A presentation from a dedicated webinar on GDPR with Carmel Granahan & Andrea Manning from OnePageCRM and special guest Data Protection and Privacy Law specialist Philipa Jane Farley. Key areas of focus include: - An overview of GDPR and what it means to your business - How to utilize fields in OnePageCRM to enable you to implement better GDPR compliant processes - How to do a legitimate interest assessment and - The most frequently asked GDPR questions.

1. GDPR, OnePageCRM and Your Business
Tackling GDPR - one bite at
a time
Please wait. The webinar will start shortly....

2. Carmel Granahan
Head of Customer
Success, OnePageCRM
Your speakers today….
Philipa Jane Farley
Data Protection and Privacy Law
Specialist
Andrea Manning
GDPR Lead, OnePageCRM

3. WE’VE SPENT A LOT OF TIME WITH GDPR AND LIKE TO THINK WE’VE BEEN THOUGHTFUL ABOUT
ITS INTENT AND MEANING. BUT THE APPLICATION OF GDPR IS HIGHLY FACT-SPECIFIC, AND
NOT ALL ASPECTS AND INTERPRETATIONS OF GDPR ARE WELL-SETTLED.
AS A RESULT, THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND
SHOULD NOT BE RELIED UPON AS LEGAL ADVICE OR TO DETERMINE HOW GDPR MIGHT APPLY
TO YOU AND YOUR ORGANISATION. WE ENCOURAGE YOU TO WORK WITH A LEGALLY
QUALIFIED PROFESSIONAL TO DISCUSS GDPR, HOW IT APPLIES SPECIFICALLY TO YOUR
ORGANISATION, AND HOW BEST TO ENSURE COMPLIANCE.
DISCLAIMER

4. Welcome
Today’s Agenda
❏ An overview of GDPR, the roles, lawful processing of
data, consent v’s legitimate interest
❏ How to utilize fields in OnePageCRM to enable you to
implement better GDPR compliant processes (demo)
❏ How to do a legitimate interest assessment
❏ Most frequently asked GDPR questions
❏ Live Q & A

5. GDPR requirements and OnePageCRM
Individual rights
❏ The right to access information (subject access request) - Export
data
❏ The right to erasure - Delete the data from OnePageCRM (option in
bulk / individually) & also delete your account
❏ The right to data portability - Export data
❏ The right to rectification - Edit contact and update user profile

6. Lawful processing and OnePageCRM
1. Explicit consent (Marketing)
How to achieve with OnepageCRM? Webform > OnePageCRM (custom fields)
2. Performance of contract
How to achieve with OnepageCRM? (Status labels)
3. Legitimate interest
How to track with OnepageCRM? (Status labels, lead source, date created, custom fields)

7. Repermissioning
Step 2
Existing list (Mailchimp & OnePageCRM integration connected)
Step 1

8. WELCOME
DOES GDPR APPLY TO YOU?
▸ The GDPR is applicable to the processing of personal data by businesses
established in and operating outside the European Union (“the EU”). If your
company is established in the EU, the provisions of the GDPR are
applicable to your processing of personal data in the context of the activities
of your EU establishment(s).
▸ If your company is not established in the EU, the new law is applicable to
your processing of the personal data of individuals in the EU with
regard to the offering of goods or services (regardless of whether payment
is involved) and to the monitoring of an individual’s behaviour (in so far as
that behaviour takes place within the EU).
▸

9. CONTROLLER VERSUS PROCESSOR
The Yellow Hat Company
CUSTOMER/DATA SUBJECT
PROCESSORCONTROLLER
PROCESSOR

10. GDPR AND YOU
ONEPAGECRM - YOUR PROCESSOR
1. Processor needs to be GDPR compliant
2. The data processor can’t bring in other data processors unless he has notified the Controller, and has permission to do so
3. There also must be a contract between the data processor and data controller that should clearly mention the subject-matter, duration, nature and purpose
of the involved data processing
3. Keep records of all processing and provide secure processing
4. Common duties and shared liability
5. Assist the Controller in meeting their responsibilities

12. GDPR &
YOUR CRM

13. GDPR AND YOU
TELL YOUR SALESPEOPLE
1. Gather only data you need and make
sure you have lawful grounds to
process this
2. Be open about your actions and
prepare for data subject requests
3. Keep the data safe and delete it when
you’re finished with it

14. TRANSPARENCY
GDPRBUILD
TRUST
THROUGH
TRANSPARENCY
Article 12: Transparent information, communication and
modalities for the exercise of the rights of the data subject
Article 13: Information to be provided where personal
data are to be collected from the data subject

15. TRANSPARENCY
6 Principles
▸ PURPOSE - Disclose your purpose for processing, current and future
▸ LEGITIMATE INTEREST - Disclose your grounds for legitimate interest
▸ RETENTION PERIODS - Disclose your expected data retention periods
▸ 3RD PARTY PROCESSORS - Disclose where you’re sending the data
▸ DATA SAFEGUARDS - Disclose the data safeguards you have in place to secure and protect your user’s data
▸ EASY OPT OUT - You must make it easy to opt out

16. TRANSPARENCY
RETENTION
PERIODS
▸ Disclose your
expected data
retention
periods
HOW
‣ PRIVACY POLICY
‣ ADD DATE FIELDS TO TRACK WHEN
CONTACT WAS ADDED, LAST
CONTACT
‣ BULK UPDATE FOR HOUSEKEEPING
‣ GENERAL GUIDELINE:
- CUSTOMERS = 12 MONTHS
- PROSPECTS = 3-6 MONTHS

17. TRANSPARENCY
MECHANISMS FOR TRANSFERRING DATA OUTSIDE OF THE EU/EE

18. LAWFUL
PROCESSING
GDPR
PICK
ONE
ONLY

19. TRANSPARENCY
LAWFUL
PROCESSING
1. Explicit consent for each purpose of
use
2. Performance of Contract
3. Legal Obligation
4. Vital Interest of Individual
5. Public Interest - Official Authority
6. Legitimate Interest
Article 6: Lawfulness of processing

20. TRANSPARENCY
CONSENT
1. Explicit consent for each purpose of use
2. Unambiguous
3. Freely Given
4. Informed
5. Clear affirmative action
6. As easy to withdraw as it is to provide
7. Maintained as proof that it was provided
Article 7: Conditions of Consent

21. LEGITIMATE INTEREST
Would the person
receiving this
reasonably expect to
receive this?

22. PERSONAL
DATA
GDPREVERY PIECE
OF DATA THAT
CAN BE USED
TO UNIQUELY
IDENTIFY A
PERSON

23. TRANSPARENCY
PERSONAL DATA
1. Name
2. Email
3. ID numbers
4. Physical address
5. Other location data
6. IP address and cookies
(online identifiers)

24. INDIVIDUAL
RIGHTS
GDPR
STRENGTHENED
INDIVIDUAL RIGHTS

25. TRANSPARENCY
INDIVIDUAL RIGHTS
ARTICLE 16: RIGHT TO RECTIFICATION
ARTICLE 17: RIGHT TO ERASURE
ARTICLE 18: RIGHT TO
RESTRICTION
ARTICLE 20: RIGHT TO PORTABILITYARTICLE 15: RIGHT OF ACCESS

26. LEAD
GENERATION
AND
NURTURING
MARKETING
MARKETING
GETS
PERSONAL

27. TRANSPARENCY
LEAD GENERATION

28. EMAIL
MARKETING
MARKETING
MARKETING
GETS
PERSONAL

29. THE GDPR STATES THAT THE
PROCESSING OF PERSONAL DATA FOR
DIRECT MARKETING PURPOSES MAY BE
CARRIED OUT FOR LEGITIMATE
INTEREST
With proviso’s…..
RECITAL 70

30. RECITAL 70
DIRECT MARKETING
▸ Have a relevant and appropriate relationship with them
▸ Show that there is a balance of interests between the
organisation and the person receiving the marketing.
▸ Tell them you are going to market to them
▸ Show them how to opt out of receiving marketing from you

31. 80/20
RULEPARETO’S PRINCIPLE

34. SUMMARY
▸ LOG YOUR LEGAL BASIS
▸ GET CONSENT FOR MARKETING
▸ LOG THE DATE
▸ KEEP A REGISTER OF YOUR RATIONALISATIONS/DECISIONS
▸ LIMIT OR EXCLUDE STORING SENSITIVE DATA
▸ IF DOESN’T FEEL RIGHT, IT OFTEN ISN’T
▸ DELETE, DELETE, DELETE

35. Useful resources / links
▸ http://gdprandyou.ie
▸ https://gdpr-info.eu (official pdf of the regulation, neatly arranged as a
website)
▸ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regul
ation-gdpr/
▸ https://philipajane.com
▸ https://www.onepagecrm.com/sales-resources/gdpr-cheat-sheet

36. HOW DO YOU
EAT AN
ELEPHANT?
(OR TACKLE GDPR)

37. ONE BITE
AT A TIME!