Priava is committed to providing innovative solutions that follow best-practice standards and that, in terms of data, follow the Privacy by Design methodology. We have therefore released a new feature, Data Privacy, which will be added to the Core Software & CRM module. Using Data Privacy, your organisation can nominate one of its system administrators as a Data Protection Officer, who determines how contacts are stored in your database through predefined Automations. Key parts of the functionality include:
Users will be able to record and monitor the fact that they have gained ‘consent to retain personal data’ for contacts that you have saved in Priava.
Your nominated Data Protection Officer will be able to configure Automations that take action on the contacts stored in your database. These Automations are made up of "Conditions" and "Actions" and can be used to email a contact and either pseudonymise, anonymise or delete their details.
Your nominated Data Protection Officer will be able to run a report showing all of the Automations that have been configured within Data Privacy and statistics surrounding the personal data that your organisation has stored within Priava.
Below we have highlighted the most important points you need to consider to comply with GDPR, and how we have addressed them in developing the Data Privacy feature:
| Principle | Description | Can you comply with this using Priava? | How will the Data Privacy feature improve this? |
|---|---|---|---|
| Lawfulness | Data should be processed only when there is a lawful basis for such processing (e.g. consent, contract, legal obligation). | Yes, you already can. You decide when you capture or process personal data and why. | Using Data Privacy you can configure Automations that notify Data Subjects via email when you have collected their data or have stored it for a set period, so that any issues can be raised by the Data Subject and rectified by your Data Protection Officer. |
| Fairness | The organisation processing the data should provide Data Subjects with sufficient information about the processing and the means to exercise their rights. | Yes, you already can. This information should be addressed in your terms and conditions, which can be added to any report template using the text option in the report filter. | Using Data Privacy you can customise the email templates sent to Data Subjects based on predefined rules (for example, when a Data Subject's details have been added to or edited in your system). These emails are also stored in the contact record. |
| Transparency | The information provided to Data Subjects should be in a concise and easy-to-understand format (e.g. the purpose of consent should not be buried in a lengthy document of terms and conditions). | Yes, you already can. You control the format and content of your terms and conditions, along with any communication to your customers. | Using Data Privacy you can define rules that remind those who have given consent in the past, and/or advise those who have not, why you hold their data and what they can do to give consent for you to retain it or to have it removed. |
| Purpose Limitation | Personal data may be collected only for specified, explicit and legitimate purposes and should not be further processed in a manner incompatible with those purposes. | Yes, you already can. You decide when you collect personal data and why. | Using Data Privacy you can configure Automations that notify Data Subjects via email when you have collected their data, so that any issues can be raised by the Data Subject and rectified by your Data Protection Officer. |
| Data Minimisation | The processing of personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are used. | Yes, you already can. You decide when you process personal data and why. | Using Data Privacy you can configure Automations that automatically Pseudonymise, Anonymise or Delete a contact record based on predefined Conditions, ensuring the personal data in your system is maintained in line with the purpose of its collection and cannot be further processed. |
| Accuracy | Data should be accurate and kept up to date. | Yes, you already can. | By using Data Privacy to automatically inform Data Subjects about the information you hold on them, you increase your ability to maintain accurate data, which helps you comply with GDPR. |
| Storage Limitation | Data should not be held in a format that permits personal identification for longer than necessary. | Yes, you already can. Administrators are able to delete a contact record when necessary. | Using Data Privacy you can configure Automations that automatically Pseudonymise, Anonymise or Delete a contact record based on predefined Conditions. |
| Security | Data should be processed in a manner that ensures security and protection against unlawful processing, accidental loss, damage and destruction. | Yes, you already can. Priava is hosted on Amazon Web Services (AWS), which has been built to meet the requirements of the most security-sensitive organisations. Your data is encrypted both at rest and in transit, and AWS is compliant with ISO 27001, ISO 27002 and ISO 27018. Note that these certifications cover the hosting infrastructure; who can see or export personal data within Priava still depends on how your organisation manages its own user accounts and permissions. | The entire Priava application, including Data Privacy, has been built to ensure your data is safe and secure. |
| Accountability | The data controller is responsible for demonstrating compliance. | Yes, you already can. Your process and methodology should be documented. | Using Data Privacy your nominated Data Protection Officer can produce a report showing all of the active Automations (including Conditions and Actions) within your system and statistics about the personal data your organisation has stored within Priava. |
| Data Subjects have the right… | Can you comply with this using Priava? | How will the Data Privacy feature improve this? |
|---|---|---|
| to be informed | Yes, you already can. The communication can be created manually and sent outside of Priava, or sent from within Priava and thereby stored against the contact record. | Using Data Privacy you can customise the email templates sent to Data Subjects based on predefined rules, informing contacts that you have stored their personal details. These emails are also stored under "Communication" in the contact record. |
| of access | Yes, you already can. When a Data Subject requests confirmation of whether or not their personal data is being processed, you can email a report showing the data you have stored for that Data Subject and why. This communication is stored in the contact record. | |
| to rectification | Yes, you already can. A contact record can be edited by a Priava User. | As Data Privacy enables an automated flow of information to the Data Subject, the ability to keep the data accurate is increased. |
| to erasure (the right to be 'forgotten' if the data held on them is no longer needed, if they withdraw consent or object to its use, or for legal reasons) | Yes, you already can. Administrators are able to delete a contact record when necessary. | Data Privacy enables you to set rules that, based on your chosen Conditions, automatically Pseudonymise, Anonymise or Delete a contact record. |
| to restrict processing (if contacts object to their data being collected, they can object to it being held) | Yes, you already can. Administrators are able to delete contact records when necessary, or, if you have a legal obligation to retain personal information, you can make the contact record inactive. | Using Data Privacy you can configure Automations that automatically Pseudonymise, Anonymise or Delete contact records based on predefined Conditions. If you have a legal obligation to retain the personal information, you can choose to Pseudonymise the contact record rather than simply inactivating it, which ensures the personal data is unavailable to your users. Your nominated Data Protection Officer can reverse Pseudonymisation if and when required. Note that because Pseudonymisation is reversible, a pseudonymised record is still personal data under GDPR and remains subject to its requirements. |
| to data portability (contacts can access their personal data for their own use) | Yes, you already can. Simply ensure your system administrator has configured the 'Contacts List Report (Mail Merge)' to be available from the 'Actions' button, and you can email the report as a CSV file directly from the contact record (Data Subject), thereby recording when and how you provided the information. | |
| to object | Yes, you already can. Administrators are able to delete contact records when necessary. | Using Data Privacy you can configure Automations that automatically Pseudonymise, Anonymise or Delete contact records based on predefined Conditions, minimising the risk of retaining personal data beyond need and reducing any instances of objection. |
| not to be subjected to automated decision-making, including profiling, which produces legal effects concerning them or similarly significantly affects them | Yes, you already can. | |
Q. Can Priava supply an individual Data Processing Agreement (DPA)?
A. Priava cannot enter into unique DPAs with each customer. However, we will update the terms and conditions of our existing agreements to ensure all required aspects are covered.
Q. Where can I find out more information about GDPR?
A. Visit the GDPR website for more information on GDPR and how it will impact your business and data.
Q. By using the Data Privacy feature, will my organisation be fully compliant with GDPR?
A. By using the Data Privacy feature to manage the information stored within Priava's CRM, your organisation can comply with the intent behind GDPR. That said, every organisation should undertake its own GDPR assessment, and adopting the Data Privacy feature should only represent part of your overall response to the introduction of GDPR.
Q. What if my business is not in a country that is part of the European Union?
A. Following the lead of the European Union (EU), many countries around the world are working towards imposing regulations on data privacy, and we encourage Priava users to utilise the Data Privacy feature so that they are ready in advance. Furthermore, even if the country in which your business operates is not part of the EU, GDPR applies to any business that processes the personal data of individuals in the EU (for example, by offering them goods or services). If you have an international customer base, it is highly recommended that you adhere to GDPR to avoid penalties.