The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the European Union (EU) regulation on privacy and data protection. It applies from 25 May 2018 and, being a regulation rather than a directive, requires no enabling legislation in member states: it becomes directly binding and applicable on that date.
The GDPR imposes new obligations on organisations that control or process personal data within its scope and gives EU data subjects new rights and protections.
The GDPR applies to processing carried out by organisations established in the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals within the EU.
As an organisation operating in the Customer Relationship Management market, CTT Fusions has always been committed to high standards of data protection, information security, privacy and transparency.
CTT Fusions will honour our customers' right to data privacy and protection, and we have revised our internal policies to meet the requirements of the GDPR.
In doing so we will safeguard the personal information under our remit and maintain a data protection regime that is effective, fit for purpose and demonstrates an understanding of the GDPR.
We place a high priority on protecting and managing data in accordance with accepted standards, and on helping our customers use CRM technology to do the same.
CTT Fusions will comply with the GDPR both as a data processor and as a data controller, and has been planning and carrying out a programme of work to deliver what the regulation requires.
Our GDPR Principles
- We will process all personal data fairly and lawfully.
- We will only process personal data for specified and lawful purposes.
- We will hold only relevant and accurate personal data and, where practical, keep it up to date.
- We will not retain personal data for longer than is necessary.
- We will keep all personal data secure.
- We will endeavour to ensure that personal data is not transferred to countries outside the European Economic Area ('EEA') without adequate protection.
Our GDPR Actions
These include but are not restricted to:
- Customer Contracts – variation notices have been issued to our managed service and support customers to address GDPR compliance within these agreements.
- Information Audit – we have undertaken a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed.
- Technology – we have reviewed our technology platforms to analyse their operation, security and compliance and to make sure they meet the requirements of the GDPR.
- Training & Awareness – we have delivered training across our organisation on the GDPR, its impact on our processes and the responsibilities of our staff. Our staff induction process has been updated to include the GDPR.
- Staffing Contracts – our employee contract, staff handbook and sub-contractor agreement have been revised to clarify the standards and actions expected of our people, reflecting CTT Fusions' obligation to demonstrate GDPR compliance as a data processor and data controller.
- Process Quality Standards – we are building on our existing security and data protection practices, and as part of this CTT Fusions is actively working to achieve ISO 9001 (quality management) certification.
- Supplier & Partner Relationships – where relevant, we will make all reasonable endeavours to ensure that our third-party providers and suppliers are complying with the GDPR.
- Data Breaches – we have implemented breach procedures with safeguards and measures in place to identify, assess, investigate and report any personal data breach as early as possible. The GDPR requires a processor to notify the controller without undue delay, and a controller to notify its supervisory authority within 72 hours of becoming aware of a notifiable breach, so these procedures are built around those timescales.
Our Responsibilities as a Data Processor
As a technical consultancy and support provider it is often necessary for us to connect remotely to our customers' CRM environments. This may include, but is not limited to, a remote session to fix a user-reported problem, apply a customisation to your database, configure a new process, build a new report or import a data list.
In these instances CTT Fusions acts as a data processor under the GDPR, processing data only to fulfil our contractual responsibilities to you as the controller.
When we process personal data controlled by our customers, we have systems, processes, products and services in place to safeguard that data and meet the requirements of the GDPR.
In undertaking these engagements CTT Fusions shall offer the following commitments:
Remote Consultancy & Support – we will require explicit authorisation from an authorised individual acting on behalf of our customer before initiating any remote dial-in or screen-share session in which a member of our team takes control of a user's computer or accesses the customer's database.
Screen Recording – in some instances it may be helpful to record these sessions where further research or discussion is needed to resolve an issue or deliver a new requirement. Where a recording is proposed we will request permission in advance. Because a recording may capture personal data shown on screen, it will be retained only for as long as necessary to implement the resolution or solution, after which it is deleted. A copy of the recording can be shared with the customer on request.
Data Deletion – we will not delete personal data held in your CRM system. Where we receive personal data from you, for example a spreadsheet to import into your CRM system, the source file containing that data shall be deleted once the work is complete.
CRM System Changes – if you require our team to make changes to your system that affect the personal data under your control, the work is subject to our change control process and must be formally approved by you.
Direct System Access – to respond quickly to some requirements we may propose that the work is completed remotely, with a member of our team accessing your system directly from their computer. As stated above, this is subject to our normal change control process. When logging into a customer system CTT Fusions shall only use a delegated administrator account or a login specific to CTT Fusions, rather than a customer's own user account, so that our representative's actions can be attributed, tracked and audited.
Tracking Database Log-In – each time we connect to your CRM environment, whether through a dial-in session or directly with log-in credentials as described above, CTT Fusions shall record the date and time of that access so that it can be reconciled against the approved change.
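The commitments under Direct System Access and Tracking Database Log-In (a dedicated, attributable vendor login, change-control approval, and a record of when each access took place) only protect the controller if someone actually reconciles the CRM audit trail against the approvals. The script below is an added example, not CTT Fusions' code and not any CRM product's API: it reads a constructed audit export (the line format, the account name `svc_cttfusions` and the change ticket `CR-101` are all assumptions), rebuilds each session of the vendor account from its LOGIN/LOGOUT events, and flags sessions with no approved change window, sessions that were never closed, and deletions performed through the processor account, which the Data Deletion commitment says should not happen.

```python
"""Reconcile a processor account's CRM sessions against change-control approvals.

Added example only: not CTT Fusions' code and not any CRM product's API.
The audit export format, the account name and the ticket id are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed name of the login dedicated to the processor ("Direct System Access").
VENDOR_ACCOUNT = "svc_cttfusions"

# Constructed CRM audit export: "<UTC timestamp> <user> <event> [detail]".
AUDIT_LOG = """\
2018-06-04T09:02:11Z svc_cttfusions LOGIN src=203.0.113.7
2018-06-04T09:05:40Z svc_cttfusions UPDATE entity=Contact id=4711 field=Email
2018-06-04T09:31:02Z svc_cttfusions LOGOUT
2018-06-04T14:10:00Z jsmith LOGIN src=192.0.2.44
2018-06-05T18:45:09Z svc_cttfusions LOGIN src=203.0.113.7
2018-06-05T18:46:30Z svc_cttfusions DELETE entity=Contact id=1201
2018-06-05T18:47:00Z svc_cttfusions LOGOUT
2018-06-06T10:00:00Z svc_cttfusions LOGIN src=203.0.113.7
"""

# Constructed change-control approvals: ticket id -> approved access window (UTC).
APPROVALS: Dict[str, Tuple[datetime, datetime]] = {
    "CR-101": (datetime(2018, 6, 4, 9, 0), datetime(2018, 6, 4, 10, 0)),
}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


@dataclass
class Session:
    start: datetime
    end: Optional[datetime] = None
    actions: List[Event] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)


def parse_audit(text: str) -> List[Event]:
    """Parse the constructed export format; one Event per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *rest = line.split(maxsplit=3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, action, rest[0] if rest else ""))
    return events


def build_sessions(events: List[Event], account: str) -> List[Session]:
    """Group the named account's events into LOGIN..LOGOUT sessions.

    A LOGIN while a session is still open closes the previous one as
    unterminated; activity with no preceding LOGIN opens a flagged session.
    """
    sessions: List[Session] = []
    current: Optional[Session] = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user != account:
            continue  # other users' activity is the controller's own concern
        if ev.action == "LOGIN":
            if current is not None:
                sessions.append(current)
            current = Session(start=ev.ts)
            continue
        if current is None:
            current = Session(start=ev.ts, flags=["activity without LOGIN"])
        if ev.action == "LOGOUT":
            current.end = ev.ts
            sessions.append(current)
            current = None
        else:
            current.actions.append(ev)
    if current is not None:
        sessions.append(current)  # still open at the end of the export
    return sessions


def review(sessions: List[Session],
           approvals: Dict[str, Tuple[datetime, datetime]]) -> List[dict]:
    """Attach the covering change ticket (if any) and audit flags to each session."""
    findings = []
    for s in sessions:
        last = s.end or s.start
        ticket = next((t for t, (lo, hi) in approvals.items()
                       if lo <= s.start and last <= hi), None)
        flags = list(s.flags)
        if ticket is None:
            flags.append("no approved change window")
        if s.end is None:
            flags.append("session not closed")
        if any(e.action == "DELETE" for e in s.actions):
            flags.append("deletion by processor account")
        findings.append({
            "start": s.start, "end": s.end, "ticket": ticket,
            "minutes": round((s.end - s.start).total_seconds() / 60, 2) if s.end else None,
            "actions": len(s.actions), "flags": flags,
        })
    return findings


def run_example() -> List[dict]:
    """Run the reconciliation over the constructed export and approvals."""
    return review(build_sessions(parse_audit(AUDIT_LOG), VENDOR_ACCOUNT), APPROVALS)


if __name__ == "__main__":
    for f in run_example():
        print(f["start"], f["end"], f["ticket"], f["actions"], ", ".join(f["flags"]) or "ok")
```

On the constructed data the first session is fully covered by CR-101 and raises nothing; the second has no approval and contains a DELETE; the third is a login with no matching logout. In practice the approvals would come from the change-control system and the export from the CRM's own audit log, and the review would run on a schedule rather than by hand.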
CTT Fusions' senior management team will continue to monitor this programme through May 2018 and beyond, and we will keep looking for ways to improve our systems and procedures to better comply with GDPR best practice.