While the GDPR has received a lot of attention in the technology world, it is usually discussed in the context of websites and cookies. Nevertheless, it applies to all collection and processing of personal information, including in CRM applications. Here is what it takes to comply.

Basics of GDPR

The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union (EU) and in force since 25 May 2018. It sets out rules for the collection of personal data of citizens of the European Economic Area (EEA) and Switzerland.

The GDPR regulates the use of personal data, including its collection. Personal data is any information that identifies or relates to a particular person (known as the data subject).

The key data protection measures of GDPR provide legal requirements to:

  • Obtain permission before personal data are collected and processed
  • Secure personal data
  • Give customers the right to view their data, to correct it, and to ask companies to remove it

Scope of GDPR

The GDPR applies where the data processor/controller, the data subject, and the processing itself are located in an EEA Member State (or Switzerland).

The law applies both to data processors (the entities and organizations that handle data) and to data controllers (those who determine how and why the data are handled).

That matters because the GDPR governs your use of Customer Relationship Management (CRM) software.

Unlike some other privacy laws, the GDPR has no minimum sales or headcount threshold: any company storing personal data is affected.

GDPR & CRM Software

CRM software integrates a range of tools and processes that allow an organization to manage customer information. This means that using CRM applications inherently involves processing personal data and therefore triggers GDPR requirements.

When you choose or upgrade CRM tools, make sure that you can perform these four main GDPR tasks.

  1. Prove Consent

While the GDPR sets out six legal bases for processing personal data, many CRM users rely on the consent of the data subject.

The GDPR places the burden on you to show that a data subject gave you permission in a way that complies with the GDPR. This means you cannot rely on passive measures, such as a notice saying that “continued use of this website constitutes acceptance of our privacy policy.”

Instead, you will need at least confirmation that the user has read your Privacy Policy, for example by ticking a clearly labelled checkbox.

Recall also that consent is specific to a purpose. For example, a customer can give his date of birth and agree to your using it to confirm he is old enough to buy age-restricted products. This is not permission to use the birth date to run a credit check.

This means your CRM software must record each time the customer gives consent and the exact scope of that consent.

You must also ensure that the data you store matches the consent you hold. For instance, if your privacy policy states that you process the name and address of your customer, then you do not have permission to process their birth date.

Your software configuration must match the consent information you hold. For instance, you could configure the software so that it cannot collect or process data that is not covered by the consent process.

Essential Feature: The ability to manage consent

  2. Know Your Data

The GDPR grants data subjects the right to ask for the personal information you hold about them. Such a request is known as a data subject access request (DSAR).

If a data subject files a DSAR, you must immediately provide all the details they have requested. This can span multiple repositories, for example if a former employee later becomes a client.

Ideally, your setup will prevent duplicate entries, because duplicates could mean that you inadvertently miss some information when responding to a DSAR.

You also need to know when you collected data, for how long, and for what reason. The GDPR does not recognise general consent; consent covers data processing only for a specific purpose.

Once that purpose is no longer relevant, you no longer have a lawful basis to store or use the data. You need to know this so you can remove the data from your CRM software, including from any backups.

Essential Feature: A mass update function that allows you to update fields or delete data quickly based on various factors


  3. Update or Delete Data

The GDPR grants data subjects the right to have their personal data amended or rectified. They are also entitled to require you to delete data for several reasons, including that it is out of date or no longer necessary, that the data subject has withdrawn consent, or that you have not used the data lawfully.

Two requirements follow for your CRM applications. First, the software must let you make these changes without complications.

Controlled access is needed so that authorized people can make changes quickly while unauthorized staff cannot change the data. Ideally, the software will also record who deleted data and when, which may help if a dispute about your GDPR compliance arises.

The second requirement is to know precisely what will happen when data are updated or deleted. For example, a blank field might mean that a search or filter no longer returns the customer's record.

You must, of course, be aware of any technical issues, but you also need to know how altering or removing data will affect the service you provide to customers.

Essential Feature: Efficient sourcing of data for various purposes.

  4. Secure Data

The GDPR notes that “effective technological and organizational steps” are required to secure data.

Protection that complies with the GDPR has multiple components, including physical, technical, and organizational measures and, where applicable, risk reduction (e.g., encryption and data anonymization).

You need to implement both risk analysis and routine security checks and assessments. A key point for CRM is that individual employees should have different access rights based on their need to access customer data.

If a “physical or technical incident occurs,” you must also be able to restore access to the personal data. Finally, you need procedures to make sure that employees with access to personal data process it only if and how you have instructed them to.

Essential Feature: Customizable, granular control and protection standards.
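As an added illustration (not the article's code and not any CRM vendor's), the following Python sketch shows the four tasks above working together in one small record store: purpose-specific consent entries with evidence and timestamps (task 1), a normalised record key so one person does not become two records and a DSAR export that returns everything held including the consent history (task 2), withdrawal that drops fields no remaining purpose justifies and erasure restricted to authorised roles and written to an audit trail (tasks 3 and 4). The purpose-to-field mapping, the role names, and the sample customer are constructed assumptions, not anything the article or the GDPR prescribes.

```python
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumed mapping: which fields each consent purpose justifies holding.
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "email", "address"},
    "age_verification": {"date_of_birth"},
    "marketing": {"email"},
}
WRITE_ROLES = {"privacy_officer", "account_manager"}  # assumed roles allowed to erase

class ConsentError(Exception): pass   # data that no active consent covers
class AccessDenied(Exception): pass   # role without write rights

@dataclass
class Consent:
    purpose: str
    given_at: datetime
    evidence: str                         # e.g. "checkbox privacy-policy-v3"
    withdrawn_at: Optional[datetime] = None

@dataclass
class Record:
    subject_id: str
    fields: Dict[str, str] = field(default_factory=dict)
    consents: List[Consent] = field(default_factory=list)

class CrmStore:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: list = []   # append-only: (when, who, action, subject, detail)

    def _log(self, actor, action, subject_id, detail=""):
        self.audit.append((datetime.now(timezone.utc), actor, action, subject_id, detail))

    def record_consent(self, subject_id, purpose, evidence, actor="webform"):
        rec = self.records.setdefault(subject_id, Record(subject_id))
        rec.consents.append(Consent(purpose, datetime.now(timezone.utc), evidence))
        self._log(actor, "consent", subject_id, f"{purpose} ({evidence})")

    def permitted_fields(self, subject_id) -> Set[str]:
        # Union of the fields justified by every consent not yet withdrawn.
        rec = self.records.get(subject_id)
        active = [c.purpose for c in rec.consents if c.withdrawn_at is None] if rec is not None else []
        return set().union(*(PURPOSE_FIELDS[p] for p in active))

    def store(self, subject_id, actor, **values):
        # Purpose limitation: refuse any field that no active consent justifies.
        uncovered = set(values) - self.permitted_fields(subject_id)
        if uncovered:
            raise ConsentError(f"no consent covers {sorted(uncovered)}")
        self.records[subject_id].fields.update(values)
        self._log(actor, "store", subject_id, ",".join(sorted(values)))

    def withdraw_consent(self, subject_id, purpose, actor) -> List[str]:
        # Withdraw one purpose, then drop the fields no remaining purpose covers.
        rec = self.records[subject_id]
        for c in rec.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = datetime.now(timezone.utc)
        keep = self.permitted_fields(subject_id)
        dropped = sorted(f for f in rec.fields if f not in keep)
        for f in dropped:
            del rec.fields[f]
        self._log(actor, "withdraw", subject_id, f"{purpose}; dropped {dropped}")
        return dropped

    def dsar_export(self, subject_id) -> Optional[dict]:
        # Everything held on the subject, consent history included.
        rec = self.records.get(subject_id)
        if rec is None:
            return None
        return {"data": dict(rec.fields), "consents": [asdict(c) for c in rec.consents]}

    def erase(self, subject_id, actor, role):
        # Controlled access: only authorised roles may erase, and the act is logged.
        if role not in WRITE_ROLES:
            raise AccessDenied(f"role {role} may not erase records")
        rec = self.records.pop(subject_id)
        self._log(actor, "erase", subject_id, f"fields {sorted(rec.fields)}")

def demo() -> dict:
    """Walk a constructed customer through consent, DSAR, withdrawal and erasure."""
    db = CrmStore()
    sid = " Alice@Example.com ".strip().lower()   # one normalised key per person, no duplicates
    db.record_consent(sid, "order_fulfilment", "checkbox privacy-policy-v3")
    db.store(sid, "webform", name="Alice", email=sid)
    db.record_consent(sid, "age_verification", "checkbox age-gate")
    db.store(sid, "webform", date_of_birth="1990-01-01")
    before = db.dsar_export(sid)
    dropped = db.withdraw_consent(sid, "age_verification", actor="alice")
    db.erase(sid, "carol", "privacy_officer")
    return {"before": before, "dropped": dropped, "after_erase": db.dsar_export(sid),
            "audit": [a[2] for a in db.audit]}

if __name__ == "__main__":
    print(demo())
```

The design point is that consent, not the schema, decides what may be written: `store` consults `permitted_fields` on every write, so the birth date can only be saved once the age-verification consent exists and is removed again as soon as that consent is withdrawn, while the audit list gives you the "who deleted what, and when" record the text asks for.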

Although GDPR enforcement may be a pain point, GDPR compliance usually leads to better use of CRM tools. Most of the steps you need to take do not require advanced skills. The key objective is to know exactly what data you have stored and why, when it expires, and what happens if you change it. Above all, you need software built on “privacy by design.”