Priviblog

Do GDPR Requirements Mean I Have to Rehash My CRM Databases?

Posted on 21/09/2018

GDPR requirements for CRM

The short answer is yes, which may not be what you want to hear when you’ve been labouring hard on your CRM for months, perhaps years. 

Standard CRM design doesn’t cater for the GDPR requirements that came into force 25th May 2018. Many CRM vendors now provide GDPR compliant add-ons, but the GDPR is not a static list of regulations; it’s a living, breathing animal. Regulations are subject to change, growing organically to meet each emerging demand on its privacy remit. Each unprecedented assault on regulatory compliance, each new data privacy breach or crisis can lead to more change. For example, case law is likely to influence what defines legitimate interest in respect to the GDPR.

CRM - Keeping up with the GDPR

Updating a company’s CRM to keep up with an evolving GDPR requires considerable investment in money and staff resource. 

EU law now demands that Customer Relationship Management (CRM) systems comply with the GDPR. But many CRM databases are not designed for data privacy protection. With over 90% of companies using CRM to store their customers’ personal data, GDPR non-compliance is a widespread problem.

GDPR requirements for collecting data revolve around the six lawful bases. These are consent, contract, legitimate interest, vital interest, legal obligation and public interest.

The processing of data must be transparent and accountable. The data must be essential to business practice and remain private throughout the life-cycle of its processing. It must only be used for the purpose collected. Under EU law, sharing data without authorisation from the owner results in a data breach.

GDPR Rights to Ownership

Then there are the GDPR rights to ownership. These give individuals control over their personal data and how it’s used. It can be easy to forget these GDPR requirements extend to CRM systems too.

Here are the eight basic data rights for individuals every CRM or database must incorporate to meet GDPR requirements. They are...

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling.

Referencing these basic rights with CRM functionality ensures your CRM meets GDPR requirements.

Key Aspects of Updating Your CRM to Meet GDPR Requirements

As a business owner, you can be forgiven for only looking ahead as you go about the course of your daily business. New sales, new leads, new appointments; that’s where the focus is, amid the hue and cry of turning an annual profit.

GDPR requirements force you to refocus your energies. To look backwards and forwards. GDPR requirements place greater obligations on data controllers. Have your DPO revisit your CRM to ensure it is GDPR compliant, even if this means making major changes.

Let’s now consider what impact GDPR requirements have on the structure and functionality of CRM systems. Philip Brining, of Data Protection People, blogs about this brilliantly. Here is a summary of a few points he makes.

Accountability

Accountability is the force driving most of the changes to CRM systems. These days it’s not enough to comply, you must be seen to comply. This means your CRM must be designed to create actual evidence of GDPR compliance. Data controllers are now obligated under the GDPR to create records which prove their processing of data is legitimate.

Article 5(2) requires data controllers to be able to demonstrate compliance with the seven key data protection principles. You can read about these principles on the ICO website. In brief, they are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Accountability issues arise with CRM records because each carries a history of how, why and when the data was entered. Either someone has entered the contact record directly, or it has come via a third party.

This poses the question of what privacy information the data subject has been fed. It can vary from one third-party source to another. Even within the same organisation, privacy disclaimers often vary depending on the channel. For example, a company might serve different privacy information via its website than through its Facebook page.

Precisely how a company has warned a visitor affects the future legitimacy of the data it processes. The privacy message served determines the accountability. So recording privacy messages as metadata is a good idea. It keeps your CRM compliant with GDPR requirements.

Consent

Consent is usually a matter of programming a simple opt-in or opt-out call to the CRM. The consent must be genuine, which rules out shady gimmicks like pre-ticked check boxes. Article 7(3) of the GDPR states that consent must be as easy to withdraw as it is to give. Further, the data subject must be able to withdraw consent for certain types of processing, such as cold calling, while keeping it for others. Check that your CRM system can offer this nuance and flexibility.

Data controllers must be able to show a clear audit trail for consent and review permissions as and when the data subject requests. Consent must be logged at the point of data collection.

Retention

Each customer record is composed of several data fields. The data stored in these fields will suggest varying retention periods depending on its nature. Having a one-size-fits-all retention period for the whole record is usually not ideal. 

For example, data relating to a customer sale may only need storing until the product warranty expires. You should then delete that nugget of data, as it has fulfilled its purpose. But what happens when that customer registers another sale? He may make several purchases over time, all stored under the same customer record.

This example shows how data fields which store a name and address need a longer data retention period than a field which records a sale. People just don’t change their address that often, and their names even less. Still, when they do make those changes, an old address or a previous name should only be kept long enough to fulfil its legitimate and original purpose. This rationale is even more critical for sensitive data, such as credit scores, loan instalments and medical history.

If your CRM allows it, it may suit your purposes better to set data retention periods field by field rather than globally. Breaking down your data retentions in this way better protects against GDPR non-compliance. It also allows you to preserve the data you don’t have to delete for longer.

Remember, the GDPR demands data controllers exercise greater control over data retention periods. Matching retention to data purpose helps achieve this.

Purpose

All data collected must be for a specific purpose. Recording that purpose in your CRM’s metadata will help keep you ahead of the GDPR game. Purpose depends on the data. The purpose for collecting marital status differs from that for a credit score. 

Recording the purpose as metadata means it’s invisible to the end user. So you must make clear by other means the purpose for which the data is being collected. And if your company only needs name, address and email data to carry out its purpose, don’t also ask for marital status and age. You’ll be in breach of the GDPR.
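A minimal sketch of the consent, retention and purpose handling described in the three sections above, added here as an example rather than code from the post or from Data Protection People. The field names, lawful bases, retention periods and notice versions are hypothetical placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class FieldPolicy:
    """Per-field metadata: why the field is held, on what lawful basis, and for how long."""
    purpose: str
    lawful_basis: str
    retention_days: int


# Hypothetical policy table: the periods are illustrative, not a legal recommendation.
FIELD_POLICIES = {
    "name":      FieldPolicy("account administration", "contract", 365 * 6),
    "address":   FieldPolicy("account administration", "contract", 365 * 6),
    "last_sale": FieldPolicy("warranty support",       "contract", 365 * 2),
}


@dataclass
class CustomerRecord:
    # field name -> (value, date the value was recorded); each field expires on its own clock
    fields: dict
    # append-only audit trail, never edited in place, so it can be shown to the data subject
    consent_log: list = field(default_factory=list)

    def record_consent(self, processing, granted, when, channel, notice_version):
        # Logged at the point of collection, per processing type, with the privacy notice served.
        # Withdrawal is recorded the same way, so it is exactly as easy as giving consent.
        self.consent_log.append({"processing": processing, "granted": granted,
                                 "when": when, "channel": channel, "notice": notice_version})

    def has_consent(self, processing):
        # No entry means no consent (no pre-ticked default); the latest entry for a type decides.
        entries = [e for e in self.consent_log if e["processing"] == processing]
        return bool(entries) and entries[-1]["granted"]

    def expired_fields(self, today):
        # Compare each field against its own retention period rather than a record-wide one.
        return [name for name, (_value, recorded) in self.fields.items()
                if today > recorded + timedelta(days=FIELD_POLICIES[name].retention_days)]

    def purge_expired(self, today):
        # Delete only what has outlived its purpose; the rest of the record survives.
        expired = self.expired_fields(today)
        for name in expired:
            del self.fields[name]
        return expired
```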

Access

Lastly, this brings us to the right of access under Article 15. Companies often collect personal data from third-party sources. Article 15(1)(g) states that, if requested, a data controller must give an individual any available information about the source of their data. Arguably, disclosing the source’s category, e.g., direct marketing, might be enough to comply with the GDPR. But in the interests of courting customer trust, I would recommend you always record full source details in your CRM metadata.

You see now how there’s plenty to consider in aligning your CRM with GDPR requirements. The upside is that if you invest the time and effort updating your CRM, it will reward you back with ironclad customer relationships built on trust.

You should take all the above as general guidance only; it is not a substitute for legal advice. For details of our GDPR consulting services, please call Priviness on 0203 2878 243 or email us at info@priviness.eu

Further Reading

The perfect CRM system for GDPR compliance, by Philip Brining, 23 May, 2016
