GDPR defines personal data as any information relating to an identified or identifiable natural person (i.e. the data subject). There is a wide range of personal data that includes email addresses, location, mobile numbers, identification numbers, etc. In Zoho CRM, fields with such data can be marked as personal fields and can further be categorized as Normal or Sensitive. While GDPR aims to protect all the personal data, there is a special category within that which can be termed as sensitive personal data. One needs to take extra care in handling sensitive data as it might include information concerning health, medical records, financial details, biometric data, religious information or any other data that uniquely identifies the data subject.
In Zoho CRM, under Setup > Security Control > Compliance Settings > Preferences, you would have selected the modules that contain data subject's personal information and which needs to be GDPR compliant. The option to Manage Personal Fields will be available only in those modules under the Data Privacy section. When fields are marked as personal, data from those fields will not be transferred or shared in the following instances: data export, API usage and integrations with other services of Zoho (Books, Finance, Campaigns, etc.).
You can mark fields as personal from two places.
To manage personal fields from the Modules page
To manage personal fields from the Layouts page
The Data Privacy section for a record also contains details about the personal fields. It lists the number of fields that are marked as Sensitive and the ones as Normal.
To view personal fields
You may have marked some personal data as normal and others as sensitive. Zoho CRM gives you the option to decide which type of personal data you want to restrict from being accessed through APIs or other applications that are integrated with Zoho CRM. The following options are available to protect data subject's personal data being shared across other sub processors.
To run your business, you may use multiple tools from email service providers, customer relationship management systems to collaboration platforms. Many a times, these applications are tightly integrated and your customers' data is shared among these platforms. It is essential that these third-party processors you use are also directly and legally obligated to be in compliance with GDPR. To protect your customers' data, Zoho CRM has the option to restrict sharing of personal data to Zoho apps and third party applications integrated with your CRM account.
The following table will give you the details of the various integrations and the implications when personal data is restricted. There are certain fields that are mandatory for an integration. For example, for the Zoho Project integration, Email is a mandatory field. If you mark email as a personal field, the data will not be sent from CRM to Projects. You can find more such details in the tables below.
*Please note that First and Last Name cannot be marked as personal fields.
Integrations with Zoho Apps
Integrations with Zoho Apps | Fields mandatory for the integration | What happens when personal data is restricted? |
Zoho Desk | Last Name and Email | Data will not be pushed from Zoho CRM. |
Zoho Projects | Email | Client user will not be added through project creation or association. |
Zoho Finance Suite | Last Name and Email | Data will not be pushed from Zoho CRM. |
Zoho Campaigns | Email | Data will not be pushed from Zoho CRM. |
Zoho Recruit | Email | Data will not be pushed from Zoho CRM. |
Zoho Cliq | NA | Details other than those from the personal fields will be shared via Zoho Cliq. |
Zoho Analytics | NA | If one of the previously synced field is restricted, then reports based on those fields will be deleted. |
Zoho Writer | NA | NA |
Zoho Motivator | NA | NA |
Zoho Creator | NA | NA |
Zoho Mail | NA | NA |
Zoho Calendar | NA | NA |
Zoho Social | NA | NA |
Zoho Sales IQ | NA | NA |
Zoho Survey | NA | NA |
Integrations with Third-party Apps
Integrations with Other Apps | Fields mandatory for the integration | What happens when personal data is restricted? |
Microsoft Office 365 | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Microsoft Outlook | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Google Contacts | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Slack | NA | Details other than those from the personal fields will be shared via Slack. |
Android or iOS Speech Recognizer (Zia Voice) | NA | Only call to Zia action will be disabled, the chat with Zia option will work as usual. |
To restrict data transfer to Zoho applications
To restrict data transfer to third-party applications
Using API, other applications can connect to your CRM account and data can be transferred. When data is transferred via API, you need to ensure that the personal data of your customers are not shared without a purpose. For data security, Zoho CRM has the option to restrict the sharing of personal data through API.
When data is restricted, you can not share the data outside the system via APIs.
To restrict data access through API
There may be instances when you have the requirement to export data and for security reasons, you would not want the personal data to be exported. For such cases, you can restrict the personal data (normal and sensitive) from being exported. This includes exporting reports and updating data using Zoho Sheet view. Please note the following when you restrict personal data for the export action.
To restrict data in export