bpm'online is a process-based CRM company with roots in Europe. The company ensures they are processing data and offering security options that align with GDPR requirements. bpm'online recognizes its role as both a data controller and data processor, depending on the situation. They break down their compliance perspectives into three areas:
bpm'online as a Data Processor
As a processor, the company has an assigned data protection officer (DPO) to respond to requests for blocking personal information from processing. Individuals, controllers, or supervisory authorities who’d like to contact the DPO can do so via a form on the bpm’online website or through direct mail. Personal data is collected from Web forms, with the consent of the data subject. bpm'online does not endorse the collection of personal data through any “indirect” means such as purchasing contact lists. Privacy policy statements are available at bpmonline.com.
As a processor, the company also holds accountability for keeping its security policies and regulations up to date. Data protection measures such as pseudonymization are in effect, and information security impact assessments are scheduled regularly. If an impact assessment indicates that future processing would be high-risk, the company’s DPO conducts consultations on it.
bpm'online uses technical and organizational measures for information security. Their Cloud-based SaaS platform is accessed via a secure connection and uses encryption to store all personal data on the database side.
bpm'online as a Data Controller
As a controller, bpm'online offers several tools that allow a DPO to maintain compliance and provide data subjects with a copy of their personal information. Some of these tools include:
- Global search and filters
- Ability to create a DPO workplace
- Deletion functions
- Change logs to keep track of processing alterations
- Storage & access tools
- Information portability functions
- Customer portal accessibility
- Ability to export list data for data subject requests
- MS Word report templates for data subject requests
- Attachments and notes for data subject requests
- Record permissions and editing
- Ability to create object permissions
- Landing pages and Web forms
- Ability to establish organizational roles
- Audit and change logging
- Section wizard to add necessary subject information
The company also performs data protection risk assessments as a controller. After bpm'online did initial impact assessments, they preemptively instituted several “mitigation measures” to prevent any high-risk processing activities.
Your Organization’s GDPR Compliance as a Data Processor Through bpm'online
bpm'online wants its customers to understand what’s expected of them as a data processor. Any company using bpm’online is a data processor because they are keeping information on subjects. The company recommends appointing a DPO, which may not be applicable to all businesses. However, if an organization decides it is necessary to hire a DPO, that DPO should create a DPO workplace within bpm'online. The organization should also make it easy for individuals to contact the DPO about their data.
It’s important for companies to use their CRM to set up audit and change logs as well as logging on the DBMS level. Make sure those functions are enabled in your bpm'online instance. Any publicly available privacy statements should be reviewed for GDPR compliance and gone over with customers. bpm'online stresses the importance of companies understanding the sources of their data and having information security policies and regulations in place.
To comply with the GDPR requirements for data protection by design/default, organizations must also audit their information security risks. Are there companies you work with that act as joint controllers of your data? Mutual responsibilities must be agreed on.
As a data processor, your company is responsible for obtaining consent from any other processors or controllers as well. Data Protection Officers will need to demonstrate GDPR compliance at all levels if ever asked by a supervisory authority. Additional GDPR compliance measures include:
- Setting up user and role structure/access rights
- Making sure HTTPS is enabled
- Using encryption tools on the DBMS level
- Conducting data protection impact assessments (deeper assessments will be necessary for organizations using the on-site version of the software)
- Informing individuals about their right to lodge a complaint with a supervisory authority via your website, license agreements, or another preferred means
To learn more about bpm’online’s GDPR compliance, please reference this PDF or visit their GDPR webpage.