Basics of GDPR

What is GDPR?

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a data privacy regulation adopted by the European Parliament and the Council of the European Union on a proposal from the European Commission. It provides significant protections for the personal data of individuals in the EU. The regulation has applied since May 25, 2018, and every organization within its scope has been required to comply from that date. Failure to comply can result in administrative fines of up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.

Who does the GDPR affect?

GDPR applies to any organization established in the EU, wherever the processing itself takes place, and to any organization outside the EU that offers goods or services to individuals in the EU or monitors their behavior (Article 3). The organization's own location does not take it out of scope.

What is the scope of GDPR?

GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person (the data subject). This includes, without limitation, name, email address, mailing address, photographs, social media profiles and IP address. The regulation imposes stricter rules on special categories of personal data (Article 9) and on children's data (Article 8). Special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data (including medical history), and data concerning a person's sex life or sexual orientation. Data relating to criminal convictions and offences is subject to its own restrictions (Article 10).

GDPR generally does not apply to company data or to any other data that does not relate to an identifiable person, e.g. company revenue.

What is the difference between a data processor and a data controller?

A ‘controller’ is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)).

A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8)).

In the context of SugarCRM, our customers are the data controllers. They decide what information to capture about their own prospects and customers (the data subjects) and how that data will be processed. Sugar is the software application through which the data controllers manage that information. For data held on its hosted service, SugarCRM is the data processor, because it processes that data only on the controller's instructions and for the controller's purposes.

Under GDPR, data controllers and data processors have separate responsibilities and obligations for the protection and privacy of personal data. A processor, for example, may process personal data only on the controller's documented instructions, must implement appropriate security measures, and must assist the controller in meeting its own obligations (Articles 28 and 32).

What is data processing?

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2)).

What are the responsibilities of Sugar customers as data controllers?

SugarCRM customers are the data controllers and are required to have the systems and processes in place to comply with GDPR. SugarCRM is not responsible for its customers' obligations as data controllers. The complete text of the GDPR (Regulation (EU) 2016/679) is publicly available on EUR-Lex for reference. The items below are headlines for the main GDPR requirements, with the relevant articles noted; they are not a substitute for legal advice. We encourage you to work with your counsel and/or compliance group to ensure your organization complies with GDPR.

Lawfulness of processing (Article 5 and 6)

  • Purpose limitation and data minimization (Article 5(1)(b) and (c))
  • Accuracy of data (Article 5(1)(d))
  • Storage limitation (Article 5(1)(e))
  • Integrity and confidentiality (Article 5(1)(f))
  • Accountability (Article 5(2))
  • Consent to processing (Article 6(1)(a) and Article 7)
  • Opt-in and opt-out policy (conditions for consent and its withdrawal, Article 7)
  • Processing of special categories of data (Article 9)
  • Processing of children's data (Article 8)

Data Subject Rights 

  • Right to be informed (Articles 13 and 14)
  • Right of access to personal data (Article 15)
  • Right to rectification of personal data (Article 16)
  • Right to erasure, or right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right not to be subject to a decision based solely on automated processing, including profiling (Article 22)

Organization and Processes

  • Record of processing activities (Article 30)
  • Appointing a Data Protection Officer (DPO) where required (Articles 37 to 39)
  • Technical and organizational measures, including data protection by design and by default (Article 25) and security of processing (Article 32)