your account.
RIGHT TO DATA PORTABILITY
An EU citizen can request a copy of their data for their own use. OutreachCRM has a Full Data export action that will provide the contact and notes information held in .csv format.
RIGHTS RELATED TO AUTOMATED DECISION MAKING
Under the GDPR, you cannot process personal information in automated decision making or profiling without a lawful basis (like consent). Good news! You cannot do this in OutreachCRM.
We reserve the right to update this Personal Data Policy at any time. Any changes will be posted to our website (www.outreachcrm.co.nz/GDPR), and we will notify our customers where appropriate.
Questions or Comments? Please contact us by email firstname.lastname@example.org
Last reviewed October 2020.