Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal teams and resources to ensure they are aware of their obligations under applicable regulations.

Global Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The regulation is designed to provide individuals that are EU residents with higher protection of their personal and private data. All companies that interact with individuals that reside in the EU (regardless of whether the company is based within the EU) are impacted by this regulation and therefore must comply as of the effective date.

What does GDPR relate to?

GDPR relates to personal information about individuals; personal information can include the individuals’ name, email address, mailing address, picture, social links and IP addresses. There are further rules for sensitive information such as medical data, childrens’ data, political, racial and religious data etc. Generally, company related data does not apply to GDPR.

In the context of SugarCRM, customers (End Users) are the data controllers meaning they determine what information is captured and how the data is processed and Sugar is the software through which the data controllers manage their information. SugarCRM is the data processor as Sugar only processes data on its service that the controller wants to process.

SugarCRM today allows end users to fulfil their regulatory requirements of GDPR, however going forward with the release of Sugar 8 there will be further implementations to support users in fully complying with GDPR regulations for the end users role as a data controller.

In order to adopt a privacy by design principle, Sugar has planned features to be released in Sugar 8 (planned release date end of April 2018) that will take privacy into account throughout the whole customer lifecycle. See below some of SugarCRMs’ planned features:

Please Note: This information is not definitive and could be subject to change.

Managing Consent

Consent related custom fields will be added to Leads, Contacts and Targets modules. The fields will be hidden but admin users will have the ability to add these fields to record view via studio.

Opt-in Policy

A new global setting will be added where admin users can specify if new email addresses default to be automatically opted in or opted out. Customers who need to comply with the opt-in policy should set this default to opt-out. If an email is opted out there will be a visually clear indicator of this on the Sugar record.

Recording Data Subject Requests

Sugar will create a new module ‘Data Privacy’ in which users will be able to log items such as data subject requests or consent details. The module will by default be related to Leads, Contacts and Targets but will be configurable like any other Sugar module.

Right to Erase

Data subjects will be able to make requests for permanent erasure of some or all of their data, this request can be logged in the Data Privacy module. Sugar will create a new role called ‘Data Privacy Manager (DPM)’. Any user with this role will be able to review erasure requests and mark the relevant records for erasure. If fields are erased then they will be flagged with a “Value Erased” placeholder.

The DPM role will have an extra function called erasure. Erasure will act differently to the existing delete function whereby it will remove the data from the database in such a way that it will no longer be retrievable. Because of this, it is important that users are only given this role if they have the correct authority/responsibility to perform the erasure requests.

Right to Access

Sugar will introduce a new ‘Personal Information View’. In this view you will be able to see all related personal data and its source which you can then forward to the person requesting access to their personal data kept in Sugar. Admins can define in Studio which fields contain personal information and should therefore be included in the Personal Information View.

To learn more about Data Privacy and GDPR in Sugar, read the full blog post from SugarCRM showing you in more detail the introduced changes coming in Sugar 8 this Spring!

Chloe is Sugabytes Customer Success Manager. Ensuring our existing customers of Sugabyte continue to be successful using SugarCRM and Act-On.