bpm'online is a process-based CRM company with roots in Europe. The company ensures they are processing data and offering security options that align with GDPR requirements. bpm'online recognizes its role as both a data controller and data processor, depending on the situation. They break down their compliance perspectives into three areas:

bpm'online as a Data Processor

As a processor, the company has an assigned data protection officer (DPO) to respond to requests for blocking personal information from processing. Individuals, controllers, or supervisory authorities who’d like to contact the DPO can do so via a form on the bpm’online website or through direct mail. Personal data is collected from Web forms, with the consent of the data subject. bpm'online does not endorse the collection of personal data through any “indirect” means such as purchasing contact lists. Privacy policy statements are available at bpmonline.com.

As a processor, the company also holds accountability for up-to-date security policies and regulations. Data protection policies such as pseudonymization are in effect and regular information impact security assessments are scheduled regularly. If an impact assessment indicates that processing would be high-risk in the future, the company’s DPO conducts consultations on it.

bpm'online uses technical and organizational measures for information security. Their Cloud-based SaaS platform is accessed via a secure connection and uses encryption to store all personal data on the database side.

bpm'online as a Data Controller

As a controller, bpm'online offers several tools that allow a DPO to maintain compliance and provide data subjects with a copy of their personal information. Some of these tools include:

  • Global search and filters
  • Ability to create a DPO workplace
  • Deletion functions
  • Change logs to keep track of processing alterations
  • Storage & access tools
  • Information portability functions
  • Customer portal accessibility
  • Ability to export list data for data subject requests
  • MS Word report templates for data subject requests
  • Attachments and notes for data subject requests
  • Record permissions and editing
  • Ability to create object permissions
  • Landing pages and Web forms
  • Ability to establish organizational roles
  • Audit and change logging
  • Section wizard to add necessary subject information

The company also performs data protection risk assessments as a controller. After bpm'online did initial impact assessments, they preemptively instituted several “mitigation measures” to prevent any high-risk processing activities.

Your Organization’s GDPR Compliance as a Data Processor Through bpm'online

bpm'online wants its customers to understand what’s expected of them as a data processor. Any company using bpm’online is a data processor because they are keeping information on subjects. The company recommends appointing a DPO, which may not be applicable to all businesses. However, if an organization decides it is necessary to hire a DPO, that DPO should create a DPO workplace within bpm'online. The organization should also make it easy for individuals to contact the DPO about their data.

It’s important for companies to use their CRM to set up audit and change logs as well as logging on the DBMS level. Make sure those functions are enabled in your bpm'online instance. Any publicly available privacy statements should be reviewed for GDPR compliance and gone over with customers. bpm'online stresses the importance of companies understanding the sources of their data and having information security policies and regulations in place.

To comply with the GDPR requirements for data protection by design/default, organizations must also audit their information security risks. Are there companies you work with that act as joint controllers of your data? Mutual responsibilities must be agreed on.

As a data processor, your company is responsible for obtaining consent from any other processors or controllers as well. Data Protection Officers will need to demonstrate GDPR compliance at all levels if ever asked by a supervisory authority. Additional GDPR compliance measures include:

  • Setting up user and role structure/access rights
  • Making sure https is enabled
  • Using encryption tools on the DBMS level
  • Conducting data protection impact assessments (Deeper assessments will be necessary for organizations using the on-site version of the software.)
  • Informing individuals about their rights to lodge a complaint with a supervisory authority via your website, license agreements, or another preferred means

To learn more about bpm’online’s GDPR compliance, please reference this PDF or visit their GDPR webpage.

Posted in:

Looking for Creatio help?

We do training, customization, integration, and much more. Contact us today.