GDPR - Your Business and Your Customers
Table of Contents
Note: This document has been imported from the former KB and has not yet been verified.
This page is about the tools Syncro offers to help you comply with the GDPR. If you are looking for information on how we are GDPR compliant with YOU (our users), please visit GDPR - Syncro and Your Business.
This article describes several principles of the GDPR which may apply to your use of our services.
Specific and Unbundled Consent
Under the GDPR, you may only process personal data if you have a legal basis for doing so. Although there are a number of legal bases outlined in the GDPR, consent of the data subject is often the easiest to satisfy.
In order to obtain a data subject’s consent to market to them, you cannot default any “opt-in” fields for consent to “consent.” If you want to store someone's information for general processing of their data, you should ask for that (or make sure you meet another legal basis for such processing). If you also want to use the personal data to market to them, you need to separately (unbundled) ask them to opt-in to that use.
We have provided a few features to help you track user consent, as described in more detail below.
Initial Setup & Creating a Customer
First, head to Admin > GDPR Center and click “Consent Messaging” to configure it. We have provided some sample text so you have an idea of what belongs in this message.
After you have consent messaging configured, you might notice the three fields on the “New Customer” screen.
If you don't check the first box that says you have their consent to at least store their information for normal business processes, the form won't be valid to continue.
If you do check any of these boxes and continue, a “Consent” record is stored in the database permanently for your future reference. The consent record will store the date and time, the communication method note you provide (ex; “verbally consented”), and a copy of the actual text they agreed to. To be reminded of the exact text you want them to agree to, you can hover over each field and the consent text you put in the prior step will pop up.
Modifying a Consent
You can also modify a consent in the event that a Customer contacts you and says they want to change their mind about a consent. To adjust a consent, head to the Customer Detail screen and, in the upper right, click the “GDPR” button. (This requires a new permission, only global admins have this by default.)
Modifying in Bulk
In case you've already been collecting consent outside of Syncro, or you are importing customers that have consented elsewhere, we've provided a bulk consent tool. This tool is in Admin > GDPR Center. It allows you to mass-update each type of consent for all customers in the database.
Self-Service Modifying via the Portal
Your customers can use the Portal to manage their communication settings. They will have a link in the upper right-hand corner of the Portal which will take them to a page where they can manage their “Privacy Settings - Data and Communication Settings.”
Data Portability
A person should be able to get a "portable" (machine-readable format) copy of the personal data you're storing about them whenever they desire.
We enable that in the Customer Portal. The data subject can click into the Portal, click "Privacy Settings" in the upper right-hand corner, and click to "request data." You can also easily do this for them by clicking the "Online profile" link from the “Customer Detail” screen and clicking the "request data" button.
Right to Erasure
A data subject should be able to request their personal information be erased from your systems. You should know exactly where it's being stored and be able to comply with their request. There are some exceptions to this rule.
You should read up on this requirement of GDPR to see if/when you need to actually process an erasure. In the event you want to process an erasure, we offer these tools:
First, in the Customer Portal the data subject can click "Erase Me" and it will NOT actually erase them, but it will send you a request via a ticket so you can choose how to process it.
Second, on the Customer Detail screen, when you click "GDPR," you have access to some controls on the page that are dynamic, based on what data is present on this customer.
If there are no tickets or invoices associated with the customer, there will be a button allowing you to delete them and do an actual "Purge" — this is completely irreversible.
If this customer has any tickets or invoices, the button will change to "Soft Delete - Keep financial records due to other record keeping rules." This will "erase" them in many functional ways, but the ticket/invoice data will still be in the system and discoverable. They will not be able to receive emails in this state, and will not be present in customer CSV exports, so you won't accidentally contact them in the future.
Breach Notification Policy
The GDPR requires that data controllers notify the supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
We don't provide a tool for this, but if Syncro is breached, you can be sure we will report to you in accordance with the GDPR. We can't offer specific legal advice here, but you may want to have a policy ready that says how you will respond to a breach.
Supporting Documentation
If you store personal information in online systems you should maintain a list of them for others to see and understand where their data is. Syncro has a list of relevant hosts and services online here. You may refer your Customers to this or create your own pages.