The General Data Protection Regulation (GDPR) impacts every company that processes the personal data of EU residents, regardless of the company's location. The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by governments; this means it will be in force in May 2018.
The GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts.
1. Consent has to be given - A voluntary, specific and informed indication of consent must be given by an individual before their personal information can be processed by a business.
2. The right to access - This entitles individuals to request access to the personal data that a company holds about them. The company must provide a copy of the personal data free of charge and, if requested, in electronic format.
3. The right to be forgotten - If consumers are no longer customers, they can request the permanent erasure of some or all of their data from a company's databases and, in turn, put a stop to marketing communications.
4. The right to be informed - Individuals must be informed about the collection and use of their personal data. Information like purpose of data processing and retention periods should be disclosed.
5. The right to restrict processing - Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
6. The right to object - Individuals can object to the processing of their data and request that any business process involving their personal data be stopped. This right must also be made clear to individuals at the start of communications.
7. The right to be notified - If there has been a data breach that compromises an individual's personal data, the individual is entitled to be notified within 72 hours of the breach first having been discovered.
Data Privacy Module – The Sugar 8.0 update will include a Data Privacy Module. It will serve as a central place for handling certain data privacy requests and will also act as a log of all the actions taken in response to those requests.
Data Privacy Manager – A new Admin role called Data Privacy Manager (DPM) is being added. DPMs will be responsible for reviewing requests and marking the fields that need erasure.
Personal Information Log – For the Right to Access requests, a Personal Information Log or PI Log will be introduced. It will capture a snapshot of the requester's latest information and indicate the source of the data. The PI Log will only display the PII fields.
Data Processing Objection Flag – A person who objects to the processing of their data by a company can now be marked as not available for processing and not to be used in profiling for automated decision making. The flag can be applied to exclude customers or leads from campaigns, reports, or other business processes.
Opt Out Default Setting – Customer communications can now be set to either "opted-in" or "opted-out". If an email address is set to opt-out, a clear visual indicator will be present.
Consent Management – Organizations can now manage within Sugar the consent process for the storage and processing of customers' personal data. Consent withdrawal requests will be recorded within the Data Privacy Module.
Limiting Data Collection – Admins can easily remove unneeded fields via Studio (Sugar's configuration console for admins), preserving only the relevant personal data.