Consents Management

In this article will provide an overview of how you can seek consents from contacts and how the CRM can help your business in conforming to the contact preferences.

Note! GDPR feature is available in Starter, Professional, Enterprise Edition.

---

• For Starter and Professional edition users Vtiger Privacy Guard is available as an add-on from the Extension Store.
• For Vtiger One Professional, Vtiger One Enterprise Edition users the Vtiger Privacy Guard extension is readily available and needs to install from Extension Store.
• To get started with the Vtiger Privacy Guard, please write to support@vtiger.com

Why does my business need Consents?

There are two reasons why consent is essential:

1. Avoid Penalties

   With increasing concerns about invasion of personal privacy, Governments around the world have stepped in to enact laws to protect individuals rights. For instance:

   • European Union will start enforcing GDPR from May 25, 2018, with stiff penalties for businesses that violate the law.

     • For more details on the rationale behind GDPR, please refer to our blog post - GDPR and CRM: What Is GDPR and How Does It Affect CRM?

   • United States enacted CAN-SPAM act in 2009 with stiff penalties for sending commercial messages that do not follow the stated guidelines. It has become imperative for businesses to heed these laws or risk huge fines.

2. Gain trust from your clients by being transparent on how your business uses their data.

My business does not operate in Europe. Do we need Consents?

If you are sure that none of your contacts or leads resides in Europe or is citizens of EU countries, then you might not need to use Consents.

Warning!
If you have a webform that is publicly available, then European residents might have submitted the webform and shared their personal details like an email address. That is sufficient for your business to be liable for GDPR violations.

What actions and data require consent?

As per GDPR, a business storing personal information should offer the following rights to the individuals.

1. Right to know the information the business has on the individual
2. Right to know how the information is used
3. Right to know if the business is tracking their engagement.
4. Right to ask a business to stop processing the data
5. Right to ask a business to erase their data.

Consents module in Vtiger CRM makes it easy for your business to grant these rights to individuals and seek consent for storing and using their personal data and tracking their engagement.

3 Benefits of Consents module

1. Know if you have consent to store and use the data
2. Keep a record of when and from where the consent was granted
3. Seek consents from only selected contacts by configuring conditions for each consent (ex: Country=France)

Prerequisites - Before you add Consents

Step 1 - Identify the data for which you need to seek consent

The data you need to seek consent for varies from one business to another. A business should only need to seek consent for data that is not required for the operational purpose.

EMail address, Phone number, Marital Status, Religion, etc., are all considered Personal information. But some of this personal information might be required for operational reasons. For example, if an individual has bought services from your business, then you will need to retain the individual name and address on invoices and orders for record keeping and auditing purposes.

Classify which of the personal information is essential for operational purpose, and which information is not essential and is only kept for marketing purposes.

Non-essential personal information needs consents. You will be selecting these in the Data section of the Consents page.

Step 2 - Document the uses of the personal data

How do you use personal data?

1. Do you refer clients and share their data with partners?
2. Do you keep voice recordings of phone calls for training purpose?
   You will need to seek consent for these specific uses. You will be defining them in the Custom consents section.

Step 3 - Remove duplicate contacts with same email address

To prevent multiple consent requests going to the same individual, it is necessary to skip duplicate contact records (& lead records) that have the same email address. This can be an arduous task if you have thousands of contacts. Fortunately, Vtiger makes it easy by automatically flagging the duplicate contacts as “Duplicate” (Contact Status value will be set to “Duplicate”) and retaining the last modified Contact as the primary one. An administrator will be prompted to approve this automated process while enabling the Consents feature.

Step 4 - Choose the FROM Name and FROM Email address for the Consent requests.

Consent request emails will go from the Email address that you choose along with the selected FROM name. You should configure this in “Double opt-in and Consent Emails” section of the Settings > Email Settings page.

Step 5 - Understand the risks of losing data

Existing “Contact Status” value will be overwritten with “Duplicate” for the duplicate contacts.
If consent is deleted for a field, the field is also removed from the Layout editor.

Adding a Consent

There are three types of consents

1. Data Consent
2. Custom Consent
3. Tracking Consent

Note! Data Limits in GDPR compliance Add-on

• Personal fields - No limits
• Encryption fields - 5 fields per module
• Data consents - 10 fields per module
• Custom consents - 10 fields per module

Setting up consents

To set up consents, please follow these steps:

1. In the Settings page, click on Consents from Configuration section
2. In Consents page, enable the checkbox “Enable the Preference Page.”

3. In the Pre-requisites pop-up window, enable the checkbox to confirm to deduplicate the contact records

   

4. If you have setup your Email Settings, then you are allowed to proceed. If you haven’t configured the Email Settings to send out opt-in emails, please configure and start the process again from Step 1.

   

5. Finally, confirm the Consents Prerequisites and click Save.

   

6. You will have to enable the checkbox again to configure the Consents.

Settings for each Consent - Who and What

When adding any consent, you need to configure the following:

1. Is this consent required from all contacts or selected contacts?
   • For example, you might only need to seek consent to store Credit Card Number when Contact Status changes from “Sales Qualified Lead” to a “Customer.” You can configure this condition in the “Show to” area.
2. What is the default value?
   • Choose “Yes” or “No Preference” as default, if you do not require consent to store it but need to provide the right to an individual to revoke it.
   • Choose “No” as default, if you need consent before storing the value.

Adding a Data consent

By default, any fields marked as sensitive will be added to the Consents page. You can add additional fields by clicking the “Add CRM field” button.

Adding a Custom Consent

To add a custom consent, click on “Add New Custom Consent” button, and enter the text defining the purpose.

For example, “Your contact details (email address & phone number) will be shared with a local partner to follow up.”

Adding a Tracking Consent

Vtiger provides the ability to track document and email engagement. You can configure to whom these consents should be shown. If the customer, mark as “No”, then you cannot send any email or track the document.

Note!

Email Tracking will not work if

• Email client doesn’t fetch & display images (Some email clients hide images by default and only fetch if the recipient clicks to load images)
• Consent for tracking is revoked by the contact

Other Preferences

GDPR requires that you give contacts the ability to opt out of processing entirely or erase their personal identifying data from the system.

• When a customer requests to “Stop using the data” - the customer’s email status changes to “Opted Out”, which means they’ll no longer receive email campaigns and autoresponders. The opt-out also stops workflow emails by updating the setting on the email settings page.
• When a customer clicks on “Erase my data” option, Please erase my data checkbox in the Contact’s record is enabled. To erase the date from the system, the assigned user has to delete the record manually.

When is a Consent request sent to a Contact?

Consent Notification settings govern how the contacts are informed.

1. If the Automatic option is enabled, and if a change in contact profile or a new contact matches a consent condition, then the system will automatically send an email. To prevent multiple emails going for multiple changes in contact profile done within a day, Vtiger has a daily process that checks the recently created and modified contacts and sends the emails. This process runs at 10 AM every day.
2. If the Automatic option is enabled, and if the Consents policy has changed (i.e., you have added or modified consents), then the system will automatically send an email. To prevent multiple emails going for updates to the policy done within a week’s span, Vtiger has a weekly process that runs on Friday at 3 PM and notified affected Contacts of the change in the Policy.

3. When ad-hoc emails are sent from CRM, the link to the Preferences page is included in the footer. But, when you include a user as CC/BCC, the Preferences page link is not included.

   
   

Consents block and field values in the Contact record

For each Data, Custom and Tracking consent that applies to a contact, the Consents block within the Contact record will show the consent value.

Consent values and Data field behaviour

Consent Value	Data field	What it indicates
Not Applicable	Editable	consent does not apply to the contact
Applicable	Not Editable	consent applies, but has not been requested yet (consents process runs once a day at 10 AM)
Waiting	Editable if default consent value = “yes”, non-editable if default consent value is “no”. (if there are any existing values, it will be erased)	A request has been sent (until the contact saves the preferences, the value will remain as waiting)
Granted	Editable	Contact has granted this consent
Not Granted	Not Editable (Existing value if any will be erased)	Contact has revoked this consent

Frequently Asked Questions

1. What if we delete consent for a field?

   • When consent is deleted for a field, the field is also removed from Module Fields & Layout Editor.

2. Can I send an invoice to contact that has requested to stop processing?

   • If you have a contract with a customer and are sending them an invoice as a part of fulfilling that contract, then yes, you may send them an invoice.
   • However, you should restart the processing on the record, and notify the customer why processing was restarted. This does not mean you can send the contact marketing email or perform any other tasks with their data.

3. Can I send workflow email to contact that has requested to stop processing?

   • You can send workflow emails to contacts that have requested to stop processing if that workflow email is related to a contractual obligation that you have with the customer, and not for any marketing or sales purpose or another purpose.

4. Can I send an invoice to contact that has requested data erasure?

   • If a contact has requested erasure before their record is erased you may still send them an invoice if it is required to complete a transaction as part of a contractual business obligation you have with them. However, once the contact record has been erased, if done correctly, you should no longer be able to identify them at all to send them an invoice.