The EU General Data Protection Regulation (GDPR), in force from 25 May 2018, standardizes data protection regulation across the European Economic Area.
It is designed to govern how organizations treat personal information, putting individuals firmly in control of the way their data is used. The key drivers of the GDPR are privacy, security, accuracy, and accountability, which must be embedded into every aspect of your business. This requires businesses to review their ongoing data management practices and systems.
CRM plays a vital role in helping businesses manage their customer data, business processes, and activities, and can operate as a significant tool in managing GDPR compliance.
This document provides guidance and a suggested approach to customizing and setting up Maximizer CRM to meet this requirement. It is by no means the only approach, but it does provide a comprehensive set of data fields to cover the main requirements of the regulation.
N.B. This guidance is based on the latest version of Maximizer CRM Live (older versions and On-premise versions may not have all options available).
GDPR at a Glance
Our recommendation is either to create a separate GDPR Key Field List at Contact and Individual level, or to add a GDPR section to an existing Key Field List that tracks Contact and Individual specific information.
The fields shown below are given as suggestions only. The types of fields you add, and the information you hold, will depend on your business and your specific way of working.
Under GDPR, your processes and way of working should be documented and communicated clearly to staff through training.
Custom View
![](/hc/article_attachments/23134705306765)
![](/hc/article_attachments/23134705378701)
General GDPR
Under GDPR, you must have a lawful basis for processing personal data. There are six lawful bases to choose from; which one is most appropriate will depend on your purpose and on your relationship with the individual, and it should be decided and recorded before the processing begins.
![](/hc/article_attachments/23134705423245)
Lawful Basis for Processing: Multi-selection List Field
- Consent
- Contract
- Legitimate Interest
- Legal Obligation
- Public Task
- Vital Interest
N.B. You will also need to identify the additional lawful basis for processing Special Category or Criminal Conviction data and create custom fields accordingly.
Consent is one of the six lawful bases for processing personal data. It requires a positive opt-in, and you must be able to show how and when that opt-in was given, so it needs to be recorded.
Processing Consent by: Multi-selection Drop Down List
- Form
- Email
- Verbal
- Business Card
Processing Consent Given: Date Field
Communications Consent
You may choose to request additional consent for communications via positive opt-in.
The opt-in should be specific to the type of information you plan to provide, not a general catch-all. Whilst opt-in functionality is provided as standard in our software against each email address, and is used for Campaigns and general messages, additional opt-in fields may be needed if a third-party product is used.
![](/hc/article_attachments/23134740813965)
Contact Interest Opt-In: Multi-selection Drop Down List - used to track the information a contact or individual is interested in receiving. For example:
- No Consent Given
- Company & Products
- CRM Best Practice
- Business Growth
- Events & Webinars
- Research & Reports
First Opt-In Date: Date Field - used to track the first date that a Contact or Individual opted in.
Opt-In Last Updated: Date Field - used to track the last time a Contact or Individual changed or updated their opt-in preferences.
Time Since Last Opt-In: Duration Field - you may decide on a limited time period after which you go back to the Contact or Individual to renew their opt-in for communications.
Do Not Contact By: Multi-selection List Field
- Email
- Fax
- Letter
- Phone
- Text
Data Retention Tracking
As a business, you need to review your data collection and management processes and then decide appropriate retention periods for the personal data you keep.
![](/hc/article_attachments/23134740856333)
Date Last Contacted: Date Field - used to indicate the last time communication was made with a Contact or Individual.
Last Contact Engagement: Date Field - used to track the last meaningful engagement with a Contact or Individual
Contact Left Company: Yes/No Field - used to identify if a contact no longer works at a client, prospect, partner or supplier.
Date Contact Left Company: Date Field - used to track the date a contact moved from the company.
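The Communications Consent and Data Retention Tracking fields above only become useful once something periodically reads them and flags the records that need action. The following is an added example, not code from the original article or from Maximizer, of such a review pass over a handful of constructed records. The `ContactRecord` class, the three period lengths (retention, grace period after leaving a company, opt-in renewal) and the action wording are all assumptions; the field names in the comments are the ones suggested in this guide.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ContactRecord:
    """Hypothetical in-memory mirror of a subset of the guide's suggested fields."""
    name: str
    last_engagement: Optional[date]                          # Last Contact Engagement
    left_company: bool = False                               # Contact Left Company
    date_left: Optional[date] = None                         # Date Contact Left Company
    opt_in_updated: Optional[date] = None                    # Opt-In Last Updated
    do_not_contact: Set[str] = field(default_factory=set)    # Do Not Contact By


def days_since(d: Optional[date], today: date) -> Optional[int]:
    """Age of a date in whole days, or None when the field is empty."""
    return None if d is None else (today - d).days


def review_record(r: ContactRecord, today: date, *,
                  retention_days: int = 730,
                  left_company_grace_days: int = 180,
                  opt_in_renewal_days: int = 365) -> List[str]:
    """Return the follow-up actions one record needs.

    The three period lengths are assumed policy values; take them from your own
    documented retention policy rather than from this example.
    """
    actions: List[str] = []

    # Retention: a contact who has left their company, or one with no meaningful
    # engagement inside the retention period, is a candidate for erasure review.
    left_for = days_since(r.date_left, today)
    engaged = days_since(r.last_engagement, today)
    if r.left_company and left_for is not None and left_for > left_company_grace_days:
        actions.append("review for erasure: contact left company")
    elif engaged is None:
        actions.append("review for erasure: no engagement recorded")
    elif engaged > retention_days:
        actions.append("review for erasure: retention period exceeded")

    # Opt-in renewal (the guide's 'Time Since Last Opt-In'). A renewal request
    # must not itself go out over a channel the person has asked you not to use.
    opt_in_age = days_since(r.opt_in_updated, today)
    if opt_in_age is not None and opt_in_age > opt_in_renewal_days:
        if "Email" in r.do_not_contact:
            actions.append("opt-in lapsed: renewal cannot be requested by email")
        else:
            actions.append("request opt-in renewal by email")
    return actions


def review_all(records: List[ContactRecord], today: date) -> Dict[str, List[str]]:
    """Map each record that needs attention to its list of actions."""
    result: Dict[str, List[str]] = {}
    for r in records:
        actions = review_record(r, today)
        if actions:
            result[r.name] = actions
    return result


# Constructed sample data (not real contacts); the review date is fixed so the
# result is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    ContactRecord("Alice", date(2024, 5, 1), opt_in_updated=date(2024, 1, 15)),
    ContactRecord("Bob", date(2023, 9, 20), left_company=True, date_left=date(2023, 10, 1)),
    ContactRecord("Carol", date(2022, 1, 10), opt_in_updated=date(2023, 3, 1),
                  do_not_contact={"Email"}),
    ContactRecord("Dan", None, opt_in_updated=date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, actions in review_all(SAMPLE_RECORDS, TODAY).items():
        print(name, "->", "; ".join(actions))
```

Run as a script it lists Bob, Carol and Dan with their actions and leaves Alice alone. The erasure checks are deliberately only flags for a human review: under the guide's own process the decision to delete, and the record of that decision, still sit with a person.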
Subject Access Requests
The GDPR gives individuals certain rights in relation to their personal data, and they can request a number of actions in relation to it. In Maximizer CRM, fields can be added to track these requests and the steps taken to comply with them.
If there is doubt about the identity of the person making the request, you can ask for more information to confirm it. The period for responding to the request then begins when you receive that additional information.
![](/hc/article_attachments/23134740915853)
Subject Access Request: Date Field
Days Since Request: Duration Field - you must act on a subject access request without undue delay and at the latest within one month of receipt. Adopting an internal 28-day target ensures the response always falls within a calendar month, whatever that month's length.
Type of Request: Multi-selection List Field - used to track the type of request a contact or individual has made. Options could include:
- Access: request to see the information you hold on a person
- Erase: request to be removed from your database
- Object: objection to the processing of the information held
- Portability: request for you to provide the data you hold, or pass it to a third party
- Rectify: request to correct inaccurate information you may hold on a person
- Restrict/Suppress: request for you to restrict how a person's personal data is processed
Request Method: List Field
- Email
- Verbal
- Verbal - Telephone
- Website
Subject Proof Requested: Date Field
Subject Proof Obtained: Yes/No Field - used to track that verification of the contact or individual identity has been undertaken.
Request Decision: List Field - Complied/Declined
Decision Notified: Date Field
Subject Request Completed: Date field
Compliance Time: Duration Field – used for reporting on compliance
Request Note: Alphanumeric Field - used to track any additional comments or information.
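The deadline rules behind the Subject Access Request fields (clock starts on receipt, restarts when requested identity proof arrives, one calendar month to respond, 28-day internal target) are easy to get wrong at month ends, so here is an added example, not code from the original article or from Maximizer, that works them through. It assumes the ICO reading of "one month": the same date in the following month, or the last day of that month when no such date exists (31 January becomes 28 or 29 February). Function names, the `INTERNAL_TARGET_DAYS` constant and the sample dates are assumptions for illustration; weekends and public holidays, which can move the deadline to the next working day, are not modelled.

```python
from calendar import monthrange
from datetime import date, timedelta
from typing import Optional

# The guide's recommended internal target: 28 days always fits inside a calendar month.
INTERNAL_TARGET_DAYS = 28


def add_one_month(d: date) -> date:
    """Date one calendar month after d.

    Assumed ICO rule: the corresponding date in the following month, or, if that
    month is shorter and has no such date, its last day (31 Jan -> 28/29 Feb).
    """
    year = d.year + d.month // 12
    month = d.month % 12 + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def sar_clock_start(request_received: date, proof_obtained: Optional[date]) -> date:
    """The response clock starts on receipt of the request, unless identity proof
    was requested, in which case it restarts on the day that proof is received."""
    if proof_obtained is not None and proof_obtained > request_received:
        return proof_obtained
    return request_received


def sar_deadlines(request_received: date, proof_obtained: Optional[date] = None) -> dict:
    """Statutory deadline (one calendar month) and the 28-day internal target."""
    start = sar_clock_start(request_received, proof_obtained)
    return {
        "clock_start": start,
        "statutory_deadline": add_one_month(start),
        "internal_target": start + timedelta(days=INTERNAL_TARGET_DAYS),
    }


def sar_status(request_received: date, proof_obtained: Optional[date],
               completed: Optional[date], today: date) -> dict:
    """Counterpart of the guide's 'Days Since Request' and 'Compliance Time' fields:
    how long the request has been open and whether it is, or was, overdue."""
    deadlines = sar_deadlines(request_received, proof_obtained)
    end = completed if completed is not None else today      # open requests run to today
    return {
        **deadlines,
        "days_since_request": (end - request_received).days,
        "days_open": (end - deadlines["clock_start"]).days,
        "complete": completed is not None,
        "overdue": end > deadlines["statutory_deadline"],
        "past_internal_target": end > deadlines["internal_target"],
    }


if __name__ == "__main__":
    # Constructed example: request received 31 Jan 2024, identity proof requested and
    # obtained on 5 Feb 2024, so the one-month clock restarts on 5 Feb.
    print(sar_status(date(2024, 1, 31), date(2024, 2, 5), None, date(2024, 3, 1)))
    # Same request with no proof step: the month from 31 Jan ends on 29 Feb 2024.
    print(sar_status(date(2024, 1, 31), None, None, date(2024, 3, 1)))
```

The two calls at the bottom show why the Subject Proof Requested and Subject Proof Obtained dates matter: the same request is on time on 1 March when proof was requested, and already overdue when it was not, because one month from 31 January ends on 29 February.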
Data Breaches
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also inform those individuals without undue delay.
You must also keep a record of every personal data breach, regardless of whether you are required to notify anyone.
![](/hc/article_attachments/23134705683213)
Breach Notification: Date Field - the date the breach was experienced or first became known to you. Note that the 72-hour notification period runs from when you become aware of the breach, not from when it occurred.
Individual Notification: Date Field - used to hold the date the Contact or Individual was advised about a data breach.
Breach Note: Alphanumeric Field - used to explain what steps were taken to inform the contact or individual about a breach of their data.
Further Help
If you need help in configuring your Maximizer CRM to meet GDPR Compliance please contact our CRM Experts or your Certified Solutions Provider.
More information on GDPR compliance is available on the ICO website or the Maximizer GDPR Information Hub.
CONTACT INFORMATION
Tel: +44 (0) 1344 766 900