boberdoo blog

Who Has Lead Data Access? | Lead Management Planning

Written by Scott Hettman | Apr 18, 2018 2:35:53 PM

If you operate a lead generation business, you certainly deal with a lot of customer information on a daily basis. Because of this, I am sure you are well aware of the GDPR, its rules going into effect on May 25, 2018, and the measures most service providers are taking to manage and protect their customer data. Although this is an EU law, the GDPR affects any company that (knowingly or not) collects or stores information from European citizens. The GDPR will likely even serve as a roadmap for future U.S. regulation.

However, lead generation companies are in a unique position given their total reliance on customer information. Think about it. What is your answer to the following question?

How often do you or your colleagues need to see or gain access to specific customer information?

The answer is probably, “Rarely, if ever at all.”

Even if your lead distribution or lead management system has all the bells and whistles to collect, store and report on all of your lead data indefinitely, who has access to this data and what can they see?

If you can’t answer this question or if you haven’t already laid out a lead management plan to secure and protect your customers’ information, now is the time. If you are a boberdoo user, you can use any of the following features to build a lead management plan that fits your needs.

User group permissions

Individual user access and permissions are managed in boberdoo at the user group level. This allows you to build multiple user groups based on permission requirements and organize each user into these groups. For example, we recommend granting access to the Leads page and the Go To Partner Admin permissions only to those users who absolutely need to see lead details.

How To Set It Up

User-Level Two-Factor Authentication

Two-factor email authentication provides another level of security for your system users. This is enabled at the user level and can be set for each login or for each login with a new device.

How To Set It Up

Read our two-factor authentication instructions here.

User-Level IP Restrictions

By default, your system will allow user logins from any IP address. However, you can limit access at the user level to a list or range of IPs you define.

How To Set It Up

As shown in the video above, go to Settings>Manage Users. Select a user to edit and uncheck the All IP addresses allowed checkbox. You can then paste one or more IP addresses in the Allowed IP list.

Leads Export Webhook & Email Logs

Because the Leads tab contains all of your lead information, it is the most sensitive part of your boberdoo system. Whenever possible, you should limit user access to this page. However, you should also utilize security features for users with access to this page. In particular, it is important to know when any leads are exported. You can do this by setting up a webhook to notify you or any other users when a Leads page export is performed.

How To Set It Up

Go to Settings>Webhooks/Notifications and add a new webhook for the event title Lead Browser Export. Most users set up a basic email notification to a specific email address or user group, but you can set up this webhook to your exact specifications. For more details on setting up a webhook, start here.

Additionally, all emails sent from the boberdoo system are logged in the Emails tab. From here, you can identify the time, date and email address of every lead export.

Sensitive Field Encryption

One of the best possible security measures is to encrypt sensitive or personally identifiable field values upon lead submission. This will still allow your lead buyers to receive the decrypted lead details and view them from their Partner login, but it will not allow your users to view or export decrypted fields unless they activate Secure Mode.

Secure Mode is a user-activated feature that allows users to decrypt and view sensitive fields. While Secure Mode is active, all user activity that could involve seeing sensitive fields is logged in the Secure Mode Logs. Furthermore, you can control which users have access to Secure Mode in the User Group Settings.

How To Set It Up

Read our full guide on sensitive field encryption and secure mode.

Data Deletion

The single best way to keep customer data safe is data deletion. Deleting individual fields or entire leads is the only way to ensure that no one from your organization is responsible for customer privacy breaches. With boberdoo, you can set automated rules to handle your data deletion strategy. For example, you could automatically delete sensitive fields after 30 days and delete the entire lead after 60 days. Meanwhile, because we can hash values before deleting them, you can still use all lead duplicate checks you already use.

Finally, for those scenarios in which you need to keep customer information, you can perform a secure export to your Amazon S3 account before the data deletion is performed. This allows you to manage your data indefinitely in Amazon and control access accordingly.

How To Set It Up

Read our full guide on data deletion.
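The deletion schedule and hash-before-delete idea described above can be sketched as follows. This is an added example, not boberdoo's code or configuration: the field names, the key and the use of a keyed hash (HMAC-SHA256) are assumptions, and the sample leads are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: key stored outside the lead database. A keyed hash is used because
# unkeyed hashes of emails or phone numbers can be reversed by enumeration.
DEDUPE_KEY = b"constructed-example-key"
SENSITIVE_FIELDS = ("email", "phone")   # hypothetical field names
FIELD_TTL = timedelta(days=30)          # schedule from the post's example
LEAD_TTL = timedelta(days=60)


def fingerprint(field, value):
    """Keyed hash of a normalized value; supports equality checks only."""
    normalized = value.strip().lower()
    if field == "phone":
        normalized = "".join(ch for ch in normalized if ch.isdigit())
    return hmac.new(DEDUPE_KEY, f"{field}:{normalized}".encode(),
                    hashlib.sha256).hexdigest()


def apply_retention(leads, index, now):
    """Delete expired data, recording fingerprints in `index` first."""
    kept = []
    for lead in leads:
        age = now - lead["created"]
        if age >= FIELD_TTL:
            for field in SENSITIVE_FIELDS:
                value = lead.pop(field, None)
                if value is not None:
                    index.add(fingerprint(field, value))
        if age < LEAD_TTL:
            kept.append(lead)           # older leads are dropped entirely
    return kept


def is_duplicate(leads, index, field, value):
    """Check an incoming value against live leads and deleted-data fingerprints."""
    fp = fingerprint(field, value)
    return fp in index or any(
        field in lead and fingerprint(field, lead[field]) == fp for lead in leads)


def demo():
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    leads = [  # constructed sample leads aged 5, 45 and 90 days
        {"id": 1, "created": now - timedelta(days=5), "email": "a@example.com", "phone": "555-0100"},
        {"id": 2, "created": now - timedelta(days=45), "email": "b@example.com", "phone": "555-0101"},
        {"id": 3, "created": now - timedelta(days=90), "email": "c@example.com", "phone": "555-0102"},
    ]
    index = set()
    return apply_retention(leads, index, now), index
```

The fingerprint index answers only "have we seen this value before"; it cannot be used to display or export the deleted value, which is what lets duplicate checks survive deletion.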

 

At boberdoo, we take great pride in our external system security measures. However, it is the responsibility of each individual lead company to build an internal lead management and data security strategy to protect customer information. While we provide the features that allow you to build your own lead management plan, we are also here to help. Open a support ticket to get started.