CRM and GDPR are two key notions in the management of customer data. More than 91% of companies with more than 11 employees use CRM (Customer Relationship Management) software to store information about prospects and customers, as well as about business opportunities.
Whether you already run a CRM or are planning one, this data must be stored and processed correctly, in compliance with the GDPR, the General Data Protection Regulation.
How can your CRM software help with GDPR compliance?
If you already use CRM software, it must support the collection and management of personal data in a secure manner. The GDPR has a significant effect on the way companies collect, store and secure personal data.
This regulation also has an impact on the way sales and marketing managers handle personal data.
Fortunately, some CRMs are real aids to GDPR compliance: they make the personal data processing policy transparent to the contact. A cornerstone of this is the consent of the data subject. Consent is one of the legal bases the GDPR recognises for processing personal data (Article 6), and the idea that marketing should only reach people who have agreed to receive it predates the regulation: Seth Godin made it the subject of his book Permission Marketing.
GDPR: what is it?
The 8 essential notions of the GDPR
This regulation is built around eight key notions. Together they protect private information and frame the digital footprint one leaves behind when using internet-based applications and services.
- Right to consent
- Protection of personal data
- Right of access to personal data
Your marketing team typically collects different types of information from leads and customers: contact forms, webinar replays, pages visited, etc. Your CRM software, as well as any synchronized marketing automation software, must obtain consent before storing and using personal data. For each contact (person) in your CRM, you must be able to digitally record consent, indicate the legal basis for storing the data, note the source from which you obtained consent (e.g. "a web form on a product landing page") and store when the information was updated and by whom.
The contact should be able to understand why their information is needed and how it will be used. Once a contact has given consent, their information cannot be used for any purpose other than the ones they were informed of (purpose limitation). Appropriate technical and organisational measures must also be taken to secure this data. Hosting matters here: transferring personal data outside the European Union is lawful only under a valid transfer mechanism (Chapter V of the GDPR, e.g. an adequacy decision or standard contractual clauses). Since the Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020 (Schrems II), software hosted in the United States can no longer rely on that agreement, so check which mechanism your vendor uses for any data it stores or processes outside the EU.
Finally, the contact must be able to request, for example via a form, an export of all personal data concerning them (right of access).
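The record-keeping described above (consent per contact and purpose, legal basis, source, timestamp, who recorded it) together with the purpose-limitation check and the subject access export can be modelled as an append-only ledger. The following is an added example written for this article, not code from the original page or from any CRM product; the class names, the purpose strings and the sample events in build_demo_ledger() are constructed assumptions.

```python
"""Consent ledger for CRM contacts.

Added illustration for this article, not code from the original page or from
any CRM product. The class names, purpose strings ("newsletter",
"product_updates") and the sample events in build_demo_ledger() are
assumptions constructed for the example.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class LegalBasis(Enum):
    """Legal bases for processing under Article 6(1) GDPR (subset)."""
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: what was decided, by whom, when, from where."""
    contact_id: str
    purpose: str            # processing purpose the decision applies to
    granted: bool           # True = opt-in, False = withdrawal
    legal_basis: LegalBasis
    source: str             # e.g. "web form: Product Landing Page"
    recorded_by: str        # user or system that wrote the entry
    recorded_at: str        # ISO 8601 timestamp in UTC


class ConsentLedger:
    """Append-only record of consent decisions; nothing is ever overwritten,
    so the history itself is the audit trail the article asks for."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, contact_id: str, purpose: str, granted: bool,
               legal_basis: LegalBasis, source: str, recorded_by: str,
               now: Optional[datetime] = None) -> ConsentEvent:
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(contact_id, purpose, granted, legal_basis,
                             source, recorded_by, stamp)
        self._events.append(event)
        return event

    def is_permitted(self, contact_id: str, purpose: str) -> bool:
        """Purpose limitation: the most recent decision for this (contact,
        purpose) pair wins; a purpose with no recorded decision is denied."""
        latest = None
        for event in self._events:
            if event.contact_id == contact_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.granted

    def export_for(self, contact_id: str) -> List[Dict[str, object]]:
        """Right of access: every ledger entry about one contact, as plain
        dicts ready for JSON serialisation."""
        rows = []
        for event in self._events:
            if event.contact_id == contact_id:
                row = asdict(event)
                row["legal_basis"] = event.legal_basis.value
                rows.append(row)
        return rows


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample history for one contact (not real data)."""
    ledger = ConsentLedger()
    t0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("c-1001", "newsletter", True, LegalBasis.CONSENT,
                  "web form: Product Landing Page", "web-form-connector", t0)
    ledger.record("c-1001", "product_updates", True, LegalBasis.CONSENT,
                  "web form: Product Landing Page", "web-form-connector", t0)
    # The contact later withdraws newsletter consent via the preference centre.
    ledger.record("c-1001", "newsletter", False, LegalBasis.CONSENT,
                  "preference centre", "self-service",
                  datetime(2023, 9, 15, 17, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    import json
    led = build_demo_ledger()
    for purpose in ("newsletter", "product_updates", "profiling"):
        print(purpose, "allowed" if led.is_permitted("c-1001", purpose) else "denied")
    print(json.dumps(led.export_for("c-1001"), indent=2))
```

Two design points matter for compliance: withdrawals are recorded as new events rather than by deleting the opt-in, so the history can be shown to an auditor or to the contact, and a purpose that was never consented to is denied by default rather than permitted until someone objects.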
- Right to correct data
- Right to get notified
The contact is entitled to correct the information they have provided, so they must have easy access to all information held about them. You can pair this with a preference centre that lets prospects and customers decide for themselves what kind of information they want to receive, whether blog post updates, white papers or product videos, as well as what they do not want to receive.
There are different types of data, and different rules about how they should be handled. Basic personal data such as names, addresses and phone numbers can be made accessible to the employees who need them for their work; it is still personal data, so it should not be open to everyone by default. Highly sensitive data such as bank account details or contracts requires stricter access controls and strong authentication. Your CRM should let you define automated rules for how each type of personal data can and should be handled in your company.
- Right to portability
- Right to be forgotten
- Automatic deletion
In addition to being able to export their information from the CRM, the contact must be able to exercise their right to data portability, i.e. to receive their data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another company. Once again, the request must be explicit and traced so that it can be enforced.
If a contact asks, it must be possible to delete all the data concerning them. To ensure that this deletion covers every record of your former prospect or customer, your CRM must be properly synchronized with the other systems that hold personal data, such as your ERP or marketing automation tool. Make sure your CRM exposes an API that allows these integrations, and that each system confirms the deletion rather than it being assumed.
For the right to be forgotten to be complete, your CRM must also have a mechanism for automatically deleting data once the retention period defined by the company has expired. This is the storage limitation principle (Article 5(1)(e)): data is kept no longer than necessary for the purpose for which it was collected.
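The two mechanisms above, deletion propagated to every connected system and automatic deletion at the end of the retention period, can be sketched as a retention sweep that fans erasure out to each system and only marks a contact as erased once every system has confirmed. This is an added example written for this article, not code from the original page or from any CRM or ERP product; the retention periods, system names and contacts in build_demo() are constructed assumptions.

```python
"""Retention sweep and erasure propagation across systems.

Added illustration for this article, not code from the original page or from
any CRM or ERP product. The retention periods, system names and contacts in
build_demo() are constructed assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Set, Tuple

# Company-defined retention period per contact category (constructed values).
RETENTION_DAYS: Dict[str, int] = {
    "lead": 365,           # prospects who never signed
    "customer": 6 * 365,   # kept longer, e.g. for contractual or accounting duties
}


@dataclass
class Contact:
    id: str
    category: str          # key into RETENTION_DAYS
    last_activity: date    # retention clock starts from the last interaction
    erased: bool = False   # set only once every downstream system confirmed


class ErasureHub:
    """Fans an erasure request out to every registered system and reports each
    answer, so a partial deletion is visible instead of silently assumed."""

    def __init__(self) -> None:
        self._systems: Dict[str, Callable[[str], bool]] = {}

    def register(self, name: str, delete_fn: Callable[[str], bool]) -> None:
        self._systems[name] = delete_fn

    def erase(self, contact_id: str) -> Dict[str, bool]:
        return {name: fn(contact_id) for name, fn in self._systems.items()}


def expired_contacts(contacts: List[Contact], today: date,
                     policy: Dict[str, int] = RETENTION_DAYS) -> List[Contact]:
    """Contacts whose retention period has elapsed and who are not yet erased."""
    return [c for c in contacts
            if not c.erased
            and today - c.last_activity > timedelta(days=policy[c.category])]


def run_retention_sweep(contacts: List[Contact], hub: ErasureHub,
                        today: date) -> Dict[str, Dict[str, bool]]:
    """Erase every expired contact everywhere; mark a contact erased only when
    all systems confirmed, so a failed system is retried on the next run."""
    report: Dict[str, Dict[str, bool]] = {}
    for contact in expired_contacts(contacts, today):
        results = hub.erase(contact.id)
        if all(results.values()):
            contact.erased = True
        report[contact.id] = results
    return report


def build_demo() -> Tuple[List[Contact], ErasureHub]:
    """Constructed stores standing in for the CRM and a synchronized marketing tool."""
    crm_store: Set[str] = {"c-1", "c-2", "c-3", "c-4"}
    marketing_store: Set[str] = {"c-1", "c-3", "c-4"}   # c-2 was never synced
    failing_ids = {"c-4"}     # simulated API failure on the marketing side

    def delete_crm(cid: str) -> bool:
        crm_store.discard(cid)   # idempotent: absent already counts as deleted
        return True

    def delete_marketing(cid: str) -> bool:
        if cid in failing_ids:
            return False
        marketing_store.discard(cid)
        return True

    hub = ErasureHub()
    hub.register("crm", delete_crm)
    hub.register("marketing_automation", delete_marketing)
    contacts = [
        Contact("c-1", "lead", date(2021, 1, 10)),      # expired lead
        Contact("c-2", "customer", date(2020, 6, 1)),   # customer, within 6 years
        Contact("c-3", "lead", date(2023, 11, 20)),     # recent lead
        Contact("c-4", "lead", date(2022, 12, 1)),      # expired, one system fails
    ]
    return contacts, hub


def run_demo_sweep(today: date = date(2024, 3, 1)) -> Tuple[Dict[str, Dict[str, bool]], List[str]]:
    """Run one sweep on the constructed data and return (report, fully erased ids)."""
    contacts, hub = build_demo()
    report = run_retention_sweep(contacts, hub, today)
    return report, [c.id for c in contacts if c.erased]


if __name__ == "__main__":
    rep, done = run_demo_sweep()
    print("erasure report:", rep)
    print("fully erased:", done)
```

Because each system's delete is idempotent and a contact is only flagged as erased when every system confirmed, the contact whose marketing-side deletion failed stays in the queue and is retried on the next sweep instead of disappearing from the CRM while surviving in the marketing tool.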
Data to ban from your CRM
This is less a feature than a point of caution. Your CRM should not contain special categories of personal data as defined in Article 9 of the GDPR: their processing is prohibited unless one of the exceptions in Article 9(2) applies (for example the explicit consent of the data subject), and a sales or marketing CRM almost never has such a basis. They concern the following areas:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person,
- health,
- sex life or sexual orientation.
The GDPR aims to guarantee transparency in the processing of personal data, while a CRM seeks to build loyalty among its contacts. The two share a common objective: a customer relationship the contact can trust.