Sage CRM and Data Protection


This article has been prompted by a customer's questions as they completed a Data Protection Impact Assessment.  

A Data Protection Impact Assessment (DPIA) is a process to help organizations identify and minimize the risks to individuals' privacy from their processing of personal data. It is required for high-risk processing activities under the GDPR, but organizations can also choose to conduct DPIAs for other major projects or processing activities.

A DPIA typically involves describing the processing activity, assessing necessity and proportionality, identifying and assessing risks, identifying mitigating measures, and documenting the process and findings.

DPIAs can help organizations to protect individuals' privacy and demonstrate compliance with the GDPR.

I have discussed the general approach to Sage CRM's architecture and security in previous articles.

Are there retention and disposal measures defined for the contents in Sage CRM?

Data retention and disposal measures that satisfy local legal requirements are the responsibility of the customer. But Sage CRM does provide features that allow customers to configure the system to meet the requirements of legislation such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Please refer to the Help Centre for the documentation of the supported versions of Sage CRM.
Sage has also created a very good guide that explains how Sage CRM can help a customer meet their obligations under GDPR:

https://help.sagecrm.com/workbooks/gdpr/

The following information on Sage City may also be helpful:

Is the Sage CRM database encrypted? If yes, what kind of encryption is used?

The Sage CRM database is not encrypted except for passwords.

Sage CRM stores passwords in the database as hashes rather than as values that can be recovered; the hashing uses the bcrypt algorithm.

Is the personal data in transit encrypted? (The flow of data between the database and Sage CRM)

By default, the data in transit between the application and the database is not encrypted. You are strongly recommended to use HTTPS. See: Deep Layered Defence for Integrated Sage CRM

Sage CRM can be installed on either the same server as the database or on a separate server.

If you're installing Sage CRM on a separate machine from the database server, you must install the Microsoft SQL Client Tools to connect Sage CRM to the database server. The Microsoft SQL Client Tools are installed as part of SQL Server Management Studio (SSMS).

It may be possible to enable encrypted connections to the Database Engine, but Sage does not test with SQL encryption and therefore cannot provide support for this:
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver16
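If you do turn on SQL Server connection encryption while preparing a DPIA, the useful evidence is not the setting itself but whether the application's sessions are actually encrypted. The following T-SQL is an added example, not Sage documentation or Sage CRM code: it reads the built-in `sys.dm_exec_connections` and `sys.dm_exec_sessions` views to show the `encrypt_option` of the session you are running it from and of every current user session. It assumes a SQL Server 2012 or later instance and a login that holds the `VIEW SERVER STATE` permission.

```sql
-- Added example (not Sage's own code): check, from inside SQL Server,
-- whether client sessions are really using encrypted connections.
-- Assumes SQL Server 2012+ and VIEW SERVER STATE permission.

-- 1. The session this script is running in.
--    encrypt_option is 'TRUE' when the TDS stream is encrypted, 'FALSE' otherwise.
SELECT session_id,
       net_transport,
       auth_scheme,
       client_net_address,
       encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Every current user session, so the Sage CRM application server can be
--    picked out by host_name / client_net_address and its encrypt_option read.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       s.host_name,
       c.client_net_address,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.host_name;

-- 3. A summary count that can be pasted into the DPIA record.
SELECT c.encrypt_option,
       COUNT(*) AS session_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY c.encrypt_option;
```

Run it from SQL Server Management Studio while Sage CRM is in use. A session only shows `encrypt_option = 'TRUE'` when either the server's Force Encryption setting is on or the client requested encryption, so an application server that still appears as `'FALSE'` after the server-side change indicates its own connection settings have not been updated. As the article notes, Sage does not test or support this configuration, so treat the result as evidence for the assessment rather than as a supported Sage CRM feature.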