finova CRM & GDPR

About

There are a number of rights and processes that must be adhered to as part of the General Data Protection Regulation (“GDPR”).

This document sets out how finova’s CRM will help its customers fulfil the requirements of GDPR:

Consent

A new consent capture area which includes separate (and granular) consent for essential contact, marketing contact and passing of data to other systems.

The ability for a customer to record and update consent via the client portal.

Warnings throughout the system if consent is not given, which shall help users to adhere to the client’s preference.

finova’s existing marketing tools make it easy to contact clients to reaffirm consent.

Data privacy

Your privacy policy can be displayed within the client portal.

Customers not using the client portal can record the specific wording within finova’s CRM so they have a fully accurate record of what privacy statements have been presented to the client to capture the client’s consent around how the data is processed.

Data breaches

In the unlikely event of a data breach, the mass-mailing features in finova’s CRM will allow you to contact those affected (if required).

finova’s CRM has comprehensive user access controls which allow you to restrict users to only the customer records they should see.

Right of access

finova’s CRM includes comprehensive export facilities to provide customers with a copy of their data.

Right to rectification

A customer’s details can be easily updated using the edit functions.

You can use a case note (of a specific type if required) to record a rectification request to prove how and when the request was acted upon. Diary reminders can be easily created at the same time to ensure the activity is completed in the prescribed timescales. You can also record the time spent on these activities to allow analysis on how many requests you are getting and the impact (in time) on your business.

Right to erasure

With the right permissions it is easy to permanently delete a customer and their data from the system.

Right to restrict processing

You can use a case note (of a specific type if required) to record a request for restricted processing to prove how and when the request was acted upon. Diary reminders can be easily created at the same time to ensure the activity is completed in the prescribed timescales.

System controls will then allow you to restrict the processing of customer data.

Right to data portability

finova’s CRM will allow the export of customer data in a commonly used machine-readable format.

Right to object

You can use a case note (of a specific type if required) to record an objection request to prove how and when the request was acted upon. Diary reminders can be easily created at the same time to ensure the activity is completed in the prescribed timescales. You can also record the time spent on these activities to allow analysis on how many requests you are getting and the impact (in time) on your business.

You can easily withdraw consent with a full history retained.

Data security

finova maintains strict procedures to ensure the integrity and security of its customers’ data. These procedures include, but are not limited to:

  • DBS checks; all staff members undergo full background checks prior to commencement of employment.
  • All staff are trained to follow finova’s data protection policy.

finova’s infrastructure is entirely dedicated and located only inside the European Union.

Access to production systems is limited to a small, dedicated team of senior engineers. Before access is granted, each of these users undergoes training sessions covering the procedures involved in managing production servers.

finova’s production servers are hosted in ISO27001/2 compliant data centres. These are further protected by both hardware and software security levels, including:

  • WAF (Web Application Firewall) – to protect against a multitude of software-driven types of attack.
  • Hardware Firewall – to ensure that levels of access are restricted to specific addresses or locations.
  • Managed Security – finova’s hosting partner provides it with access to Cyber Security analysts who monitor finova’s servers, look for specific actions which occur, and take preventative steps in the event of a possible threat.
  • Back Ups – all servers and databases are fully backed up, with backups retained for 14 days.
  • Disaster Recovery – finova’s primary hosting site is replicated to an offsite location to provide a fallback solution should the primary site be compromised, such as loss of power.
  • Security Review Panel – finova’s security panel meets weekly to discuss security needs and plan for any required implementation of new security measures.