YapCRM Logo


YapCRM's aim is to assist our clients with compliance with GDPR and other legislation; we have expanded and are adding new features to achieve this goal. Below you can find 4 key areas we have highlighted that make up our recommended GDPR workflow, an outline of the development plan to fully support these key areas and an FAQ to help answer questions you might have.

You can find a copy of our current GDPR workflow here; if you would like us to go over this with you from the perspective of your business please give us a call. We will publish a guideline document and video on the 27th March 2018 once all features we wish to include are released to all clients.


Managing Data

When working with data you need to ensure that you have the ability to meet applicable "rights" required under legislation.

  • The right of access/portability - we provide a tool to export records or provide a secure web interface for clients to review records.
  • The right of rectification - updating a record in the CRM or giving clients access to the web interface allows this.
  • The right of erasure - we provide a "hard delete" option that removes the record from the system and CRM backups.
  • The right to restrict processing - allow records to be "paused" so they can not updated for a period of time.
  • The right to object - this is covered by our granular opt out system for communications.

Importing/Refreshing Existing Data

To improve data validity when creating new records or importing new data users have three key areas they need to complete to ensure the audit trail is correct; we will be adding the functionality to satifisy this requirement.

  • Identify the source of the data. (ie Public, Customer, Imported, Staff etc).
  • Purpose for your company proccessing the data. (ie Legimate Interest, Consent, Contract etc).
  • Communication preferences for records. (ie Emails, Letter, Phone, SMS).

Sharing Data

When sharing data with contacts or 3rd Party companies it is required that you keep an audit trail and do so securely. Yap helps you comply with this requirement.

  • Yap automatically keeps a log of all exports for audit reasons
  • Exports can be password protected in Excel if required
  • Exported data is automatically grouped and stored for historical purposes and logged on to the client record
  • Personal data 'Obfuscate' facility on exported data for use in data analytics.

Security Enhancement

As part of our review of Yap we have also put in place a number of new features to allow the client to have more granular security and privacy of data.

  • Document tools that allow limited access to contact data within a company.
  • New data encryption options.
  • Automatic user deactivation if unused for X days.
  • Expanded Login security options.



Development Pipeline Q1 2018 for GDPR

Privacy 6th Februrary 2018
  How to restrict contact access within a CRM to certain users. New Documentation
  Ability to restrict access of some data to select users (emails/phones etc). Live
  History will store who views records, not just edits. Live
Marketing Consent Management 20th February 2018
  Granular consent for each Method (Email, Phone, Post) and the Purpose of consent (Legitimate Interest, Contract etc) . Live
  Improved web interface for opt out/opt in & mini site. Live
Compliance 30th March 2018
  Set a designated Data Controller in the account settings. Live
  Data Portability - export all data regarding a client in readable format. In Development
  Data Rectification/Access - enable a client to review and update their record via a web page. Live
  Right to Erasure - Hard Delete and Obfuscate options for records/history/backups Live
  Right to Restrict Processing - Pause on edits to a client record for X days Live
  Make exports in the Historical Logs visible Live
Tools & Reports 30th March 2018
  New Reports Live
  Bulk Tools for marking consent, type and other GDPR fields. Live
GDPR Guide 3rd April 2018
  Our best practice guide that highlights existing and new features to help with legislation compliance. Live
Security 30th April 2018
  New Encryption Options & Password protected export options New Feature
  Optional 2 Factor Authentication for accounts/systems New Feature
  Randomize CRM tool for testing/training database New Feature
  Automatic User Deactivation Live
  Backend Account Edit Logs Live



Who, What, When, Where and Why...?

What is GDPR?
GDPR is the European Union's General Data Protection Regulation. In short, it is a series of regulatory articles outlining how personal data is stored, accessed and can be used. Although the GDPR does not directly apply to B2B it does apply to personal information held on employees of companies (such as a personal gmail account, rather than corporate).

Why is it needed?
Things have moved on a bit since the UK enforced the Data Protection Act 1998 and this has made the rules the same across the EU regarding what companies do with individual's personal data, offering clear ways that data is processed and fines for non-compliance and breaches.

Does GDPR just apply to EU companies?
No, it applies to any company that holds data regarding subjects residing within the European Union.

When does GDPR come into force?
25th May 2018

What about Brexit and GDPR?
GDPR will come into force before Brexit so your business will need to comply before then. When Brexit occurs, any businesses that hold data on EU subjects will still need to comply.

Processing Data

What constitutes personal data?
Any data that can be used to identify a person, be it directly or indirectly. This could include, a name, an email address, an IP address, a photo, or telephone number.
By itself the name John Smith may not always be personal data as there are many individuals with that name, however where the name is combined with other information such as an address or telephone number, this will usually be sufficient to identity one individual and therefore is classed as personal data.

When can personal data be processed under the GDPR?
It must be processed lawfully, transparently, and for a specific purpose. Once the purpose has been fulfilled and the data is no longer required it should be deleted. 

What does the GDPR mean by "Lawfully"?
There are several defined reasons for lawfully processing data, and at least one of these must apply in order to process data. It could be lawful if the subject has given consent for their data to be processed, or alternatively if the data is processed to comply with a contract or legal obligation, or to protect an interest that is "essential for the life of" the subject, or if processing the data is in the public interest or in the controller's legitimate interest.

What rights do individuals have under GDPR?
There are now 8 fundamental rights that individuals have:
- The right to be informed - how their data is being used
- The right of access - to know what information is held and how it is being processed
- The right of rectification - entitled to rectify the data if inaccurate or incomplete
- The right of erasure - right to have their data deleted or removed
- The right to restrict processing - right to block or suppress processing of their data
- The right to object - they can object to their data being used for direct marketing etc.
- The rights of automated decision making and profiling - the GDPR is putting in place safeguards to protect individuals against decisions being made without human intervention, so individuals can choose not to be the subject where a decision is made based on automatic processing.

How can YapCRM help you comply with GDPR?
A CRM provides a structure that can help you comply with GDPR; helping in areas such as security, audit trails, compliance and data privacy.



Business Responsibilities

Does my business need to appoint a Data Protection Officer (DPO)?
The GDPR only specifies that you must appoint a DPO if you:
- are a public authority
- carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions or offences.
If your business doesn't fall into these then you don't have to appoint a DPO. However, your organisation must ensure that you have sufficient staff and skills to meet the obligations of the GDPR.

What happens if there is a data breach?
A data breach includes being hacked, an employee leaving their laptop on a train or any data being altered or lost without permisson. GDPR requires that breaches that may affect the rights and freedoms of the individuals are reported within 72 hours to the Information Commissioners Office (ICO) and to the affected individuals "without undue delay".

Are there any penalties for non-compliance with GDPR?
Yes, applying to both Data Controllers and Data Processors. Businesses could be fined up to 4% of annual global turnover or a maximum of 20 million Euros, whichever is greater for the most serious infringements. There are also tiered fines for other infringements such as not notifying the ICO and data subjects about a breach, not having records in order etc. of 2% annual turnover. 

What is the difference between a data processor and a data controller?
> Data Controller - An entity that controls the data, such as a TV station that has a list of clients.
> Data Processor - An entity that process data on behalf of the controller, such as a marketing company targeting a TV station's clients on their behalf.