Welcome to the third part in our ‘Choosing a Higher Education CRM system’ series. We’re going to be discussing ways in which you can protect your data. In recent weeks there have been several data security breaches in UK Universities. Within your Customer Relationship Management (CRM) system, you’re recording – or want to record – a lot of personal data about your applicants and students. As well as capturing data and notes about your schools and partners. You need this information to make sure you communicate effectively, and make sure you do this in line with GDPR. So, how can you do this while making sure you’re safeguarding this highly personal and sensitive data in your Higher Education CRM system? And how do you make sure the system you choose will give you the protection you need?
What’s meant by sensitive or personal data?
Firstly, you need to clarify what you mean by sensitive or personal data.
Most Universities will be capturing name, date of birth, email address, telephone and postal address details for applicants and students. This is probably classed by everyone as personal information.
However, you may also be recording qualifications, family relationships, special requirements, conditional offers, and hobbies, to name a few others. And then there’s notes that you may have made. You could potentially see all these details as personal information that also needs to be protected.
There is no right or wrong answer here. But just be very clear about what you want to protect and why.
Identify who you want to protect sensitive data from
This may sound like a strange thing to say, but it’s important to understand why you’re protecting your data and crucially who from. Security breaches don’t always necessarily come from outside your University. They can also be carried out by your own staff.
So, when considering the protection you need, you need to understand who you don’t want to access your data. And also whether this means you want to safeguard all your data, just a selection of records or only certain data values.
Mapping this out as a matrix or table in Microsoft Excel can help you see this more clearly.
As a result, you can then determine the types and levels of security you require.
Understanding different types and levels of security
So, now we can start to delve into the security options available in Higher Education CRM systems:
- User Authentication – This verifies that a user is who they claim to be and can be controlled using internal user accounts managed directly within your Higher Education CRM, integration with an existing user management system such as Active Directory or LDAP, single sign-on (SSO) via an external enterprise identity service or multi-factor authentication (MFA)
- Authorisation – This verifies what a user can or cannot access and is often role based.
- Encryption – Encryption encodes the data, so only users who have the key to decrypt it can view the data. It gives you an extra layer of protection – from both unauthorised internal and external viewing. Types of encryption include end-to-end encryption, encryption in transit and encryption at rest. Some CRMs provide data encryption at field- or database-level and offer rules-based decryption which gives you additional flexibility. If you’re storing sensitive information, then you probably need encryption.
- Data Security Filters – These show only selected data records to authorised internal users. Examples would be where a user can only see enquiries generated by or allocated to a member of his or her team.
- Secure API or Data Transfer – When bringing data into your Higher Education CRM system from other applications, like student information management systems, your data may be protected by the API or file transfer encryption.
It’s important to note here that not all Higher Education CRM systems will necessarily offer all of these options. And if they do, it’s unlikely they will all offer them in the same way.
Likewise, you may not need all of these options, so it’s a case of prioritising what you need and how you need them to work.
Finally, how do you safeguard your data while at the same time trying to analyse it?
One of the key reasons for purchasing a Higher Education CRM system is to attract prospective students. In order to achieve this, you’ll be running personalised digital marketing campaigns and events. You want to know how successful these are by analysing your data using a reporting tool.
Most Customer Relationship Management systems sitting on SQL Server or Oracle can link to some form of reporting tool, for example, Crystal Reports or Microsoft Reporting Services. But you’ll have to pay separately for licences to view and design reports using these. This can turn out to be quite a hefty extra cost.
Higher Education CRM systems that have integrated dashboards and reporting tools can save you purchasing extra licences. However, if they’re using proprietary tools, be aware that you may have to learn some weird and wonderful code to create your reports.
CRM with integrated, ‘point-and-click’ reporting and dashboard tools give you the most benefits. They will also automatically pickup any security filters or permissions you’ve applied across the system. Plus, with integrated reporting tools, your data will remain in your CRM rather you having to export and store it in a separate data store or warehouse.
But if you did want to export your Higher Education CRM data to an external database or warehouse then you need to know the integration methods and technologies used by the CRM. For example, does the CRM use Web Services? Does it have an API, and if so, is it self-explanatory or do you have to read a hefty manual? And is it RESTful or SOAP?
Determining whether the CRM has the level of security required
As previously discussed, to identify whether a Higher Education CRM can provide you with the level of protection you need, you must understand your priorities and what personal data looks like to you. Once you’ve done this, there are some questions you can ask your CRM supplier that will help you understand what their system offers. You can then make an informed decision based on what you actually need.
- What mechanism(s) does the CRM use to authenticate users in the system?
- How often does the system prompt you to change your password? Does the system encrypt passwords? And is there a specific format?
- If the CRM has an external portal for external user access how does it manage access?
- How does the CRM restrict user access to functionality, menus, reports, exports and workflows? How easy can this be changed?
- Does the CRM encrypt data?
- What algorithm does it use?
- Is it ‘at-rest’ encryption?
- Is it field- or database-level?
- Does the CRM allow you to add any new fields and encrypt them? How is this managed? Are there any restrictions?
- Will the CRM allow the encryption/decryption of data based on rules? How is this set up and managed?
- What data transfer mechanisms and protocols does the CRM support?
A final thought about safeguarding your data in your Higher Education CRM system
When considering protecting your personal data in CRM, it’s not just about managing login access with usernames and passwords. And it’s not just about protecting your data from unauthorised external access – but thinking about internal access too.
Securing your system through username and password access is just the first step. Encryption and data security filters are also available to help prevent unauthorised viewing of sensitive data.
The level of security you need depends on what data you’re holding in your Higher Education CRM, who has access and what you’re doing and plan to do in the future with your information. Asking the right questions can help you assess whether a CRM will give you the level of protection you need.
Catch up on the rest of the series
- Part one – Manage every step of the student journey with Higher Education CRM
- Part two – 7 things to consider when choosing a Higher Education Customer Relationship Management (CRM) system