Companies doing business with European Union customers and those who use cloud CRM services must be able to document how they -- and their cloud providers -- comply with GDPR data protection and tracking mandates. One little statement, one big job.
Helpshift Inc. developed strategies to tackle General Data Protection Regulation (GDPR) compliance while creating documentation and features for its in-app chat support, which is available on the Salesforce AppExchange and Zendesk Inc.'s App Marketplace. Microsoft, which along with Salesforce has invested in Helpshift, offers three Helpshift analytics apps in its AppSource marketplace.
Once Helpshift tuned up its own apps, the company began offering advice to companies prepping their GDPR strategies, regardless of the customer's CRM support service or application. Helpshift manages in-application chat functions for Zynga, Xfinity and Honeywell.
One feature that enabled Zendesk and Salesforce GDPR compliance is what Helpshift calls issue redaction, which wipes records from its cloud when an end user asks one of its app-selling customers to do so. It also flags the user and reminds the service team to ticket that user for deletion in other CRM tools the customer might use. Issue redaction also promotes compliance with the piece of GDPR that gives European Union (EU) citizens full control of their personal data, including the right to be forgotten by the companies from which they buy apps.
"How do you manage those requests?" is a common GDPR compliance question to any service and support team, not just those that develop and sell mobile apps, said Erik Ashby, principal program manager lead at Helpshift.
"Since we're the support system that users want to talk to [in smartphone and tablet apps], we can step in and help manage those requests ... and respond back to the customer saying, 'Your data's been removed,'" he said.
Many such forget-me requests will originate from the service/support side, so one reminder is to create workflows that remove a customer's data across all the CRM tools in which an organization might store it. Beyond that, Ashby offered other tips for companies whose CRM operations are looking to get on the right side of the regulation, especially those trusting some customer communications to AI-powered chatbot automation and those tackling complex Salesforce GDPR compliance plans involving AppExchange vendors.
These tips can also help customers using the Helpshift AppExchange who are looking to put the finishing touches on Salesforce GDPR compliance plans long in the making, as well as users of other CRM platforms finalizing their own strategies.
COPPA is a good start: Many of Helpshift's customers are gaming app developers, and so they already have compliance strategies in place for the United States' 1998 Children's Online Privacy Protection Act (COPPA). If your company has built a COPPA compliance plan, you have a head start with GDPR's special protections for children's data. If not, look to that law for strategies -- such as anonymizing data for apps geared toward kids and giving service agents a method to remove data from your system when a child contacts them and identifies themselves as a minor.
Ask your vendors for advice: Not only are the cloud vendors in your sales, service and marketing stack working to document their GDPR compliance, they can probably share best practices from other customers they've been talking to during the run-up to GDPR. Your vendors can be especially helpful if you're designing Salesforce GDPR compliance, which probably involves multiple cloud providers and multiple service channels, such as chat, email and social media.
Consider making it a standard for non-EU customers: With GDPR being a stringent standard, it's Ashby's opinion that it will contribute to privacy standards globally, as SaaS vendors will need to communicate with each other about the technical support of the regulation using common terminology, such as GDPR's right to be forgotten.
"Everybody's going to want to be able to work together," Ashby said. "They all are going to want to align to the same standards."
Look at the big picture: Finally, while GDPR might seem like a long, daunting document mandating a lot of minutiae for any company handling the personal data of EU residents, Ashby advises that you break your compliance strategy down into the regulation's core tenets -- data protection, data rights, privacy and accountability -- and compare it to what you're already doing. Then, fill in the blanks.
"Those are very logical things you should have in your system anyway because you want to take care of your customers," Ashby said. "When [Helpshift] read through the GDPR, we said, 'Oh yeah, a lot of this makes sense.'"