A Deep Dive Into Data Privacy in SugarCRM
Since the GDPR came into effect in Europe in May 2018, almost every department has needed to make changes to be GDPR-compliant. For anyone involved in data security, including developers and IT, understanding data privacy architecture is now more important than ever. This blog post covers some basic GDPR requirements and the features in Sugar that are relevant to data privacy.
What is Consent?
In order to store and use a data subject’s information, you must have what is called a “basis for processing” or “consent”. This is your justification for using that person’s data, and you must have it before you are allowed to store the data. Consent must be established for each business purpose and can be verbal, although it is a best practice to have written consent. Consent must be explicit unless it is implied through the terminology of an existing contract, compliance, or legal obligation.
Email Opt-In is the most common use case for receiving consent to store someone’s data. This information can be stored in Sugar if you are on Sugar 8.0 or later.
Consent in Sugar
The following features have been added in relation to consent in Sugar 8.x:
- Opt-out by default
- Double opt-in tracking
- Opt-In Confirmation Links
- Ability to audit consents and opt-outs over time
The opt-out value has been added by default and can be turned on and off from the administration panel. You can access this by going to Administration → System Email Settings → Email Option → ‘Opt-out of New Email Addresses by Default’.
With GDPR, we are required to have confirmation that users want to receive an email from us (you cannot just start emailing someone because you found their email address online). This is where the double opt-in tracking is useful.
The confirmation link is a Sugar feature that allows your audience to opt in and change their own opt-in status without an employee doing it from the Sugar interface. There are two ways of using the confirmation link:
The first way is to manually copy the confirmation link and send it in an email to the data subject. The other option is to use an API endpoint.
Consent and Processes in Sugar
The rules of GDPR cover what you do with data internally. Because consent may be revoked at any time, your basis for processing needs to be checked and re-checked whenever you start or resume a process. That applies to Advanced Workflows and any other complex systems.
Right of Access in Sugar
Right of access means that you must be able to provide a data subject with all pieces of their Personally Identifiable Information (PII), that is, information that can be used on its own or with other information to identify, contact or locate a single person.
In Sugar 8 we have a new attribute for fields in Studio. It consists of a checkbox that should be checked if a field will contain PII. The fields that are checked will be available to view in the Personal Information view and will be permanently erased when a data subject requests erasure of their data.
There is a new PII View that allows Sugar users to see the PII for a given record as well as the source for that PII. The information displayed here is determined by using the Personal Information attribute mentioned previously.
Right to be Forgotten in Sugar
“Right to be Forgotten” is a user’s right to have their data permanently erased. They can indicate that they want you to remove specific information or all information. In Sugar, it is recommended not to erase whole records but rather to erase PII content from those records. Sugar now allows you to trigger erasure when requested by a user and it will delete:
- Fields marked as personal information
- Audit entry values
- Any PII data contained in the Activity Stream
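The erasure scope listed above, modeled as an added example. This is not Sugar's code or API: the record, audit and stream structures, the function names, and the sample data are all constructed for illustration. It shows why blanking the flagged fields alone is not enough, and includes a check for values left behind after erasure.

```python
# Conceptual model of field-level erasure. All names and data structures are
# hypothetical; this is not Sugar's schema or API.
from copy import deepcopy

# Constructed sample data. "pii" mirrors the Personal Information checkbox.
FIELD_DEFS = {"first_name": {"pii": True}, "email": {"pii": True},
              "account_tier": {"pii": False}}
RECORD = {"id": "c-1", "first_name": "Ada", "email": "ada@example.com",
          "account_tier": "gold"}
AUDIT = [{"record_id": "c-1", "field": "email",
          "before": "ada@old.example", "after": "ada@example.com"},
         {"record_id": "c-1", "field": "account_tier",
          "before": "silver", "after": "gold"}]
STREAM = [{"record_id": "c-1", "data": {"email": "ada@example.com"}}]

def pii_fields(field_defs):
    """Names of the fields flagged as personal information."""
    return {name for name, d in field_defs.items() if d.get("pii")}

def erase_subject(record, audit, stream, field_defs, fields=None):
    """Erase PII values but keep the record. `fields` limits the erasure to
    specific flagged fields; None erases every flagged field."""
    flagged = pii_fields(field_defs)
    targets = flagged if fields is None else flagged & set(fields)
    record, audit, stream = deepcopy(record), deepcopy(audit), deepcopy(stream)
    for name in targets & record.keys():
        record[name] = None
    # Audit rows keep old and new values, so blanking the field alone leaves PII.
    for row in audit:
        if row["record_id"] == record["id"] and row["field"] in targets:
            row["before"] = row["after"] = None
    # Assumption: stream entries carry a field -> value map for update events.
    for entry in stream:
        if entry["record_id"] == record["id"]:
            for name in targets & entry["data"].keys():
                entry["data"][name] = None
    return record, audit, stream

def residual_pii(record, audit, stream, field_defs):
    """Post-erasure check: where does a flagged field still hold a value?"""
    flagged = pii_fields(field_defs)
    hits = [("record", f) for f in flagged if record.get(f) is not None]
    hits += [("audit", r["field"]) for r in audit
             if r["record_id"] == record["id"] and r["field"] in flagged
             and (r["before"] is not None or r["after"] is not None)]
    hits += [("stream", f) for e in stream if e["record_id"] == record["id"]
             for f in flagged & e["data"].keys() if e["data"][f] is not None]
    return sorted(hits)
```

Running `residual_pii` on a record whose fields were blanked by hand, with the audit and stream data untouched, still reports the email address in both places.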
While we learned a lot about GDPR and Sugar at SugarCon 2018, data privacy and regulations will continue to be an important topic for any organization using CRM. To learn more about how to make sure your Sugar system is GDPR compliant, reach out to W-Systems today.