Data Privacy and GDPR in Sugar

Document created by Deepak Deolalikar Employee on Feb 28, 2018Last modified by Deepak Deolalikar Employee on Mar 15, 2018
Version 6Show Document
  • View in full screen mode

This material contains forward-looking statements relating to SugarCRM’s expectations and plans regarding our products. These statements are based on the current expectations and beliefs of SugarCRM’s management as of the date this material is issued.  


Our roadmap could change substantially from what is presented here due to a variety of factors, some of which are beyond our control.  Such changes can be made by us without updating these forward-looking statements.





Basics of GDPR 


What is GDPR?

Global Data Protection Regulation (GDPR) is a data privacy regulation enacted by the European Parliament, European Commission and the Council of the European Union. The regulation provides significant protections for privacy of personal information of EU residents. The regulation is effective May 25, 2018. All companies that are impacted by this regulation are required to comply with the regulation as of the effective date. Failure to do so will result in significant fines of up to 4% of annual revenue or € 20 Million, whichever is more.


Who does the GDPR affect?

GDPR affects any organization that offers goods or services to EU residents, or processes data on EU residents including monitoring of behaviour, regardless of the organization’s location.


What is the scope of GDPR?

GDPR impacts personal information about people. Personal information can include, without limitation, name, email address, mailing address, picture of person, social links and IP address. The regulation also has strict rules for sensitive information such as medical history as well as for children’s data. Sensitive personal information under GDPR also includes such data elements as the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, sexual life, and criminal background.


GDPR generally does not apply to company data or any other non-person data e.g Company Revenue.


What is the difference between a data processor and a data controller?

A ‘controller’ is a  natural or legal person, entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A ‘processor’ means a natural or legal person, entity, public authority, agency or other body which processes personal data on behalf of the controller.

In the context of SugarCRM, our customers are the data controllers. They determine what information to capture on their own prospects or customers (data subjects), and how the data will be processed. Sugar is the software application through which the data controllers manage information. SugarCRM is the data processor as it only processes data on its service that the controller wants to process.

Under GDPR, data controllers and data processors have separate responsibilities and obligations for the protection and privacy of personal data.


What is data processing?
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Sugar Product Capabilities


How will the Sugar product address GDPR requirements?

Data Privacy has always been a strategic differentiator for SugarCRM, and GDPR is no different. We are excited to be planning for changes to the core Sugar product in order to further enable our customers to carry out their data privacy responsibilities as controllers. We believe we have an industry-leading solution.


The data privacy related functionality is currently planned for general availability in the Spring 2018 (Sugar 8.0) release of Sugar and will be included in all editions (Professional, Enterprise and Ultimate) and for On-Premise,  Cloud and OEM customers. This release is expected to be available end of April.  


Below are current plans for how Sugar products may help controllers comply with GDPR. We reserve the right to make changes to the final product, and the solutions listed below are subject to change at our sole discretion.


Lawfulness of Processing




Managing Consent

Controllers will be able to record if consent has been received and for what business purposes. Consent related custom fields will be added to the leads, contacts and targets module. These fields will be  hidden and can be added to the record view by admins via Studio. Customers will also be able to add custom fields and include them in web-to-lead forms to manage consent from individuals.

Consent can also be withdrawn by the data subject. All changes to consent over time may be tracked in the data privacy management module.

Opt in Policy

GDPR requires that collected email addresses be automatically opted-out of receiving marketing emails. Emails can be opted-in only by request of the individual.  Customers who capture leads electronically on web forms should default email address to opted-out.

By default, Sugar creates an implicit opt-in for all new email addresses, which would violate the regulation.  A new global setting will be added where admins can specify if new email addresses default to opted-out or opted-in. Customers who need to comply with the regulation should set the default to opt-out.
Customers who are not under the purview of the regulation can set the global setting to opt-in.

Further, if an email is opted out, a clear visual indicator will be provided wherever the email address is displayed in Sugar. Users can still send business-legitimate emails but should not send send marketing materials.

Data Minimization

Customers should only process data that is relevant to their business purposes. Any data on individuals that is not relevant should be removed. These unneeded fields can easily be removed via Studio.



Data Subject Requests




Recording data subject requests

A new module will be available called Data Privacy where users can log data privacy events such as data subject requests or consent and also record the resulting actions taken.

This module will be configurable just like any other module. The module will be related to leads, contacts and targets module out-of-the-box, but it can be related to any other module including any custom modules.

Right to Access

We will introduce a Personal Information View which displays the latest personal information and the source.. The contents of the view could be used to send to data subjects when they request access to their personal data.

Admins will be able to  define what fields are considered personal information in Studio. The Personal Information View will then display fields that are marked personal information. 

Right to Erase

Data subjects can request permanent erasure of some or all of their data. The request is first logged in the Data Privacy module.

We are adding a new role called Data Privacy Manager (DPM). Customers can assign their designated Data Privacy users to this role.

The DPM will be able to review requests and mark relevant records for erasure. They may also select individual personal information fields for erasure. e.g remove social links.

Once they complete the erasure process, the selected personal fields will have their values removed. Personal information from the audit logs will also be removed.

Fields that are erased through this flow will be flagged with a “Value erased” placeholder pill. These fields will still be editable, assuming that users have received the appropriate consent to re-enter information about data subjects.

The existing delete functionality is still available to users. Erasure behaves differently than deletion in that:

1. Erasure permanently removes the data from the database such that it is not retrievable again.

2. Erasure can only be performed by users with the DPM role.

The audit log will maintain which fields were removed so that it can be referenced later.

Right to Rectify

Users can correct information using existing functionality. Changes to personal data will be maintained in the audit log.

Right to Portability

Users can export the personal information from the list view using the Export option and email it to the data subject.

Right to Object to Processing

Data subject may request that they object to processing of information. In such a case, the records should be marked so that they are not available for processing.

Customers can add custom fields e.g. a flag that says this record is not to be processed or used in profiling for automated decision making.  This field can then be used as a filter in campaigns, reports or other business processes.



What are the specific product changes in Sugar?

Here are the key product capabilities that are planned to address Data Privacy requirements. 

  • A new module to capture all Data Privacy Activity, including consent and data subject rights
  • A new role out of the box - Data Privacy Manager (DPM)
  • Data Subject Rights
    • Right to Erasure/ Forgotten –DPM can permanently erase a person record or select personal information (including in audit log)
    • Right to Access – Personal information view that displays all personal information including source of data
  • Consent
    • Receipt of consent - record that consent has been received and for what business purposes
    • Withdrawal of consent – record which consent has been withdrawn per request
  • Opt in/out
    • New email addresses will default to Opt in or Opt Out based on a new global setting set by customer
    • Visual indicator if email is opted out


Below is a short video that demonstrates the product features. 



For Administrators Only  
What admin settings or configurations are needed?


  • Data Privacy Module
    Enable this module in the admin section under “Display Modules and Subpanels”. The DP module is related (M:M) with the leads, contacts and targets module. The module can also be related to other modules, including custom modules.  
    Note: The status field is a dropdown list of value and should not be modified or removed.

  • List of Values - Type
    Sugar provides the type of data privacy activity that are relevant under GDPR such as data subject rights, consent receipt and consent withdrawal.  You can customize the labels in this list of values. The only restriction is that the following types cannot be removed (label can be changed) -
    • RIght to Erase Information
    • Consent to Process
    • Withdraw Consent


  • Consent fields
    Two consent fields are included for leads, contacts and targets respectively. To use these fields, add them to the record view layout.
    One of the consent fields is a multi select field for business purposes. The default values are suggestions. Actual values will be based on policy and should be customized accordingly.  


  • Mark fields as personal information
    In studio, each field can be marked as personal information. This is used for the personal information view and for the erase process. Sugar has marked specific fields in the Leads, Targets and Contacts module as personal information by default.  
    Note that fields can only be marked as personal information if the module is auditable.

  • Email Opt In/ Out
    In Email settings in administration, set the global default for email opt in or opt out. In general EU customers should set this to Opt out. New email addresses will default to this global setting.

  • Assigning users to DPM
    The Data Privacy Manager (DPM) role is included out of the box. Designated users who will perform data privacy related tasks should be assigned to this role. Users in the DPM role will be able to perform tasks such as erasure. By default, DPM's are also module admins for leads, contacts and targets module. 

Data Protection on Cloud

How is personal information protected on Sugar cloud?
SugarCRM has put in place plans to protect our customers’ data in the cloud and has the processes necessary to perform our obligations as data processor.

  • We have implemented policies, and plans to continue to implement further policies and reasonable measures, necessary for securing personal data and for mitigating potential negative consequences for data subjects.
  • In the event of a data breach, we will have policies and procedures in place to notify our customers.  
  • We are implementing the necessary technical and organizational measures, including logical access, physical access, intervention control, transfer control, input control, separation control, availability controls, change management, logging, monitoring, restoring and encryption.
  • We intend to process the personal data as necessary to perform our obligations in accordance with GDPR. We further plan to document all records of processing activities such as backups and its maintenance, logging, monitoring and testing activities.


Data Controller Responsibilities

What are the responsibilities of Sugar customers as data controllers ?
SugarCRM customers are the data controllers and are required to have their systems and processes in place to comply with GDPR. SugarCRM is not responsible for customers' obligations as data controllers. The complete text of the GDPR is publicly available here for reference. The items below are headlines for various GDPR requirements. We encourage you to reach out to your counsel and/or compliance group to ensure your organization is ready to comply with GDPR.


Lawfulness of processing

  • Purpose Limitation and Data Minimization
  • Accurate data
  • Storage limitation
  • Confidentiality
  • Accountability
  • Consent to processing
  • Opt in Opt Out policy
  • Processing of special categories of data
  • Processing of children’s data


Data Subject Rights

  • Right of information (Article 13 and 14)
  • Right of access to personal information (Article 15)
  • Right to rectify personal information (Article 16)
  • Right to erasure or right to be forgotten (Article 17)
  • Right to restriction of processing of data (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to object to automated decision making, including profiling (Article 22)


Organization and Processes

  • Record of processing activities (Article 30)
  • Appointing a DPO
  • Technical and Organizational Measures



What if I have more questions?

Should you have more questions, please send an email to 



Full text of the regulation



End User


SIG: GDPR Roundtable

6 people found this helpful