Can your CRM enable you to achieve GDPR compliance?

All businesses will need to comply the with new GDPR act when it kicks in on the 25th May this year. Replacing the old 1990s Data Protection Act, it will set guidelines for the collection, processing and storage of personal data of anyone within the EU. Failure to comply will result in companies being fined.

Businesses that have a CRM system in place can be proactive about meeting GDPR regulations by configuring it in such a way that it will enable them to more easily comply with the new GDPR regulations.  

What will GDPR involve?

The key principles of GDPR are as follows:

• Transparency/Accountability – data needs to be used in a lawful and transparent way.
• Consent – it needs to be proven that data has been offered directly to the company using it.
• Privacy – it is essential that you tell individuals how you will use their data.
• Retention – information will only be held for a set period of time.
• Right to be forgotten – individuals can ask for their data to be erased from your database.
• Free access – information held should be provided to individuals upon demand.
• Portability – individuals are allowed to obtain and re-use their personal data.

Plan your CRM selection project and build a vendor shortlist with our CRM software selection checklist 

So how can your CRM system help with GDPR compliance?

Your CRM system can only help with GDPR compliance if you have suitable policies in place to ensure that it is used in a certain way.  Just having a CRM in-situ is not enough to ensure compliance.

Here are some processes that you should consider putting in place in order to operate your CRM in a proactive way, going a long way towards helping you to be GDPR compliant:

• Recording the source of your data – you need to be able to identify how, where when each record was put onto the system and so the ‘source’ field in the CRM should always detail this.
• Requesting explicit consent– if your CRM is used to send out marketing emails then there must be a double opt-in process showing that customers have given permission and if so, what you will use it for.  i.e. if they give you the authority to email them about product X and you instead send information pertaining to product Z, this is a GDPR breach. Double opt-in means that not only have they explicitly requested to be added to a marketing list but that they have also confirmed their email address to you.  Your CRM can be set up insuch a way that a double opt-in is compulsory.
• Retention – this refers to how long data is held for; this should relate directly to a certain product i.e. a one-year warranty.  After that, data should not be held. Your CRM therefore needs to be configured to delete any records of a specified nature once a set amount of time has passed.
• Right to be forgotten – data must be of high quality and not duplicated so that when a customer asks to unsubscribe, the CRM picks up the right contact in the database and removes it.
• Access rights – be sure that all users of your CRM have strict rights of access.  Use different levels of access according to seniority, defining them so that only certain information can be seen by specific users if they need to view, change or remove it.

Whilst your CRM cannot take care of all GDPR compliance, it can certainly help you to achieve it.  By putting in place strict CRM policies and configuring the system to perform certain set actions, your path towards total GDPR compliance will be a much easier one.