This page covers how Syncro helps you stay GDPR compliant with respect to your Customers. If you are looking for information on how we are GDPR compliant with YOU (our users), please visit this page: GDPR - Syncro and Your Business
GDPR can be broken down into some primary categories that you should address to be compliant:
- Specific and Unbundled Consent
- Data Portability
- Right to Erasure (aka Right to be Forgotten)
- Breach Notification Policy
- Supporting Documentation
Specific and Unbundled Consent
An "opt-in" field for marketing consent cannot default to "consented". If you want to store someone's information for general processing of their data, you should ask for that. If you also want to market to them, you need to ask them separately (unbundled) to opt in to that.
To reliably track consent in Syncro, we have provided a few new features.
Initial Setup & Creating a Customer
First, you can now head to the GDPR Center in the Administration section and configure your consent messaging. We have provided some sample text so you have an idea of what belongs in this message.
After you have that configured, you might notice the three new fields on the "New Customer" screen, where the old "opt-in" checkboxes were.
If you don't check the first box that says you have their consent to at least store their information for normal business processes, the form won't be valid to continue.
If you do check any of these boxes and continue, a "Consent" record is stored in the database permanently for your future reference. The consent record stores the date and time, the communication method note you provide (e.g. "verbally consented"), and a copy of the actual text they agreed to. To be reminded of the exact text you want them to agree to, hover over each field and the consent text you entered in the prior step will pop up.
Modifying a Consent
You can also modify a consent in the event that a Customer contacts you and says they want to change their mind about a consent. To adjust a consent, head to the Customer Detail screen and look for the new "GDPR" button. (This requires a new permission; only global admins have it by default.)
Modifying in Bulk
In case you've already been collecting consent outside of Syncro, or you are importing Customers that have consented elsewhere, we've provided a bulk consent tool. This tool is in Admin -> GDPR Center. It allows you to mass-update each type of consent for all Customers in the database.
Self-Service Modifying via the Portal
Your Customers can use the Portal to manage their communication settings. They will have a new link in the upper right-hand corner of the Portal which will take them to a page where they can manage their Privacy Settings - Data and Communication Settings.
Data Portability
A person should be able to get a "portable" (machine-readable format) copy of the personal data you're storing about them whenever they desire.
We enable that in the Customer Portal. They can click into the Portal, click "Privacy Settings" in the upper right-hand corner, and click to "request data." You can also easily do this for them by clicking the "Online profile" link from the Customer Detail screen and clicking the "request data" button.
Right to Erasure
A person should be able to request their personal information be erased from your systems. You should know exactly where it's being stored and be able to comply with their request. There are some big exceptions to this rule for what the language calls "future legal defense" and also "where deleting the data would conflict with any other legislation." More on this later.
You should read up on this requirement of GDPR to see if and when you actually need to process an erasure. There may be reasons you would want to decline, but in the event you want to process it for them, we give you these tools.
First, in the Customer Portal they can click "Erase Me" and it will NOT actually erase them, but it will send you a request via a Ticket so you can choose how to process it.
Second, on the Customer Detail screen, when you click "GDPR", you get some controls on the page that are dynamic, based on what data is present for this Customer.
If it's just an empty Customer, with no Tickets or Invoices, there will be a button allowing you to delete them and do an actual "Purge" - this is completely irreversible.
If this Customer has any Tickets or Invoices, the button will change to "Soft Delete - Keep financial records due to other record keeping rules." This will "erase" them in many functional ways, but the Ticket/Invoice data will still be in the system and discoverable. They will not be able to receive emails in this state, and will not be present in Customer CSV Exports, so you won't accidentally contact them in the future.
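The consent records described under "Specific and Unbundled Consent" and the purge-versus-soft-delete behaviour described above, modelled as an added example in Python. This is not Syncro's code; the consent types, field names and the rule that soft-deleted Customers are excluded from email and CSV export follow the text of this page, and the wording of the consent texts is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Consent types from the page: storage is mandatory, marketing is a separate opt-in.
CONSENT_TYPES = ("storage", "marketing")

@dataclass(frozen=True)
class ConsentRecord:
    consent_type: str
    granted: bool
    recorded_at: datetime
    method_note: str   # e.g. "verbally consented"
    consent_text: str  # snapshot of the exact wording agreed to at the time

@dataclass
class Customer:
    name: str
    email: str
    tickets: int = 0
    invoices: int = 0
    soft_deleted: bool = False
    consents: list = field(default_factory=list)  # append-only audit trail

    def latest_consent(self, consent_type):
        for rec in reversed(self.consents):
            if rec.consent_type == consent_type:
                return rec
        return None

def create_customer(name, email, checked, method_note, consent_texts):
    """Mirror the New Customer form: storage consent is required, nothing is pre-checked."""
    if not checked.get("storage"):
        raise ValueError("storage consent is required to create a Customer")
    cust, now = Customer(name, email), datetime.now(timezone.utc)
    for ctype in CONSENT_TYPES:
        if checked.get(ctype):
            cust.consents.append(ConsentRecord(ctype, True, now, method_note, consent_texts[ctype]))
    return cust

def record_consent_change(cust, consent_type, granted, method_note, consent_text):
    """A change of mind appends a new record; earlier records are never edited."""
    cust.consents.append(ConsentRecord(consent_type, granted, datetime.now(timezone.utc), method_note, consent_text))

def process_erasure(customers, cust):
    """Purge an empty Customer irreversibly; soft-delete one that has Tickets or Invoices."""
    if cust.tickets == 0 and cust.invoices == 0:
        customers.remove(cust)
        return "purged"
    cust.soft_deleted = True  # financial records kept, contact suppressed
    return "soft_deleted"

def may_email(cust, consent_type="marketing"):
    rec = cust.latest_consent(consent_type)
    return not cust.soft_deleted and rec is not None and rec.granted

def csv_export_rows(customers):
    return [(c.name, c.email) for c in customers if not c.soft_deleted]
```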
Breach Notification Policy
You are required to report a breach within no more than 72 hours of discovering it, except where the notification could result in a risk to the rights or freedoms of others. There are requirements for what that notification includes, and you can easily write something up based on the legislation text found here.
We don't provide a tool for this, but if Syncro is breached you can be sure we will report to you per the GDPR rules. We can't offer specific legal advice here, but you may want to have a policy ready that says how you will respond to a breach. We feel it's a little unclear if every small business needs to build all these policies.
Supporting Documentation
If you store personal information in online systems you should maintain a list of them for others to see and understand where their data is. American companies that store data are registering with PrivacyShield.org.
Syncro will publish a list of relevant hosts and services online here. You may refer your Customers to this or create your own pages. We are not 100% clear what would make you compliant in this regard.
Third-Party Resources
- U.S. Department of Commerce Privacy Shield Website: https://www.privacyshield.gov/welcome.
- Directive 95/46/EC: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l14012.
- General Data Protection Regulation (GDPR): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
- The International Association of Privacy Professionals: https://iapp.org.
- United Kingdom Information Commissioner’s Office’s “Preparing for the GDPR”: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.