This is a follow-up to Michael Och’s post, which provided a general overview of GDPR and how you can use Dynamics 365/CRM as part of your GDPR planning and strategy. In this post, I’m going to answer questions more specific to Cobalt’s existing Membership Dynamics and Certification Dynamics customers. We have been working with many of our customers to help them navigate GDPR, and if you have any last-minute questions, we are here to help.
Is there anything that I should be doing leading up to the May 25th deadline?
The first step is to read Mike’s post. If you are concerned that you need assistance or guidance with GDPR as it relates to your specific website and/or portal, please reach out to Cobalt so we can help you with a plan of attack. Don’t panic if you’re behind the curve; the primary goal is to eliminate bad actors, not target organizations looking to send updates to their members. That said, every group should at least have a plan in place sooner rather than later.
I think I found a hole in my consent process; what do I do?
If you believe that your profile setup and/or update processes need to be updated, please reach out to Cobalt support to discuss how we can help.
What do I do with all of the people already in my system?
If you feel that you received legitimate consent previously, even if it doesn’t meet the new standards for explicit consent, you can email these people and direct them to a form where they can give explicit consent. If you are using ClickDimensions or another email marketing platform, they have all recently implemented new features that make it easier to get this consent. Obviously, if you have people who have already opted out, do not email them fishing for consent.
Should I treat people/contacts in the US, Canada, the EU, and other countries differently?
We’ve seen examples of companies that have a wide range of forms, depending on the country the customer is from, to meet the minimum requirements. We think this is a bad idea for two reasons. First, it’s a lot more work to build and maintain the forms. Second, and more importantly, we feel that you should implement the highest standards so that your customers/prospects/members trust you with their data. As I mentioned earlier, GDPR, CAN-SPAM, and other regulations are looking for bad actors. You definitely don’t want to be or even resemble a bad actor.
What is Cobalt putting into its products to make this easier for me?
In our upcoming 3.4 release (scheduled for release this summer), we will be including a few new features that will make GDPR compliance easier. The biggest improvement will be full control of all forms, including account setup and profile update. This will allow you to easily add custom questions, including explicit consent. In addition to this, Cobalt is researching the creation of an add-on to Dynamics CRM/365 that will allow you to forget customers. A few other Microsoft partners have created or are in the process of launching similar tools, so we are also evaluating them to see if another tool is necessary.
I’m nervous that I don’t have automated processes to handle all of the regulations. Is this putting my organization in jeopardy?
One key element to remember is that you don’t need to have a pre-built report to comply with the data portability regulation or a one-click button to forget a customer; you need a process to comply with the requests if they are made. For both of these items, you can use Cobalt as your backup. If you need a customer forgotten, you can open up a support ticket and we will write the necessary scripts to help you comply. If you need a full dump of all the data related to a specific customer, we can assist with that as well. Long-term, we will have more automated processes to handle all of these requests, but the fact that that process is manual does not mean you’re non-compliant. For a more comprehensive guide to complying with data subject requests, refer to the Microsoft Dynamics 365 Data Subject Request GDPR Documentation. Please note that this guide includes information related to all of the Dynamics 365 products. Cobalt customers should focus on the Dynamics 365 for Customer Engagement sections. This is relevant to both online and Cobalt-hosted customers.
If there’s one thing I should do before May 25th, what is it?
This is an easy question. Read Mike’s post and make sure that you have proper consent mechanisms, including explicit terms and conditions on your website, and document how you store and process personally identifiable information. If you see any areas that look like they would lead to non-compliance, document your plan for compliance. This doesn’t have to be expensive or fancy. Mohamed Mastafa recently joined the nz365guy’s podcast to discuss GDPR and had a great suggestion to start with a simple spreadsheet that includes four columns to track the personally identifiable information:
- Entity/Field – The location and name of the field.
- Why – Why are you collecting the data? Is there a legal or business obligation to keep the data?
- Who – Who can access the data (both inside and outside of your organization)?
- Where – Where can you access the data (e.g. on mobile devices, offline, integrations, backups, etc.)?
OK, that’s three or four things to do, but they are not as daunting as they sound. Remember, please reach out to your account/project manager or firstname.lastname@example.org if you have questions or need assistance with GDPR.