Get Data Protection Ready

Unless you have been stranded on a desert island for the past 18 months you cannot have failed to read/hear about the General Data Protection Regulation (GDPR) which comes into force on Friday 25th May 2018. It’s certainly the ‘hot topic’ – the subject is broached at pretty much every client meeting I have and I expect to be talking/reading about it even more in the next 2 months. By now, if you’re reading this then I would assume you have at least a basic understanding of what GDPR is, and what it means, so I’m not going to re-write another blog on that. Besides there are hundreds of articles online about it!

What I’d like to focus on is some of the key requirements of GDPR and how Peppermint can help to facilitate your compliance with these so that you can achieve that Holy Grail of GDPR compliance!


Under the ‘Accountability’ principle of GDPR, firms must demonstrate Data Protection compliance by default and design. However, what this means in practice can be open to interpretation. Quite often in my role I’m asked can Peppermint do <……>? Invariably my answer is not simply ‘yes’ it’s ‘how would you like it done’? When it comes to GDPR, just one of the advantages of Peppermint CX is that it is built upon Microsoft Dynamics CRM, which is extremely customisable. No matter what your firm’s interpretation of the new laws are, I’m confident that Peppermint CX will be able to assist you in meeting them, using ‘bespoke custom fields’, ‘workflows’ (automated processes working away behind-the-scenes) and ‘business rules’ on forms.

Did you know GDPR will become the first global data protection law, as organisations anywhere in the world who use personal data relating to EU citizens must comply with GDPR?


If you are talking to someone about GDPR, then at some point, I can pretty much guarantee that the theme around ‘consent’ will be discussed – from a marketing and BD perspective it’s at the core of how working practices will change, post 25/5/18… In the simplest possible terms, for any firm to be able to market to an individual, they must be able to prove that they have received explicit, freely given and informed consent (i.e. the contact has proactively opted-in) to do so. Most of our clients will capture this consent using an eMarketing tool and creating the necessary fields in Peppermint to hold this information. Nothing really ‘ground-breaking’ there. However, what happens if a contact, who has previously given consent, moves firm and their contact details change? Will that consent still be valid? The short answer is ‘no’, it will not. In this situation, using Peppermint CX, you could create an automated workflow that resets, upon the edit of an email address, the ‘Consent Received’ field to ‘No’, clears the ‘Date Consent Received’ field and generates a task for a Data Administrator to re-obtain consent.

Individual Rights – Right of Access / Right of Data Portability / Right to be Forgotten

Under the new GDPR rules, individuals have the right to access the data held on them. This is known as a ‘Data Subject Access Request’ and firms must provide this free of charge and within one month of the request. For a firm with separate CRM, Practice/Case/Document management applications, this would mean a timely and inefficient procedure having to interrogate each system, then prepare the data so that it is in a consistent format. This may also expose inconsistencies in the data between the databases.

With Peppermint, however, there is only one system to interrogate – one single source of data, meaning that extracting the data is quick and easy and that you will be not have the embarrassment of having to explain away differences between the databases.

Similarly, individuals also have rights to request that their personal data is removed/anonymised or that their personal data is produced in a format that allows it to be transferred to an alternative organisation. Using Peppermint, our clients only need to perform this action once against the database, as opposed to multiple times across multiple systems.

Did you know the maximum fine which the ICO can levy under the Data Protection Act is £500,000. The maximum fine that can be levied under its successor, GDPR, could be €20 million.


Don’t Panic!

At the time of writing this blog, there is still over 2 months until the GDPR deadline, and so there is plenty of time to become GDPR compliant. In fact, if you can prove that you have previously obtained explicit, ‘opt-in’ consent, then that will still be valid. Some of the clients I work with are concerned that they will not have any marketing lists, 6 days after the Royal wedding. It will, in my opinion, also give you an opportunity to really cull your data and gain a much clearer view of who are genuine, relevant prospects, instead of the people who’ve been on a mailing lists for 10 years who never respond to anything.

One piece of advice, however – if you are thinking of sending out a blanket email to capture your consent, it should be noted that the vast majority of companies in the EU (and any company worldwide who holds data on an EU citizen) will also soon be doing exactly the same thing. Timing is key, and unless your email stands out, it may be lost in an inbox somewhere!

This blog was written by our Principle CRM Consultant, Russell Bell.