Sugar Product Capabilities

How will the Sugar product address GDPR requirements?

Data Privacy has always been a strategic differentiator for SugarCRM, and GDPR is no different. We are excited about the changes to the core Sugar product in order to further enable our customers to carry out their data privacy responsibilities as controllers. We believe we have an industry-leading solution.

The data privacy related functionality is available starting in the Spring 2018 (Sugar 8.0) release of Sugar and is included in all editions (Professional, Enterprise and Ultimate) and for On-Premise,  Cloud and OEM customers. 

Below are some capabilities that may help controllers comply with GDPR. We reserve the right to make changes to the final product, and the solutions listed below are subject to change at our sole discretion.

Lawfulness of Processing

Requirement

Solution

Managing Consent

Controllers will now be able to record if consent has been received and for what business purposes. Consent related custom fields have been added to the leads, contacts and targets module. These fields are hidden and can be added to the record view by admins via Studio. Customers can also add custom fields and include them in web-to-lead forms to manage consent from individuals.


Consent can also be withdrawn by the data subject. All changes to consent over time will be tracked in the data privacy management module.

Opt in Policy

GDPR requires that collected email addresses be automatically opted-out of receiving marketing emails. Emails can be opted-in only by request of the individual.  Customers who capture leads electronically on web forms should default email address to opted-out. 

By default, Sugar creates an implicit opt-in for all new email addresses, which would violate the regulation.  A new global setting has been added where admins can specify if new email addresses default to opted-out or opted-in. Customers who need to comply with the regulation should set the default to opt-out.
Customers who are not under the purview of the regulation can set the global setting to opt-in.


Further, if an email is opted out, a clear visual indicator is provided wherever the email address is displayed in Sugar. Users can still send business-legitimate emails but should not send send marketing materials.

Data Minimization

Customers should only process data that is relevant to their business purposes. Any data on individuals that is not relevant should be removed. These unneeded fields can easily be removed via Studio.

Data Subject Requests

Requirement

Solution

Recording data subject requests

A new module is available called Data Privacy where users can log data privacy events such as data subject requests or consent and also record the resulting actions taken. 

This module is configurable just like any other module. The module is related to leads, contacts and targets module out-of-the-box, but it can be related to any other module including any custom modules.

Right to Access

We have introduced a Personal Information View which displays the latest personal information and the source.. The contents of the view could be used to send to data subjects when they request access to their personal data.

Admins can define what fields are considered personal information in Studio. The Personal Information View displays fields that are marked personal information. 

Right to Erase

Data subjects can request permanent erasure of some or all of their data. The request is first logged in the Data Privacy module. 

We have added new role called Data Privacy Manager (DPM). Customers can assign their designated Data Privacy users to this role. 

The DPM are able to review requests and mark relevant records for erasure. They may also select individual personal information fields for erasure. e.g remove social links.


Once they complete the erasure process, the selected personal fields will have their values removed. Personal information from the audit logs will also be removed.


Fields that are erased through this flow will be flagged with a “Value erased” placeholder pill. These fields will still be editable, assuming that users have received the appropriate consent to re-enter information about data subjects.


The existing delete functionality is still available to users. Erasure behaves differently than deletion in that:


1. Erasure permanently removes the data from the database such that it is not retrievable again.

2. Erasure can only be performed by users with the DPM role.

The audit log will maintain which fields were removed so that it can be referenced later.

Right to Rectify

Users can correct information using existing functionality. Changes to personal data will be maintained in the audit log.

Right to Portability

Users can export the personal information from the list view using the Export option and email it to the data subject.

Right to Object to Processing

Data subject may request that they object to processing of information. In such a case, the records should be marked so that they are not available for processing. 

Customers can add custom fields e.g. a flag that says this record is not to be processed or used in profiling for automated decision making.  This field can then be used as a filter in campaigns, reports or other business processes.

What are the specific product changes in Sugar?

Here are the key product capabilities that are available in Sugar to help address Data Privacy requirements. 

  • A new module to capture all Data Privacy Activity, including consent and data subject rights
  • A new role out of the box - Data Privacy Manager (DPM)
  • Data Subject Rights
    • Right to Erasure/ Forgotten –DPM can permanently erase a person record or select personal information (including in audit log)
    • Right to Access – Personal information view that displays all personal information including source of data
  • Consent
    • Receipt of consent - record that consent has been received and for what business purposes
    • Withdrawal of consent – record which consent has been withdrawn per request
  • Opt in/out
    • New email addresses will default to Opt in or Opt Out based on a new global setting set by customer
    • Visual indicator if email is opted out