1 Overview

Data Protection is an essential part of any business solution that retains potential and existing customer data. It is important for you to know what you're entitled to keep and not to keep and for how long. It is also important to know how bxp can help you in adhering to your legal requirements.

This article provides an outline program to help you navigate what bxp can do for you.

2 PII

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. https://en.wikipedia.org/wiki/Personally_identifiable_information

Predominantly a US concept, the term equally applies globally and will be used throughout this article.

3 Laws

It is important for you to understand the data protection laws that apply to your country and your data. We provide an article to help you navigate this complicated area. Data_Protection_and_Data_Retention

If you feel more comfortable chatting to an experienced practitioner of the area, then get in touch with us at sales@bxpsoftware.com and we'll help to find you someone appropriate to help.

4 The program

4.1 PII fields

So at this stage, you recognise that you have some requirements upon you that you need to comply with. You understand the types and period of data that must be kept and that which must be removed. Generally information will now be clear to identify as PII and not-PII information.

Take for example, the following list of fields:

• Firstname
• Surname
• Street
• Area
• County
• Country
• Phone
• Email
• Industry worked in
• Number of children
• Children's names

As you have probably worked out there is PII and non-PII information in that list.

• PII - Firstname
• PII - Surname
• PII - Street
• Non-PII - Area
• Non-PII - County
• Non-PII - Country
• PII - Phone
• PII - Email
• Non-PII - Industry worked in
• Non-PII - Number of children
• PII - Children's names

4.2 Time

Once you have identified the PII fields in your data, the next important piece of information is time. For how long can you keep data? For how long must you keep data? Depending on the industry you're in, it will need to be ascertained for how long you can keep the data. Let's look at a few examples.

If the person is still a customer, (an active customer) then you need to keep PII so as to be able to work with the customer. Please remember that the information stored should not be excessive but rather enough to enable trade. As long as the customer is trading with you, then you can keep the data.

If the person was enquiring for a price (a prospect), then you are going to have a much shorter time window for retaining data. Essentially, the person has nothing to do with your company so you really shouldn't be storing data about them. 6 to 12 months is a rule of thumb to follow.

If you have traded with the person but they're no longer actively trading with you, e.g. a once off purchase (a passive customer), then you can only keep data up to a certain point. Essential, after your trade the person will revert to being a prospect in the same amount of time as a prospect.

The only over-riding length of time on a prospect is for legal reasons. (legal retention). If you trade with the customer and the law of the land requires you to keep data on customer available for a given period, e.g. in the financial industry, then you must not delete the PII information.

The only final exception to data retention is if the customer explicitly wants you to retain information about them. This consent is not implied and must be explicitly stated. A customer cannot opt out of your retention of their data, they must explicitly opt in. This law varies by country, but in most modern European countries the law requires explicit opt in from the customer. You must also in your communications give the customer easy ability to have their data removed without hesitation.

4.3 Approach

There is one approach which is to set up rules to wipe out the entire data record, but that can lose you valuable marketing information. For example, how does the demographic information of this months sales compare to last month. Now as you're only allow to keep potential customer details on file for a year, this means with a delete all approach, you'll lose that information.

Instead what is far more advisable is to set up a series of rules to remove the PII information but leave the rest of the data intact.

There are two primary ways of doing this set the PII informatin to deliberately obscure data. e.g. Firstname = zzz, Surname = zzz, etc.

Alternately you can set the data to blank. If you set the data to blank and you do a cleaning exercise later on, you might accidentally delete these records, believing them to be blank.

So we now have enough information to build our approach.

We want to set a specific set of fields (PII fields) to contain abstract data (zzz for example), where the last interaction date, of a non-customer (prospect or passive customer) with no contact in the last 12 months.

4.4 The Database Query

If today is the 1st of January 2016, this is done by doing the following in the CDA which contains your data.

Update CDA_X set strCDA_X_field_Y_Z = 'zzz' Where strCDA_X_LastDateTime <= '2015-01-01 00:00:00'

Now to remember to do this every day would be a pain. Instead we can build a MetaData program that performs this query and will dynamically adjust the date to 12 months ago. MetaData_-_Start_Here

That MetaData program can then be kicked off by manually running the program. Alternately you can contact bxp support and we can cause it to run on a scheduled basis for you.

The new General Data Protection Regulation (GDPR) came into effect on the 25 May 2018, which has reshaped the way in which data is handled across every sector. https://eugdpr.org/

bxp has addressed this by introducing a simplified approach to automatically removing PII so that your data is in line with these new regulations.

We call this the "bxp Scheduled Data Protection Routine" Form_-_Data_Protection_-_Scheduled

4.5 Backups

Before running any data deletion process, it's always pragmatic to make a backup and that way if any accidental data changing does happen the process can be easily reversed. bxp is backed up every 24 hours automatically for you Bxp_Backups. That said, the bxp support team can make mid-process backups before you execute any metadata program or data cleaning exercise. Just contact us through support. Understanding_bxp_Support

5 Next Steps

Now that you have a plan it becomes easy to set up the processes within bxp. If you are comfortable setting this up yourself that's great, but always remember that there is a team here in bxp support to help you get your processes sorted out. So feel free to get in touch or email us on support@bxpsoftware.com and we can help you deliver your data compliance.