Managing Lawful Bases for Data Processing

Switch on GDPR Compliance options

Under compliance settings, you first need to switch on GDPR compliance if it applies to your business. Users with the Manage Compliance Settings profile permission can enable and view the features available under Setup > Users and Control > Compliance Settings.

To switch on GDPR compliance options

  1. Click Setup > Users and Control > Compliance Settings.
  2. In the Compliance Settings page, toggle on the enable button for Compliance Settings.
  3. From the Enable GDPR compliance for modules drop-down list, select the modules that contain data subjects' information.
    You can edit this later from Setup > Users and Control > Compliance Settings > Preferences.
  4. Click Save.

The Lawful Bases

The fundamental principle for handling personal data is that data must be processed lawfully and in a transparent manner. GDPR defines six lawful bases to process data. It is important to understand all of them, as no one lawful basis is better than the others. Choosing the most appropriate basis depends on the purpose of data processing and your business requirements.

  • Consent - When you have consent from the data subject to process their personal data. There must be a deliberate action on the part of the data subject to opt in or give consent.
    Example: Collecting and processing personal data for marketing purposes or for sending newsletters.
  • Contract - When you have a contract with an individual to supply goods or services requested by them. In this case, you process data to fulfill the contract.
    Example: During a contract, when the customer asks for more information via email, the organisation processes their personal data to respond to the request.
  • Legal Obligation - When you have to process the data to comply with the law.
    Example: An employee's salary details are needed by a government institution or an investigation requires the processing of the personal data.
  • Vital Interests - When you need to process data to protect someone's life or in an emergency situation.
    Example: Collecting personal details of the people to ensure their safety during an emergency or a fire.
  • Public Tasks - When you need to carry out tasks in the public interest, usually as a government institution, political party, etc.
    Example: As a public authority who processes data for scientific research, surveys, or public health studies.
  • Legitimate Interests - When your organisation holds a genuine, legitimate reason to process data and the purpose does not harm the data subject's rights.
    Example: A customer has not paid their invoice and so the company needs to process the customer's data to collect payment. Or, for administrative purposes, when an organisation processes an employee's personal data for payroll.

Applying Lawful Bases with the CRM

Lawful basis as Not Applicable

By default, all the records in the Leads, Contacts, and Vendors modules will have the Data Processing Basis set to Not Applicable when you enable GDPR from Setup > Users and Control > Compliance Settings. Once this is enabled, each record will have a Data Privacy section with the data processing basis details. You can change this based on your discretion and business cases.

Data Privacy section for records

Once GDPR is switched on in your CRM account, each record will have a Data Privacy section where the data processing basis details are available. If Consent is the lawful basis, the options to send a consent form and update consent details manually will also be available. A new field called Source will also be available on the record's details page; it stores the data source, such as Web forms, APIs, Integrations, etc.

Who can access the Data Privacy section for records

Any user who has permission to view the record will be able to view and edit the Data Processing Basis section. If you use portals and the data processing basis is Consent, people who have access to the portal will be able to see the Data Privacy section. They can update their consent details.

When Consent is the lawful basis

If your business is running on the CRM, you can process data based on any of the lawful bases mentioned earlier. Consent requires a deliberate action to opt in on the part of the data subject. It is therefore mandatory for the controller to keep a proper consent management system in place to obtain consent from the data subjects.

The CRM's consent management system helps you obtain consent from your prospects and customers.

Consent management in the CRM has the following options.

  • Define Consent Settings
  • Set up the consent form
  • Add consent link in email template
  • View the status of consent request

Change lawful basis for records

You can change the lawful data processing basis in the following ways:

  • Select an individual record and update the details under Data Privacy.
  • Create a list view to filter out the records and click the More icon > Update Data Processing Basis.
  • Create a workflow rule to automate the process of updating the lawful basis for records that meet certain criteria.

Use the Data Processing Basis field to define the criteria.

View Details and History

You can view the details of the Data Processing Basis chosen for a particular data subject. Further, any changes that take place in this section will be logged under History, chronologically.
For example, to send marketing-related emails to your customers, you need their consent. Hence, you send a consent form via email and, when it is submitted, the consent details are automatically updated in your CRM account and can be viewed in the Details section. History displays the list of actions carried out in a record pertaining to the data processing basis, right from the creation of the record.

To view details and history

  1. Click open the data subject's record in your CRM account.
    The record could be in the Leads, Contacts, Vendors or any other custom module for which GDPR Compliance is enabled.
  2. Click Data Privacy.
  3. Under the Data Processing Basis section, switch between Details and History.

View Dashboard

Go to Setup > Users and Control > Compliance Settings > Overview, to view the dashboard that gives you the following details:

  • Number of records that have the lawful basis marked as Not Applicable.
    You can also view these records and update their lawful basis.
  • Number of records that have been updated with one of the lawful bases.
    The records are categorised as Consent or Other Basis. You can also view these records and update their lawful basis.
  • Chart that displays the consent status - Pending, Waiting, Obtained.
    Click on the status to view the records.

