A new wave of best practice is starting to gather speed worldwide. It involves the use and security of people’s private information. Make no mistake about it, this is not a fad, fashion or new scheme that will be forgotten in a few weeks.
Following on from recent scandals involving some of the world’s largest companies, such as Facebook and Cambridge Analytica, Google and Russian and US Governments, a backlash is just beginning. A new code of ethics is being designed and it is the CONSUMER holding all of the cards. Consumers of services and products can vote with their feet. Social networks now hold the key to massive changes as people demand change.
Any business in Europe that is seen to be using personal information of their employees, partners, customers or suppliers in a way that contravenes new data privacy laws can be harshly dealt with. New European laws from the Information Commission have forced companies to comply with stringent change. These new General Data Privacy Regulations (GDPR) are a reaction to the many years of abuse where private details of individuals have been sold like general commodities.
It is unlikely that other countries (USA for example) will ever go as far as the GDPR legislation. However, it is abundantly clear that changes such as this to legislation and to public opinion will only gather pace and spread worldwide.
For any business in Europe that has been forced to comply with GDPR, it has been a time of reflection and many businesses are using this time to review their whole strategy as it applies to Personal Data Management. In short, GDPR has driven efficiencies and has enabled many companies to re-structure their Personal Data Management tools. Think of it as a “spring clean” for information management.
A new breed of business is emerging. The feeling on the street is very similar to the era of the “We are green” bandwagon, where companies used the green mandate to show they care about the planet. The new mantra is “We care about your privacy and security”.
In order to empower our clients to show they care enough to do this properly, Trivaeo Cloud Services has developed a new self-service portal facility as well as important changes to digital file management and HR and CRM applications.
At this stage we must be clear. Owning software or using a new cloud service can never make your company GDPR compliant or prove you are really keeping your personal data secure. But it goes a long way to showing the world that you are one of the leaders in this new era.
Storing Personal Information
Trivaeo Crossroads uses web-based forms housed within specific applications to enter and store information about people. Because the base of the platform is a fully structured SQL database, there is an on-going notion of “single point of truth”. This means that even though information is available inside other applications, the single point of truth relating to data pairs is never moved from the original source.
There are only two places in the entire Crossroads platform (65 applications and growing) where personal data is stored:
- CRM (Traditionally Customer Relationship Management)
- HR (Traditionally Human Resources / Personnel)
The CRM application contains over 40 fields where information of all sorts can be stored. This application is used for ALL contacts that are NOT employees. It can be used to store information about clients, suppliers, partners and competitors.
The HR application is designed to store and retrieve information specific to those employed by your company.
Together, these two applications store and protect every piece of personal data your company will ever need to keep.
The information you keep about people is protected while at rest in your systems by password controlled permissions.
Only staff with specific permissions can view information about people.
All passwords are hash protected to ensure even company administrators cannot see or use passwords of others.
Forms that store information inside any application are available in two formats:
View for edit
One of the main elements inside the GDPR is the power for people to choose how the company holding the information uses it to contact them.
Contact via “open” channels such as social media is not covered here, just “closed” channels as follows:
- Mobile phone (including texts)
- Snail mail (post)
Contacts can now choose how and when or “if” they want to be contacted for general marketing communications.
This does not cover communications related to general account management that your company must undertake in the course of your business. This relates to contact that can be seen by others as extraneous.
It is now possible to mark each of these data fields so that they clearly show (in all views) the choices of the contact. For example, a contact that has opted out of email communication will have the email address greyed out. Furthermore, when compiling lists for email campaigns, opted-out contacts would automatically be eliminated. When a contact has opted out of contact via the telephone, the number will appear in red with a strike-through.
The right to be forgotten
The GDPR says clearly that any contact you hold information about has the “right to be forgotten”. This in itself means that, if requested, all of their data should be removed from your systems. However, the issue is not quite as simple as that. Even if a contact requests to be forgotten, your business may legally be required to hold such information for a set period. For example, in Foreign Exchange transactions, your data must be retained for inspection for at least 7 years. To make this work properly, the CRM system allows you to distinguish between “Contacts” and “Clients”. Therefore, even if a contact really wants to be forgotten, you may still hold (but not use) the information for any set period if the contact was marked as a “client”.
Supply and reply to information requests
The GDPR states that if any contact you hold on your systems contacts you and requests to see what information you hold about them, you have 28 days to respond and to send in an “easily usable format” the information you hold about them. You cannot charge for this service.
In most cases, it would be expected that your business must note such requests, collate all of the relevant information and send that information by email or via post to the contact.
At this stage the contact may reply asking for certain information to be corrected, verified or deleted altogether. You must do this within a 28 day period as well. This is onerous on any size of business and particularly so on any business that holds large numbers of contacts in long-term built data systems.
In the case of companies using Trivaeo Crossroads, the request could be handled as follows:
- Note the request and search the CRM / HR database for the name and email pair.
- Once located, the contact can be given “self-service” access to the system via a tick box.
- The system automatically sends an invite to connect to the contact and sets up an access via secure password for the contact.
- The contact can then, at any time, use the access to the self-service portal to see, edit, amend or delete their personal information.
- If and when the information is changed, the company “owner” of that contact can be alerted to tell them the details have been viewed / changed.
Information held within documents
In some cases the information about contacts is held inside documents such as letters and reports and files. This information is notoriously hard for larger companies to handle. Documents can often be stored in various files and on various systems.
Trivaeo Crossroads has an in-built digital file management system. Users can “tag” any documents that are created or stored there if they are “GDPR relevant”. This means that any letter or document or report specifically ABOUT this contact, once tagged, will appear inside the self-service portal as well, alongside the structured data / information held in forms.
It is a roadmap item on the Trivaeo Crossroads development to extend the reach of Personal Data Management and of the self-service portal. Any feature requests that would help business to manage personal data more efficiently would be received with interest by Trivaeo.
Trivaeo also intends to publish CRM and HR APIs that will allow your business to connect virtually any 3rd party database system to the self-service portal. This would negate the need to change over systems just to enable use of these fantastic new features.