How will the Sugar product address GDPR requirements?
Data Privacy has always been a strategic differentiator for SugarCRM, and GDPR is no different. We are excited to be planning for changes to the core Sugar product in order to further enable our customers to carry out their data privacy responsibilities as controllers. We believe we have an industry-leading solution.
The data privacy related functionality is available in the Spring 2018 (Sugar 8.0) release of Sugar and is included in all editions (Professional, Enterprise and Ultimate) and for On-Premise, Cloud and OEM customers.
Below are some capabilities that may help controllers comply with GDPR. We reserve the right to make changes to the final product, and the solutions listed below are subject to change at our sole discretion.
Lawfulness of Processing
Controllers will be able to record if consent has been received and for what business purposes. Consent-related custom fields will be added to the leads, contacts and targets modules. These fields will be hidden and can be added to the record view by admins via Studio. Customers will also be able to add custom fields and include them in web-to-lead forms to manage consent from individuals.
Consent can also be withdrawn by the data subject. All changes to consent over time may be tracked in the data privacy management module.
Opt in Policy
GDPR requires that collected email addresses be automatically opted-out of receiving marketing emails. Emails can be opted-in only by request of the individual. Customers who capture leads electronically on web forms should default email addresses to opted-out.
By default, Sugar creates an implicit opt-in for all new email addresses, which would violate the regulation. A new global setting will be added where admins can specify if new email addresses default to opted-out or opted-in. Customers who need to comply with the regulation should set the default to opt-out.
Further, if an email is opted out, a clear visual indicator will be provided wherever the email address is displayed in Sugar. Users can still send business-legitimate emails but should not send marketing materials.
Customers should only process data that is relevant to their business purposes. Any data on individuals that is not relevant should be removed. These unneeded fields can easily be removed via Studio.
Data Subject Requests
Recording data subject requests
A new module will be available called Data Privacy where users can log data privacy events such as data subject requests or consent and also record the resulting actions taken.
Right to Access
We will introduce a Personal Information View which displays the latest personal information and the source. The contents of the view could be sent to data subjects when they request access to their personal data.
Right to Erase
Data subjects can request permanent erasure of some or all of their data. The request is first logged in the Data Privacy module.
Once they complete the erasure process, the selected personal fields will have their values removed. Personal information from the audit logs will also be removed.
Fields that are erased through this flow will be flagged with a “Value erased” placeholder pill. These fields will still be editable, assuming that users have received the appropriate consent to re-enter information about data subjects.
The existing delete functionality is still available to users. Erasure behaves differently than deletion in that:
Right to Rectify
Users can correct information using existing functionality. Changes to personal data will be maintained in the audit log.
Right to Portability
Users can export the personal information from the list view using the Export option and email it to the data subject.
Right to Object to Processing
Data subjects may object to the processing of their information. In such a case, the records should be marked so that they are not available for processing.
What are the specific product changes in Sugar?
Here are the key product capabilities that are planned to address Data Privacy requirements.
- A new module to capture all Data Privacy Activity, including consent and data subject rights
- A new role out of the box - Data Privacy Manager (DPM)
- Data Subject Rights
  - Right to Erasure/Forgotten – DPM can permanently erase a person record or select personal information (including in audit log)
  - Right to Access – Personal information view that displays all personal information including source of data
- Receipt of consent - record that consent has been received and for what business purposes
- Withdrawal of consent – record which consent has been withdrawn per request
- Opt in/out
  - New email addresses will default to Opt in or Opt Out based on a new global setting set by customer
  - Visual indicator if email is opted out