Českomoravská stavební spořitelna, one of the top banks in the Czech Republic, administers an enormous amount of client personal data every day. The data is subsequently gathered and stored in the bank's internal systems. Despite its high level of security and personal data protection, ČMSS had to take several major steps to comply with the GDPR Directive.
The GDPR Directive and its importance
The GDPR Directive will come into effect in May 2018 and may, in some cases, require existing systems to be reimplemented or modified. If the initial analysis identifies a need for changes in a system, companies have no option but to implement them.
What changes had to be made to the customer relationship management system at Českomoravská stavební spořitelna, and what did the reimplementation that brought the CRM into compliance with the GDPR look like?
The First step: Analysis
During the initial phase of the analysis, as part of the GDPR implementation at ČMSS, the consulting firm Deloitte was involved. Deloitte, together with IT, business owners, and lawyers, examined and defined the individual purposes for which personal data is recorded and processed. The outcomes of the analysis were turned into proposals on how to bring the ČMSS information systems into compliance with the GDPR Directive.
The Second step: Implementation of requirements
The proposals that emerged from the analysis then led to the definition of requirements for modifying all systems that work with personal data records.
CRM (the customer relationship management system), which we implemented at ČMSS last year on the Microsoft Dynamics CRM platform, is one of these systems.
From the GDPR point of view, the following three reimplementation requirements had to be incorporated into the CRM solution:
1) Requirement to ensure the recording and processing of requests from data subjects
Requirement implementation outcome: ČMSS employees can now record GDPR-related requests from data subjects, which the GDPR Directive entitles the data subjects to make.
The requests concerned are:
- Right of access by the data subject
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
2) Requirement to ensure the recording of data subjects' consent for a variety of purposes at ČMSS
Requirement implementation outcome: CRM at ČMSS is the system that records and consolidates persons and clients. A new structure was proposed for recording consent given by data subjects as well as its withdrawal. CRM thus becomes the source of information on given and withdrawn consents for other systems.
3) Requirement to ensure invalidation/erasure of data
Requirement implementation outcome: After the set period of time, when ČMSS is no longer authorized to process a data subject's personal data (and there is no legitimate purpose for processing it), the data must be disabled or erased. The CRM solution will provide these operations for the data processed in this system.
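To make requirements 2 and 3 concrete, here is an added illustration (not ČMSS's or Microsoft Dynamics CRM code) of an append-only consent ledger in which withdrawal is a later event rather than an in-place update, plus a retention decision that keeps, disables or erases a subject's data. The subject ids, purposes, dates, the 365-day retention period and the `legal_hold` flag are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision for one purpose; withdrawal is recorded as a new event."""
    subject_id: str
    purpose: str
    given: bool        # True = consent given, False = consent withdrawn
    on: date


@dataclass
class ConsentLedger:
    """Append-only history; the latest event per (subject, purpose) decides the current state."""
    events: list = field(default_factory=list)

    def record(self, event: ConsentEvent) -> None:
        self.events.append(event)

    def is_active(self, subject_id: str, purpose: str, as_of: date) -> bool:
        history = [(e.on, i) for i, e in enumerate(self.events)
                   if e.subject_id == subject_id and e.purpose == purpose and e.on <= as_of]
        if not history:
            return False                     # no consent ever recorded: treat as not given
        _, latest = max(history)             # later date wins; same-day ties by record order
        return self.events[latest].given


def retention_action(ledger: ConsentLedger, subject_id: str, purposes: list,
                     last_activity: date, as_of: date, retention_days: int,
                     legal_hold: bool = False) -> str:
    """'keep' while any consent is active or the retention period still runs,
    'disable' (restrict processing) when a statutory obligation blocks erasure, else 'erase'."""
    if any(ledger.is_active(subject_id, p, as_of) for p in purposes):
        return "keep"
    if as_of - last_activity < timedelta(days=retention_days):
        return "keep"
    return "disable" if legal_hold else "erase"


# Constructed sample data: S1 consents to marketing and later withdraws; S2 consents and keeps it.
LEDGER = ConsentLedger()
LEDGER.record(ConsentEvent("S1", "marketing", True, date(2017, 1, 10)))
LEDGER.record(ConsentEvent("S1", "marketing", False, date(2017, 6, 1)))
LEDGER.record(ConsentEvent("S2", "marketing", True, date(2017, 9, 3)))
PURPOSES = ["marketing"]

if __name__ == "__main__":
    print(LEDGER.is_active("S1", "marketing", date(2017, 7, 1)))                                 # False
    print(retention_action(LEDGER, "S1", PURPOSES, date(2017, 6, 1), date(2018, 6, 2), 365))    # erase
```

Other systems query `is_active` instead of copying consent flags, so a withdrawal recorded once in the ledger is immediately visible everywhere.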
What is the resulting attitude towards GDPR?
It's important to mention that compliance with the GDPR Directive does not necessarily mean that companies' systems must be reimplemented. The initial analysis proved to be crucial: it identifies the findings that must be addressed in order to meet GDPR requirements. The way requirements are implemented can vary; it is up to each company which approach it chooses to comply with the Directive.
If the analysis at your company has identified a need to reimplement your CRM solution, do not hesitate to contact us. We'll make sure your systems are in compliance with the GDPR.