Priava is committed to providing innovative solutions that follow best practice standards and that, in terms of data, follow the Privacy By Design methodology. Our Data Privacy feature is part of the Core Software & CRM module. It enables your organisation to nominate a Data Protection Officer who will be able to determine how contacts are stored and managed in your database based on predefined Automations. Key parts of the functionality include:
Users can record and monitor the fact that they have gained ‘consent to retain personal data’ for contacts that you have saved in Priava.
Your nominated Data Protection Officer can configure Automations that take action on the contacts stored in your database. Automations are made up of "Conditions" and "Actions", which can be used to email contacts and either pseudonymise, anonymise or delete their details.
Your nominated Data Protection Officer can run a report showing all of the Automations configured within Data Privacy and statistics surrounding the personal data that your organisation has stored within Priava.
Below we have highlighted all of the most important points that you need to consider to ensure you can comply with GDPR and how we have addressed them by developing the Data Privacy feature:
| Principle | Description | Can you comply with this using Priava? | How does the Data Privacy feature improve this? |
|---|---|---|---|
| Lawfulness | Data should only be processed when there is a lawful basis for such processing (e.g. consent, contract, legal obligation). | Yes, you can. You decide when you capture or process personal data and why. | Using Data Privacy, you can configure "Automations" that will notify Data Subjects via email when you have collected their data or have stored it for a set period. This approach will ensure Data Subjects can raise any issues, and your Data Protection Officer can rectify these issues as required. |
| Fairness | The organisation processing the data should provide Data Subjects with sufficient information about the processing and the means to exercise their rights. | Yes, you can. This information should be addressed in your terms and conditions, which can be added to any report template using the text option in the report filter. | Using Data Privacy, you can customise email templates that will be sent to Data Subjects based on predefined rules (i.e. you can send an email when a Data Subject's details have been added to or edited within your system). These emails are stored in the contact record. |
| Transparency | The information provided to Data Subjects should be in a concise and easy to understand format (i.e. the purpose of consent should not be buried in a lengthy document of terms and conditions). | Yes, you can. You control the format and content of your terms and conditions, along with any communication to your customers. | Using Data Privacy, you can define rules to remind those that have given you consent in the past and/or advise those that haven't, why you have their data in your system and what they can do to provide consent for you to retain the information or to have it removed. |
| Purpose Limitation | Personal data may be collected only for a specific, explicit, and legitimate purpose and should not be further processed. | Yes, you can. You decide when you collect personal data and why. | Using Data Privacy, you can configure "Automations" that will notify Data Subjects via email when you have collected their data. This approach will ensure Data Subjects can raise any issues, and your Data Protection Officer can rectify these issues as required. |
| Data Minimisation | The processing of personal data should be adequate, relevant and limited to what is necessary for the purposes for which the data is being used. | Yes, you can. You decide when you process personal data and why. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined conditions. This approach will ensure that all personal data stored in your system is maintained in line with the purpose of its collection and cannot be further processed. |
| Accuracy | Data should be accurate and kept up to date. | Yes, you can. | Using Data Privacy, you can automatically notify Data Subjects when you have stored their information. This approach will help you to increase your ability to maintain accurate data and comply with GDPR. |
| Storage Limitation | Data should not be held in a format that permits personal identification any longer than necessary. | Yes, you can. Administrators can delete a contact record when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions". |
| Security | Data should be processed in a manner that ensures security and protection against unlawful processing, accidental loss, damage, and destruction. | Yes, you can. Priava uses Amazon Web Services (AWS), which has been built to meet the requirements of the most security-sensitive organisations. Your data is encrypted both at rest and in transit, and AWS is compliant with ISO27001, ISO27002 and ISO27018. | The entire Priava application, including Data Privacy, has been built to ensure your data is safe and secure at all times. |
| Accountability | The Data Controller is responsible for demonstrating compliance. | Yes, you can. Your process and methodology should be documented to demonstrate what you have implemented in Priava and other applications that you use across your organisation. | Using Data Privacy, your nominated Data Protection Officer can produce a report showing all of the active "Automations" (including "Conditions" and "Actions") within your system and statistics surrounding the personal data that your organisation has stored within Priava. |
| Data Subjects have the right… | Can you comply with this using Priava? | How does the Data Privacy feature improve this? |
|---|---|---|
| to be informed | Yes, you can. This can be manually created communication sent outside of Priava, or sent from within Priava and thereby stored against the contact record. | Using Data Privacy, you can customise email templates that will be sent based on predefined rules to inform Data Subjects that you have stored their personal details. These emails will be stored under "Communication" in the contact record. |
| of access | Yes, you can. When a Data Subject requests confirmation about whether or not their personal data is being processed, you can email a report to show the data you have stored and why. These emails will be stored under "Communication" in the contact record. | |
| to rectification | Yes, you can. A contact record can be edited by a Priava User. | As Data Privacy enables automated information flow to the Data Subject, it increases the potential for data accuracy. |
| to erasure (the right to be 'forgotten' if the data held on them is no longer needed, or if they withdraw consent or object to its use, or for legal reasons) | Yes, you can. Administrators can delete a contact record when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions". |
| to restrict processing (if contacts object to their data being collected, they can object to it being held) | Yes, you can. Administrators can delete contact records when necessary. Alternatively, if you have a legal obligation to retain personal information, you can make the contact record inactive. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions". If you have a legal obligation to retain personal information for a specific Data Subject, you can choose to pseudonymise the contact record rather than inactivating it. This approach ensures that the personal data for the Data Subject is not available to Priava users. However, your nominated Data Protection Officer can reverse the pseudonymisation if/when required. |
| to data portability (contacts can access their personal data for their own use) | Yes, you can. A CSV file containing all of the Data Subject's information can be emailed to them directly from the contact record, thereby recording when and how you provided the information. | |
| to object | Yes, you can. Administrators can delete contact records when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions". This approach minimises the risk of retaining personal data beyond need and reduces any instances of objection. |
| not to be subjected to automated decision-making, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her | Yes, you can. | |
Q. Can Priava supply an Individual Data Processor Agreement (DPA)?
A. Priava cannot enter into unique DPAs with each customer.
Q. Where can I find out more information about GDPR?
A. Visit the GDPR website for more information on GDPR and how it will impact your business and data.
Q. By using the Data Privacy feature, will my organisation be fully compliant with GDPR?
A. By using the Data Privacy feature to manage the information you have stored within Priava’s CRM, your organisation can comply with the intent behind GDPR. That said, every organisation should undertake their own GDPR assessment.
Adopting the Data Privacy feature should only represent a part of your overall response to the introduction of GDPR.
Q. What if my business is not in a country that is part of the European Union?
A. Following the lead of the European Union (EU), many countries around the world are working towards imposing regulations on data privacy, and we encourage Priava users to utilise the Data Privacy feature so that they are ready in advance. Furthermore, even if the country in which your business operates isn’t part of the EU, GDPR will impact any company that has data for persons who reside within the EU. If you have an international customer base, then it is highly recommended that you adhere to the GDPR to avoid penalty.