How GDPR-led analysis should drive your CRM data migration plan

Last month I wrote a piece using the analogy of a house move for your organisation’s data migration. Whilst describing the expected migration stages, it was admittedly a little light on GDPR factors.

At Hart Square, we continue to see great progress and much ongoing work on GDPR compliance. This is especially true where a project migration becomes another catalyst for increased compliance actions.

We find our discussions about “urgent GDPR action” have normalised into newer discussions on data strategy and governance: how best to plan and do the ongoing data “chores”.

Returning to the house analogy – as it has some depth – what happens when:

  • You sit down to sort through all those data drawers as part of a house move and realise there’s more sorting to be done than you thought,
  • You find several items stacked on shelves still reading: “why have you kept me?!”

The good news is that you can and must use all activity conducted before and after 25th May 2018 to double down on your GDPR efforts during a migration – it is the perfect time to take further action.

Quick tips for blending GDPR and migration approaches for best outcomes:

  1. Source data analysis/GDPR compliance checks
    • When identifying and analysing data for migration, you naturally go back to GDPR principles:
      • What have we got and where is it?
      • Upon what lawful bases do we hold it?
      • How well is it protected and what are its retention rules?
  2. Decision making
    • GDPR-led analysis is a perfect path to the right decisions about what to migrate or not.
    • Responsible proactivity like: “we do not run that function any more so let’s not keep the data”, or “we must migrate that data. We hold it under legitimate interests”.
  3. Exclusion/Inclusion rules
    • To help with the classic dilemma – “how far back should we keep?”
    • A clear set of GDPR retention rules sets certain migration rules for you, e.g. “seven years’ data back for contacts’ order records, as we must retain an audit trail for HMRC”.
  4. Risk management
    • These processes help you face the reality that certain data sets are being retained or processed in a way that presents risk to your organisation and to data subjects.
    • You may simply enforce a GDPR recommendation previously made yet not fully actioned.
  5. Data Protection Impact Assessments (DPIAs)
    • It is ICO guidance, and music to Hart Square’s ears, to hear that clients are now conducting DPIAs for all new projects where personal data will be affected.
    • And remember, a migration itself can be subject to its own discrete DPIA.
  6. Consent opt ins, preferences
    • Lest we miss the startlingly obvious: your migration must ensure that preference centre management continues to be GDPR compliant in the new system, and that preference data is accordingly mapped, loaded, then managed day to day.
  7. Marketing tools
    • A lot of implementation projects we see “put in” a replacement marketing tool.
    • Become the expert on how your preference data securely flows to and from all new systems.
    • Know the exact points where someone may update their preferences with you.

Remember – data still exists even if held in archive, so do consider what constitutes data deletion, or anonymisation where deletion is not an option, when migrating your data.
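The exclusion/inclusion rules in tip 3 and the deletion-versus-anonymisation point above can be expressed as a migration filter that decides, record by record, whether to migrate, anonymise or leave data behind. This is an added example and not Hart Square’s code; the retention periods, lawful bases and cut-over date are assumed values, and the sample records are constructed:

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed retention policy (assumed values), as a GDPR-led analysis might produce it:
# record type -> (lawful basis, years retained, action once outside retention).
RETENTION_RULES = {
    "order": ("legal_obligation", 7, "anonymise"),  # audit trail for HMRC
    "marketing_preference": ("consent", 3, "exclude"),
}
MIGRATION_DATE = date(2018, 6, 1)  # assumed cut-over date

@dataclass
class Record:
    record_type: str
    subject_email: str
    last_activity: date
    consent_evidence: str = ""  # reference to the statement shown when consent was captured

def migration_decision(record: Record, today: date) -> str:
    """Return 'migrate', 'anonymise' or 'exclude' for one source record."""
    rule = RETENTION_RULES.get(record.record_type)
    if rule is None:
        return "exclude"  # no rule means no documented purpose: do not carry it over
    basis, years, expiry_action = rule
    cutoff = today - timedelta(days=365 * years)
    if record.last_activity < cutoff:
        return expiry_action
    if basis == "consent" and not record.consent_evidence:
        return "exclude"  # consent that cannot be evidenced does not meet the GDPR standard
    return "migrate"

def anonymise(record: Record) -> Record:
    """Strip the identifying field so the audit record survives without the person."""
    return Record(record.record_type, "anonymised", record.last_activity, "")

def plan_migration(records, today: date) -> dict:
    """Group source records by outcome; the anonymised copies are what gets loaded."""
    plan = {"migrate": [], "anonymise": [], "exclude": []}
    for rec in records:
        action = migration_decision(rec, today)
        plan[action].append(anonymise(rec) if action == "anonymise" else rec)
    return plan

SAMPLE = [  # constructed source records, evaluated as at MIGRATION_DATE
    Record("order", "a@example.org", date(2016, 3, 1)),
    Record("order", "b@example.org", date(2009, 11, 20)),
    Record("marketing_preference", "c@example.org", date(2017, 9, 5), "privacy-notice-v2"),
    Record("marketing_preference", "d@example.org", date(2017, 9, 5)),
    Record("raffle_2012", "e@example.org", date(2012, 6, 1)),  # function no longer run
]
```

Running `plan_migration(SAMPLE, MIGRATION_DATE)` migrates two records, anonymises the out-of-retention order so the audit trail survives without the person, and leaves behind the unevidenced consent and the data of a function no longer run.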

There is a huge payoff here regarding investment value if you focus on aligning all decision makers on the true value of the data to your organisation and your data subjects.

You can achieve both goals: abide with ICO GDPR principles, and hold highly valuable data.

One last dig for victory into the analogy then:

Doing this work well, you should reach a point in your project where you emphatically slam the doors shut on the data van and say, as you see it sweep off to your new home:

“I’m glad we spent the time on that. We only packed what we really need in the new place!”


Successful implementation

To learn more about system implementation management, join our training programme “How to deliver successful projects”. The whole course is invaluable, and module 5 focusses on “Delivering a Successful System Implementation”, including data migration.


Hart Square’s GDPR White Paper for Non-Profits

GDPR compliance is mandatory from 25th May 2018

Building on current Data Protection legislation, GDPR is designed to bring the regulations up to date and ensure they’re fit-for-purpose in a digital economy.

Its introduction will increase the requirements placed on organisations to properly manage the personal information they process, increase individuals’ rights to privacy, and increase the penalties which can be issued where non-compliance is found.

At Hart Square we work exclusively within the non-profit sector and we know the impact this could have on our clients and across the sector. It’s not all doom and gloom though, there’s work to be done before May 25th 2018 but that work should have a host of positive outcomes.

Our White Paper is intended to summarise our approach to the challenge created by the introduction of GDPR and to the opportunity it presents charities, membership bodies and all non-profits.

Download it, have a read, then get in touch to tell us what you think!

Hart Square’s GDPR FAQs

General Data Protection Regulation (GDPR): Frequently Asked Questions

Does the GDPR replace the Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR)?

  • Yes, the GDPR does replace the DPA. It does not replace the PECR, which give people specific privacy rights in relation to electronic communications.

Does the UK’s decision to leave the EU have any impact on GDPR?

  • No, it doesn’t. The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR on 25 May 2018.

Who is affected by GDPR?

  • You can assume that if you hold personal information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The regulation, which sets out how personal data and sensitive personal data should be processed, will apply to any organisation providing goods/services inside the EU and to those that process such data too. GDPR applies equally to not-for-profit and charitable organisations. It also applies to both automated personal data and to manual filing systems.

When am I ‘processing’ personal identifiable information or sensitive personal data?

  • If you are storing, collecting, using or destroying personal data about your staff, members, supporters, suppliers, or any other contacts, or disclosing or transferring their data to another organisation, then you are processing personal identifiable information.
  • Sensitive personal data is information covering:
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • trade union membership
    • genetic data
    • biometric data
    • data concerning health
    • data concerning a natural person’s sex life or sexual orientation

What ways can I justify processing data?

  • There are some fundamental ways to demonstrate a legal basis for the collection and processing of personal data:
    • You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given and you must be able to provide evidence of this consent.
    • You have a “legitimate reason” to hold and process personal information. For example, during an online purchase you have to provide whatever basic information is necessary to fulfil a transaction, i.e. contact and address information, and the seller will have to record your transaction.
    • You may have a legal obligation to collect and process personal data. For example, if the person is an employee, you have a legal obligation to record and process payroll information and report details to HMRC. As you are legally bound to do this, you do not require the explicit consent of the individual to do this.
    • Processing is necessary to protect the “vital interests” of an individual, that is, effectively, matters of life or death.
    • Processing is necessary to comply with a UK legal obligation.
    • Processing is necessary for the performance of a task carried out in the public interest.
  • In Hart Square’s opinion, consent and legitimate interests are the two most relevant legal bases for the NFP sector.

We pass our member/supporter data to our mailing house supplier so that they can send out member/supporter communications. Can we still do this after the commencement of the GDPR?

  • Your supplier needs to demonstrate to you that they are compliant with GDPR. Your contract with your supplier needs to have a GDPR compliance policy. If your supplier is not compliant, your organisation as well as the supplier could be liable for a fine.

Can our organisation carry on using existing DPA consents?

  • You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. However, if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being: specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, then you should obtain GDPR-compliant consent.
  • Consent must be actively given. There must be some form of clear affirmative action – that is a positive opt-in.
  • Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
  • When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms.
  • Ideally explicit consent is required for each channel of communication – both electronic and non-electronic – to allow the individual choice and flexibility.
  • You should also consider if you can rely on another of the legal bases to process personal and sensitive personal data. (See question above.)

How long does consent last?

  • There is no explicit expiry date, but there is an expectation that consent should last between two to three years. It is essential to record the date on which consent was given, at the time it was given, together with a record of what the individual was told in order to capture their consent.
  • There is a requirement to have evidence of the interaction or conversation that recorded that consent, and a link to the statement that was used to capture it.

Will audits from the Information Commissioner’s Office (ICO) increase?

  • The ICO has not made their position on this subject clear. However, the need to evidence compliance is most likely to come from members/supporters in the first instance. You must show at once upon request that you are compliant, or face the possibility of significant fines.

Isn’t having to sacrifice all this data a bad thing?

  • Whilst the numbers of contacts may reduce, the quality of information should increase and you can become more targeted in your communications. It’s an opportunity to manage your organisation’s data better and ensure you have the accurate, quality information about your member/supporter database and build better and closer relationships.

Do I need to go on training or require certification for GDPR?

  • It’s not part of the requirements to attend any training or gain certification.

Shouldn’t our strategy just depend on how sensitive the data we’re holding is?

  • No, if your organisation is holding staff data, keeping HR records, customer/member/supporter lists, or other contact details then you will need to take steps to comply with the GDPR.

What are the consequences of not adhering to the GDPR?

  • The minimum penalty for non-compliance is 2% of global turnover or £10 million, whichever is more. In addition, there is the media coverage that would be generated by the non-compliance and the loss of your organisation’s reputation for holding data responsibly, which in turn may affect member or supporter retention as trust in the organisation is eroded.

Isn’t the number of complaints I had under DPA indicative of how many I will get under GDPR?

  • Not necessarily. It is likely that the increased media interest in non-compliant organisations following the commencement of the GDPR will raise awareness to all members of the public about their rights.

Hart Square’s GDPR Self-Assessment Form

Hart Square have worked within the charity and not-for-profit sector for many years, and during that time have helped numerous organisations make better use of their technology to meet their aims and objectives.

The impending introduction of GDPR (General Data Protection Regulation) in May 2018 is one of the most significant changes to impact the sector over this timeframe, in that it demands that all organisations tighten and improve the way they capture, store and utilise their contacts’ information.

The questions and examples in this Self-Assessment are intended to help organisations to better understand how prepared they are for these changes and to identify areas of greatest risk.

Our hope is that through this self-assessment, you will be able to identify areas of improvement and then go about tackling these in a timely and efficient manner.

GDPR compliance is the sole responsibility of each organisation, regardless of outside support, systems, or recommendations provided by 3rd parties.
