Creatio is a process-based CRM company with roots in Europe. The company ensures they are processing data and offering security options that align with GDPR requirements. Creatio recognizes its role as both a data controller and data processor, depending on the situation. They break down their compliance perspectives into three areas:
Creatio as a Data Processor
As a processor, the company also holds accountability for up-to-date security policies and regulations. Data protection policies such as pseudonymization are in effect and regular information impact security assessments are scheduled regularly. If an impact assessment indicates that processing would be high-risk in the future, the company’s DPO conducts consultations on it.
Creatio uses technical and organizational measures for information security. Their Cloud-based SaaS platform is accessed via a secure connection and uses encryption to store all personal data on the database side.
Creatio as a Data Controller
As a controller, Creatio offers several tools that allow a DPO to maintain compliance and provide data subjects with a copy of their personal information. Some of these tools include:
- Global search and filters
- Ability to create a DPO workplace
- Deletion functions
- Change logs to keep track of processing alterations
- Storage & access tools
- Information portability functions
- Customer portal accessibility
- Ability to export list data for data subject requests
- MS Word report templates for data subject requests
- Attachments and notes for data subject requests
- Record permissions and editing
- Ability to create object permissions
- Landing pages and Web forms
- Ability to establish organizational roles
- Audit and change logging
- Section wizard to add necessary subject information
The company also performs data protection risk assessments as a controller. After Creatio did initial impact assessments, they preemptively instituted several “mitigation measures” to prevent any high-risk processing activities.
Your Organization’s GDPR Compliance as a Data Processor Through Creatio
Creatio wants its customers to understand what’s expected of them as a data processor. Any company using bpm’online is a data processor because they are keeping information on subjects. The company recommends appointing a DPO, which may not be applicable to all businesses. However, if an organization decides it is necessary to hire a DPO, that DPO should create a DPO workplace within Creatio. The organization should also make it easy for individuals to contact the DPO about their data.
It’s important for companies to use their CRM to set up audit and change logs as well as logging on the DBMS level. Make sure those functions are enabled in your Creatio instance. Any publicly available privacy statements should be reviewed for GDPR compliance and gone over with customers. Creatio stresses the importance of companies understanding the sources of their data and having information security policies and regulations in place.
To comply with the GDPR requirements for data protection by design/default, organizations must also audit their information security risks. Are there companies you work with that act as joint controllers of your data? Mutual responsibilities must be agreed on.
As a data processor, your company is responsible for obtaining consent from any other processors or controllers as well. Data Protection Officers will need to demonstrate GDPR compliance at all levels if ever asked by a supervisory authority. Additional GDPR compliance measures include:
- Setting up user and role structure/access rights
- Making sure https is enabled
- Using encryption tools on the DBMS level
- Conducting data protection impact assessments (Deeper assessments will be necessary for organizations using the on-site version of the software.)
- Informing individuals about their rights to lodge a complaint with a supervisory authority via your website, license agreements, or another preferred means