Is your CRM GDPR ready? | Legitimate Interests
In this series I want to unpack what the new General Data Protection Regulations (GDPR) mean for CRM. I’m writing as an entrepreneur and technologist: I want to help good people use good tech. I founded SheepCRM in 2011 to help startups, SMEs, and charities with their technology and business problems. My background is not the traditional C = Customer sales focused CRM. The C in SheepCRM is much broader: C = member, donor, supporter, employee, volunteer, attendee and customer.
The GDPR get out of jail free card?
In my view there are three interesting legal bases available for common use: Consent, performance of a contract and legitimate interests.
The Legitimate Interests basis stands out to me because it is the interests of the controller, not the subject that are being considered. So you, the data controller, get to write your own rules and decide whose data you can process? Isn’t that back to the 1998 Data Protection Act? Yes, and no and sort of.
One of my early observations about GDPR was: If you are complying properly with the current law then you’re in good shape. The legitimate interests basis does feel a lot like the 1998 DPA in miniature. You shouldn’t have been processing data without a good reason but until GDPR you could be pretty vague about the detail. Under GDPR you need to demonstrate compliance - that means keeping a record of your legitimate interests and why it applies to this person.
The ICO provides three helpful rules for conducting a legitimate interests assessment (LIA):
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
Your CRM should provide the facility to record the LIA against each person. In many cases (but not all) an individual can opt-out. If that is the case you will need to provide a mechanism to allow opt-out.
SheepCRM has fine-grained record keeping for Consent, Contracts and Legitimate Interests records (the other, lesser used, bases will be added later).
Legitimate Interests records in SheepCRM
From the perspective of the individual (self service) Sheep App
With Sheep Self Service Individuals can see exactly what consents, contracts or legitimate interests they have on record with an organisation.
Much of the discussion that I’ve heard has been focussed on consent and some people that I’ve spoken to weren’t even aware of the other legal bases. Anyone trying to operate purely on consent will quickly find themselves bound by their own restrictive rules. As the ICO states: it is the most flexible lawful basis but you cannot assume it will always be the most appropriate.
I think this is the area of GDPR that is most open to abuse but you shouldn’t over look it just because of that. Used correctly legitimate interests is a key element of your data protection policy.
- Have you identified where you will be using Legitimate Interests?
- Does your CRM support the recording of Legitimate Interests Assessments?
- How will you manage opt-outs?
If your CRM isn’t ready: talk to your provider about their plans. If you are looking to change providers please consider Sheep.
Sheep’s splendidly simple back-office solution helps not-for-profit organisations streamline their communication, membership, fundraising and event management activities.
Get ahead with our GDPR reading list
Disclaimer: I’m an entrepreneur and technologist, not a lawyer. However I’d love to chat informally and talk through how Sheep might be able to help you manage your data.
Let’s have a quick chat to see if Sheep is right for you.
Consultations are informal and usually no more than 25 minutes (we know you're busy).