Pipedrive - GDPR compliance and marketing consent
Valid until: Sep 30 2021
1. From time to time we receive a request from customers to stop marketing mailings or remove their data from our database. While the first case is simple for us, because we have created checkboxes with marketing consent in Pipedrive and tick them off if necessary, the second type of request (data deletion) is more troublesome. According to the GDPR, we should simply remove the contact from Pipedrive completely and not process it anymore, but on the other hand, we often import large external databases into it, where such a contact can be found again. In other words, we are afraid of a situation in which someone categorically requests the deletion of their data, and in some time we download it again along with a large, external database, add it to the CRM again and Pipedrive does not protest, because the e-mail address used to associate contacts is already deleted. As a result, we can resend unsolicited marketing emails to the customer.
It occurred to us that some kind of solution could be graying out, encrypting, anonymizing or whistling data from deleted contacts. So that in the light of the GDPR, they no longer constitute personal data that we process all the time, but that they are still sewn somewhere, and CRM can recognize that the e-mail address is on the "black list" and display an appropriate message to us. I haven't found such a solution in Pipedrive, so the question is, would you be able to do something like this?
We receive a request from a CRM client to forget his personal data. There is a check-box or a functionality (button) created in CRM, which, when launched, makes personal data (all that is in CRM in the available windows, i.e. name, surname, e-mail address, phone numbers, as well as everything from the contact history) (where there are personal data) they become invisible, but they cannot be completely deleted from CRM, because the next time we try to enter such data into the system, we must receive system information that a given contact asked us to forget. And now the following process opens for us : personal data are entered into the CRM and after pressing the save button, CRM spits out a prompt containing the following information (who forgot the data - what CRM user on our part, when - date and confirmation when the said person received confirmation of forgetting from us). reasons, such a person is to be re-entered in the CRM, the user should receive a prompt with the information that he confirms that this person has agreed to re-enter his personal data (reason: handing over a business card, meeting, etc.) and after pressing the button, I confirm, an e-mail is sent to the indicated person from the organization, who finally confirms the action and then the data can be entered or old data appear for possible editing.
Each personal record on which no action was performed (phone, note) had been for 3 years, it is automatically removed from the CRM (to consider whether it is completely or just as in the above case), but with a prompt that the record has been forgotten in in connection with the provisions of the personal data protection policy (and here also the record of the date of forgetting by whom the system action will be).
*Polish language preferred, description attached below