A question many of our clients are asking is ‘How can KulaHub help us to achieve GDPR compliance?’. We’ve created this article to help answer that question in a simple, yet informative manner while also helping to educate our clients on the main aspects of GDPR. It is our interpretation of the main aspects of the legislation and how we believe that KulaHub helps to address them.
GDPR is extensive and runs to many pages of legislation so to help keep it manageable and relevant, the article is based on three important areas of GDPR:
- The main GDPR data protection principles
- Lawful basis for processing
- Individual rights
Below you will find quotes from the Information Commissioner’s Office(ICO) website about a specific aspect of GDPR within the above three areas and then our explanation of how KulaHub can help you to implement or comply with that aspect of GDPR. Text with “ ” around it is quoted mostly verbatim from the GDPR section of the ICO website.
We highly recommend reviewing the material on the ICO website as this is the government body responsible for upholding data privacy and GDPR. Their material is comprehensive and written in plain English.
Please note: Nothing in this document constitutes legal advice. While KulaHub can help an organisation to achieve GDPR compliance, it is only part of the solution and each organisation is responsible for ensuring that their systems and processes comply with GDPR.
“Personal data” – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
The main GDPR data protection principles
“Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals”
KulaHub helps to track what and how data is being processed about an individual in a centralised, secure facility. User activity logs show what activity a user has performed on an individual’s record ensuring an audit trail of user activity to an individual.
“b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;”
Many activities that a user undertakes in KulaHub are logged which helps to demonstrate what processing has taken place and therefore whether the data has been processed in the correct manner.
“c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;”
Only each client will know what is adequate and relevant in relation to their business and contacts. However, KulaHub can help to demonstrate and track what processing has taken place on a contact to show compliance with principle (c).
“d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;”
With KulaHub being a cloud-based, multi-user CRM system, it makes it much easier for each client to ensure that the data in KulaHub is accurate and up to date and to remove inaccurate data. If personal data is stored in shared spreadsheets or on paper, it makes it much more difficult to adhere to principle (d).
“e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;”
KulaHub’s comprehensive reporting features help to identify which contacts have not been updated since a specific date. Depending on your own business processes, you can then determine whether further processing of their data is warranted.
“f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This is the main area where using KulaHub can really help with your GDPR compliance:
- KulaHub requires a username and password to login to the system.
- Activity on a contact is logged showing what the activity was, who undertook the activity and when.
- KulaHub requires a secure, https connection in a web browser to access the system ensuring data is secure in transit.
- The database data is encrypted at rest, in other words, it is encrypted when it is stored in the database.
- Files, such as documents and emails, are backed up in real-time to a separate storage area. and all database transactions are logged.
- The database behind KulaHub is backed up in real-time with point in time restore for up to 28 days.
- The system is hosted in the UK in a Microsoft data centre, with the added security benefits that brings from one of the world’s largest companies.
Lawful basis for processing
“You must have a valid lawful basis on which to process personal data.
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. The 6 bases are:
- Legal obligation
- Vital interests
- Public tasks
- Legitimate interests”
Legitimate interests, Consent and Contract will be the three that most of our clients will use with Legitimate interest being the main one that we feel many clients will adopt.
- “Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
- Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
- There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy notice.”
“Consent basis at a glance
- The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent to processing a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.”
KulaHub has the tools to help you manage your Legitimate interests compliance and also your Consent compliance.
The GDPR provides the following rights for individuals:
a) “The right to be informed”
This is effectively your organisation’s privacy notice and is outside the scope of KulaHub. However, the ICO has issued guidance on the right to be informed
b) “The right of access
- Individuals have the right to access their personal data and supplementary information.
- The right of access allows individuals to be aware of and verify the lawfulness of the processing.”
The heart of KulaHub is a centralised contact management system, making it easy to provide an individual with information on the details your organisation holds about them. Our easy to use template merge facility can be used to easily generate a document containing the basic details you hold about the individual.
c) “The right to rectification
- The GDPR gives individuals the right to have personal data rectified.
- Personal data can be rectified if it is inaccurate or incomplete.”
An individual’s record can easily be found using our simple and fast contact search facility. Once found, it is a simple process to modify the record as required.
d) “The right to erasure
- The right to erasure is also known as ‘the right to be forgotten’.
- The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.”
We have a new ‘Right to be Forgotten’ feature which will be made live in the next few days. This feature will remove most of a contact’s record in KulaHub but will retain the basic details such as name and postcode. However, even these basic details will be ‘hidden’ from users of the system. The reason for retaining some details, rather than just deleting the record, is it allows KulaHub to make sure the record cannot be accidentally added back in, thereby helping to prevent a company from breaching GDPR compliance rules.
e) “The right to restrict processing
- Individuals have a right to ‘block’ or suppress processing of personal data.
- When processing is restricted, you are permitted to store the personal data, but not further process it.
- You can retain just enough information about the individual to ensure that the restriction is respected in future.”
We have a new feature in development, that will be a ‘Right to restrict processing’. This will retain the contact’s details but will prevent further processing. This feature will be available soon.
f) “The right to data portability”
KulaHub has a sophisticated reporting facility that allows for data to be exported to Excel and CSV that can then be provided to the contact, or to an approved third party.
g) “The right to object
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.”
KulaHub’s easy to use contact management system and email marketing tools make complying with this right much easier and streamlined. We have a simple ‘e-marketing yes/no’ option next to every contact and all email campaigns automatically include an easy unsubscribe mechanism.
Our clients can also customise KulaHub to suit their specific needs with the use of custom contact fields and custom form fields if they need to capture additional information for GDPR compliance.
h) “Rights in relation to automated decision making and profiling.”
Outside the scope of KulaHub
We will continue to track developments from the ICO. A final confirmation of compliance requirements is due to be published on 10-11 April. They are also planning an awareness-raising campaign to the public on their rights over how their data is used and stored. We will pass on any further updates as they occur.
Further information about the scope of the new legislation can be found on our earlier blog; When you absolutely should have all your eggs in one basket and on the GDPR website page
If you have any questions on how the KulaHub system helps with GDPR compliance, please email [email protected]