
Perhaps you’ve been in the camp of believing that the tech industry’s heightened focus on data privacy and GDPR is a little overblown? If so, I understand. At times, GDPR compliance has seemed like a major inconvenience and nothing more.


It’s easy to fall into that mindset until something significant happens. Well, this week’s bombshell allegations of data misuse against Facebook demonstrate that the concerns about personal data are real and the consequences for companies that burn their own customers’ trust are very serious.


Companies like Facebook, Google, and many others have a business model in which users willingly offer their personal information to these companies in exchange for enhancing their experience in using the company’s products or services (or getting to use them for free). The company turns around and uses or sells that information without the user’s knowledge because the “user is the product.”


This is less than ideal for consumers and they do have every right to expect companies like Facebook to put in best practices for data protection. However, the user should at least understand they are assuming a risk by agreeing to share (via a convenient checkbox) their personal information. Furthermore, they do have options to better protect their personal data.


For the CRM industry, our challenge is different. Companies utilize CRM to build better business relationships and deliver value to both current and potential customers. Part of the process involves gathering and organizing the personal information of individuals, often without their knowledge. The onus falls on the company using the CRM to quickly obtain consent to use this data and to use it in a responsible way. Companies that use CRM must also understand that it’s critical to put policies in place so that valuable personal data about their customers is never compromised. With CRM, the customer should never be treated like the product.



I agree with Aaron. And though more government regulation is likely coming, this heightened focus on data protection and privacy is more than just a compliance issue. It’s an opportunity for SugarCRM to help our customer base build best practices for data privacy into how they do business.


This is why we are excited to be putting the finishing touches on a series of data privacy and data protection enhancements for both our Sugar and Hint products. These new features will help companies that use SugarCRM products carry out their data privacy responsibilities as solid corporate citizens (and enable compliance along the way). Stay tuned for details coming very soon.


Originally posted on March 21, 2018: A Few Thoughts on Facebook, Data Protection and CRM

Personal data is valuable, and it’s easier than ever to obtain. Since the onset of the digital revolution, consumers have made it very easy for companies to sweep up a great deal of data about themselves and their activities.


While all this data has been a boon to companies’ sales and marketing efforts, it’s created some bad corporate habits. While some companies are open about their data practices, many seem to operate under the motto: “it’s better to ask for forgiveness than permission.” Some of the biggest companies in the world keep their users in the dark about how personal data is used and they often collect data they have no immediate use for, reasoning that it might be valuable in the future.


This leads us to CRM. What does a CRM system do? It captures and organizes data about a company’s customers. The company uses that data to build better business relationships and to improve the experience they offer to their customers. That’s the premise, anyway.


With so much personal data being collected, stored and accessed inside the system – you really need to trust your CRM vendor.


Openness and integrity have long been SugarCRM core values. Data privacy has always been a key functional area in which we have invested heavily, and that has helped us stand out when talking to potential customers. Helping our own customers manage the personal data of their customer base in a responsible way builds trust. And trust is the catalyst for a productive business relationship.


That’s why we see data privacy in general, and GDPR in particular, as an opportunity. It’s not just about meeting regulatory compliance. It’s an opportunity to help the organizations around the world that rely on Sugar implement best practices for data privacy into how they do business. It’s an opportunity for SugarCRM customers to build a relationship based on trust and transparency with their own customers.


This is why we are excited to be putting the finishing touches on a series of data privacy and data protection enhancements for both our Relationship Management and Relationship Intelligence product lines. These new features will help companies that use SugarCRM products carry out their data privacy responsibilities as solid corporate citizens (and enable GDPR compliance along the way).


Data privacy related functionality is planned for general availability in the Spring ‘18 (Sugar 8.0) release of Sugar and will be included in all editions and for on-premise, cloud and OEM customers. This release is expected to be available at the end of April.


Before you go any further, if you’re just getting caught up on GDPR, you may want to review our recent blog post on GDPR definitions.


Enhancements Related to Data Subject Requests


Recording Data Subject Requests – In Sugar 8.0, we are adding a new Data Privacy module. This module is sort of a command center where Sugar users can manage certain requests by customers related to data privacy. The module will also serve as a record of actions taken to address those requests.


This Data Privacy module will be configurable just like any other module. The module will be related to the leads, contacts and targets modules out-of-the-box, and it can also be related to all other modules (including custom-created ones).


Right to Erasure (Right to be Forgotten) – This is one of the most talked about portions of GDPR. Every person with an email account has experienced continuous emails from a company that they haven’t done business with in years. GDPR allows consumers to request permanent erasure of some or all of their data from a company’s databases, and in turn put a stop to marketing communications.


When a right to erasure request comes in, it can be logged in the Data Privacy module. To help with these requests, we are adding a new Sugar admin role called Data Privacy Manager (DPM). Organizations can assign one or more designated Sugar users to this role. The DPM will be able to review requests and mark records for erasure. They may also select specific fields containing personally identifiable information (PII) for erasure and not erase the whole customer record. Once the DPM completes the erasure process, the selected PII fields will have their values removed. We will also remove the personal information from the audit logs.


Right to Access – GDPR entitles a person (i.e. a data subject) to request access to the personal data that a company has on file about them. In response, we are planning to introduce a Personal Information Log (PI Log) feature. The PI Log captures a snapshot of a subject’s latest personal information and the source from which the data came. The contents of the PI Log are then sent to data subjects when they request access to their personal data.


Admins will define what fields in a record are considered PII (Personally Identifiable Information) in Studio. The PI Log will then display those PII fields.


Right to Object to Processing – People may object to the processing of their personal information by a company. For instance, a company may be marketing to a person who is not yet a customer. That person can object to being part of those marketing campaigns. In this case, the records in Sugar will be marked by a customer service agent so they are not available for processing.


Sugar users will be able to add a custom flag to a customer or lead record that says this record is not to be processed or used in profiling for automated decision making. This field can then be used as a filter in campaigns, reports or other business processes.


Enhancements Related to the Lawfulness of Data Processing


Managing Consent – With Sugar 8.0, organizations (data controllers in GDPR speak) that manage customer data, will be able to manage the process of a person providing “consent” to the storing and processing of their personal data. Consent-related fields can be added to the leads, contacts and targets modules in Sugar. Sugar customers will also be able to leverage these consent-related fields in web-to-lead forms to manage consent flags from individuals.


Consent can also be withdrawn by the data subject. All changes to consent over time will be tracked in the Data Privacy management module.


Opt-in Policy – In the past, Sugar’s default policy for collected email addresses was “opt-in,” meaning they immediately could be used for email communications. GDPR changes all of that. It requires that collected email addresses be placed in an “opt-out” status initially. Emails can only be sent when the individual opts-in.


In Sugar 8.0, a new global setting will be added where admins can specify whether new email addresses should default to opted-out or opted-in. Here’s why we give you the option: if a customer is based in the USA, you may want to make opt-in the default. If they are based in Europe, they definitely need to be defaulted to opt-out. Organizations that are 100% confident they are not subject to GDPR regulations can set the global default setting to opted-in.


Further, if an email address is set to opt-out, a clear visual indicator will be provided wherever the email is displayed in Sugar. Individual users can still send business-related emails to their customer, but these customers should not be included in email marketing communications.

Data Minimization – Businesses should only process data that is relevant to their business purposes. We understand the temptations of “more is better,” but good data privacy practices mean that personal data that is not relevant should be removed. These unneeded fields can easily be removed via Studio (Sugar’s configuration console for admins).


We’ve talked a lot about GDPR in this post, but it is important to remember that GDPR is just the beginning. We expect many other countries around the world to enact similar rules or laws in the future. With Sugar 8.0, our goal isn’t to make product enhancements just so organizations can get in compliance. Rather, we are dramatically improving the breadth of our data privacy features, so our customers can be ready no matter what legislation comes their way. Our goal is to help our customers build productive, trustworthy relationships with their customers.


If you have questions, please send an email to


(Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only.

This material contains forward-looking statements relating to SugarCRM’s expectations and plans regarding our products. These statements are based on the current expectations and beliefs of SugarCRM’s management as of the date this material is issued).


Let’s start this post with some good news: GDPR won’t be the end of data-driven marketing. In fact, it may help companies be more effective because they’ll more often be working with people who have indicated they are “ok” with sharing personal data with your company. If an individual understands why they’re opting into your messaging, and can see the value they’ll gain, that is the beginning of a trusting relationship.


However, the new GDPR rules limit the amount of data that marketers can collect about Europeans, who now have more options about what data companies can see about them. Marketers will need to implement new processes and technology when working with customer data. Here are some of the key things to think about:


The Double Opt-in

According to most GDPR experts, the recommended policy for marketing communications is what is called “double opt-in.” By default, the individual is not to receive communications. They need to first express an interest in “opting in” to communications. This can be done via a web form where they explicitly state that they are opting in. Once an active opt-in request is received, the company can send a follow-up communication asking them to confirm their opt-in request (the second opt-in). Until that confirmation is received, personal data cannot be used for any marketing communications.


Furthermore, details about the opt-in should be recorded in the system so that there is proof.


(Note – Opt-In is different from consent. Consent means you have permission to store or process data for the purposes you provide in your policy. Opt-in means that you have permission to send marketing communications. The consumer may have given consent to store and process data, but not opt-in for communication).
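The double opt-in flow and the consent/opt-in distinction above, modelled as a small consent ledger. This is an added illustration, not SugarCRM code; the field names, the event names and the token mechanism are assumptions, and the subject record is constructed in the test.

```python
# Added example: double opt-in state machine with an audit trail (not SugarCRM code).
# States: OPTED_OUT (default) -> PENDING (web form) -> OPTED_IN (confirmation link),
# and any state -> OPTED_OUT when the subject withdraws.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

OPTED_OUT, PENDING, OPTED_IN = "opted_out", "pending", "opted_in"


@dataclass
class Subject:
    email: str
    consent_to_store: bool = False          # GDPR consent to store/process (hypothetical field)
    optin_status: str = OPTED_OUT           # marketing opt-in, defaults to opted-out
    pending_token: Optional[str] = None     # single-use token sent in the confirmation email
    history: list = field(default_factory=list)  # audit trail: proof of each opt-in step


def _record(subject: Subject, event: str, **details) -> None:
    subject.history.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})


def request_opt_in(subject: Subject, source: str) -> str:
    """Step 1: the subject submits a web form. Returns the token to embed in the confirmation email."""
    token = secrets.token_urlsafe(16)
    subject.optin_status = PENDING
    subject.pending_token = token
    _record(subject, "opt_in_requested", source=source)
    return token


def confirm_opt_in(subject: Subject, token: str) -> bool:
    """Step 2: the subject follows the confirmation link. Only a matching, unused token completes opt-in."""
    valid = (subject.optin_status == PENDING and subject.pending_token is not None
             and secrets.compare_digest(subject.pending_token, token))
    if not valid:
        _record(subject, "opt_in_confirm_rejected")
        return False
    subject.optin_status = OPTED_IN
    subject.pending_token = None            # token is single-use
    _record(subject, "opt_in_confirmed")
    return True


def withdraw(subject: Subject, reason: str = "subject request") -> None:
    """Withdrawal at any stage drops the subject back to opted-out and is itself recorded."""
    subject.optin_status = OPTED_OUT
    subject.pending_token = None
    _record(subject, "opt_in_withdrawn", reason=reason)


def may_send_marketing(subject: Subject) -> bool:
    """Marketing email is permitted only after a confirmed opt-in; a pending request is not enough."""
    return subject.optin_status == OPTED_IN


def may_store(subject: Subject) -> bool:
    """Consent to store/process is a separate question from opt-in, as the note above explains."""
    return subject.consent_to_store
```

A subject with `consent_to_store=True` but no confirmed opt-in may be kept on file yet must be filtered out of campaigns, which is exactly the gap the note above describes.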


Transparency is the key

GDPR requires marketers to be as transparent as possible with customer data. You need to demonstrate that an individual’s data is being treated with respect and held securely. Furthermore, you should demonstrate why you are collecting data (what is the purpose) and only collect what you need.


Simply put: tell your customers what you’re planning to do with their data and why (see article 13 of GDPR information rights for more details). Valid reasons for holding personal data may be: helping customers find what they’re looking for; making better recommendations; notifying customers of important matters (such as payments due or software updates).


You should also ask: Is all this data necessary, or are we falling into the trap of “more is better”? For example, with a website sign-up form, only ask for what you need. For B2B marketers, full name, email address and the name of their company are usually enough.


The power now lies with the customer (as it should be)

With all the fretting about compliance, it’s easy to forget the purpose of GDPR is to protect and empower individuals. GDPR gives people more control over how their data is collected and used – including the ability to access or request removal of it.


The right to erasure (or right to be forgotten) is one of the most talked about aspects of GDPR. It gives people the right to have all personal data removed. As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.


Of course, there is another way of looking at this. A majority of right to erasure requests will come after an unpleasant experience with the company. So, marketing responsibly and providing a good customer experience is just as important as putting in right to erasure mechanisms.


GDPR is forcing companies to become more creative and more detail-oriented in how they interact with customers. Again, this isn’t necessarily a bad thing. Sure, it can be a bit unsettling to change your standard way of doing things, but anything that gives power to customers and helps companies better define their audience is a good thing.


To get started, read our new eBook: Getting Ready for GDPR – A Practical Guide.


Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only.


The entire piece of GDPR legislation is more than 250 pages long and is probably most appropriate for your legal team. However, even shortened and “dumbed-down” GDPR guides contain many terms that you need to understand to implement a compliance strategy. So, we’ve created a glossary of key terms to help you decide which of the obligations of GDPR apply to your organization.


As we get closer to GDPR, many posts on this blog will use the terms below. Feel free to bookmark this one for future reference.

Consent – of the data subject means any freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data.


Data Controller – the entity (organization) that determines the purposes, conditions and means of the processing of personal data.


Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.


Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.


Data Processor – the entity that processes data on behalf of the Data Controller.

Side Question: What’s the difference between a data controller and data processor?

A: Control, rather than possession, of personal data is the determining factor. The data controller is the organization that determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). A data processor could include storage of the data on a third party’s servers, or appointing a data analytics provider.


Data Subject – a person whose personal data is processed by a controller or processor.


Personal Data – any information related to a person or ‘Data Subject’ that can be used to directly or indirectly identify the person.


Pseudonymous Data – Unlike personal data, pseudonymous data is personal data that can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a “key” that allows the data to be re-identified.


Right to Access – also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.


Please note that the terms and definitions above are qualified in their entirety by the GDPR text itself, which can be found here. SugarCRM disclaims any responsibility to update the terms and definitions above, and the list is not intended to be a comprehensive list of key terms. You should consult your counsel and/or compliance team regarding GDPR.


Originally posted on February 14, 2018: GDPR 101: The key terms you need to know | SugarCRM Blog

GDPR: Does it Apply to Me?

Posted by astaples (Employee), Apr 10, 2018

If you have followed the tech headlines (or regularly read this blog) you are aware the GDPR is coming.


If not, here is a quick refresher: the General Data Protection Regulation (GDPR) creates drastic and broad-sweeping changes to data privacy for anyone who is in the EU (not just citizens, but visitors and immigrants, as well) and for any company that retains EU customer data. The purpose is to provide people with greater control over their own personal data; including the right to actively consent to every use of personal data, the right to limit that use, and the right to be forgotten. Companies have until May 25, 2018 to ensure they are in compliance with GDPR mandates.


Obviously, GDPR impacts all European companies and organizations that process personal data.


The same goes for U.S.-based multinational enterprises that do business with EU citizens. If you fall into either of those categories, we hope you are well on the way to complying with GDPR. But what about companies that have no direct business operations in Europe? They have nothing to worry about, right?


Not true. GDPR applies to any company or organization that targets individuals residing in the EU. Said more simply: if you have a Website or market your products or services via the Internet (and who doesn’t) you need to be aware of GDPR. Here’s a handy chart that will help you determine if you are affected by GDPR:

One additional point: small businesses need to be aware of GDPR just like the big guys. Thankfully, the new rules recognize that smaller businesses lack the legal and IT resources of larger enterprises. The compliance requirements aren’t quite as rigorous, and there may be leniency for violations for companies with fewer than 250 employees. However, even if you are a small business, it’s much easier to work on getting compliant than to figure out how to avoid GDPR altogether.


To get started, read our new eBook: Getting Ready for GDPR – A Practical Guide.

Originally posted on January 22, 2018: GDPR: Does it Apply to Me? | SugarCRM Blog
