CRM and GDPR are two key concepts in managing your customer data. More than 91% of companies with more than 11 employees use CRM (Customer Relationship Management) software to store information about prospects and customers, as well as business opportunities (the pipeline).
Whether you are already one of them or it is still a project, this data must be stored and processed properly, in compliance with the GDPR, the General Data Protection Regulation.

Can your CRM software support your GDPR compliance?
If you use CRM software, it must support the secure collection and management of personal data. The GDPR has a significant effect on how companies collect, store, and secure the personal data of their contacts.
This regulation also impacts the way salespeople and marketing managers process personal data.
Fortunately, some CRMs are genuine aids to GDPR compliance: they cover everything from managing the stored data to making the personal data processing policy transparent to the people concerned. For marketing contact, the cornerstone is the individual's consent, an idea Seth Godin had already made the theme of his book Permission Marketing.
GDPR: what is it?
The 8 essential GDPR concepts
The regulation rests on eight key points: rights of the individual and the corresponding obligations of the company. They protect people's private lives and govern the digital footprints they leave behind when using internet-based applications and services, and they come into play at three moments in the customer journey, as the table below shows.
| | Prospects | Customers | Former customers |
|---|---|---|---|
| Transparency | X | | |
| Restriction on use | X | | |
| Security | X | | |
| Right to modify data | | X | |
| Right to notification | | X | |
| Data portability | | | X |
| Right to be forgotten | | | X |
| Deletion | | | X |
Prospect
- Consent
- Protection of personal data
- Right of access to personal data
When your contact is still only a prospect, as your business opportunity progresses through the pipeline (or funnel, or conversion funnel), you gather all the information collected by your marketing (contact forms, webinars, videos, blog articles) and your sales teams (meetings, demonstrations, phone calls). Your CRM software, together with the connected marketing automation software, must obtain consent (or establish another legal basis) before storing and using personal data. For each contact (person) in your CRM, you must be able to digitally record the consent, indicate the legal basis on which you hold the data, note the source from which consent was obtained (for example "a web form on a product landing page"), and record when the information was last updated and by whom.
Moreover, the contact must be able to know why their information is needed and how it will be used. Once a person has given consent, their information cannot be used for purposes other than those they were informed of. Appropriate technical and organisational measures must also be taken to secure this data. Transfers outside the European Union need a valid legal mechanism: since the Court of Justice of the EU invalidated the Privacy Shield in July 2020 (the Schrems II judgment), software hosted in the United States can no longer rely on it and must use another mechanism such as standard contractual clauses with supplementary safeguards; otherwise the data has to stay within the EU or a country covered by an adequacy decision.
Finally, the contact must be able, via a form, to request an export of all personal data concerning them. Double opt-in (a confirmation link sent to the address entered in a form) is also an essential CRM feature: it verifies both that the address is valid and that its owner actually asked to be contacted, which gives you dated evidence of consent.
Customers
- Right to correct personal data
- Right to be informed and notified
The contact may correct the information they have provided about themselves, so they need simple access to everything concerning them. Connect this to a preference center that lets prospects and customers decide for themselves what they want to receive (blog post updates, white papers, product videos) and what they do not.
Different types of data call for different handling rules. Basic identification data such as names, addresses and phone numbers can be visible to the employees who need them for their work; highly sensitive data such as bank details or contracts require tighter access control and strong authentication. Even for basic data, access should follow the principle of least privilege and be logged: the GDPR's data minimisation and security obligations apply to all personal data, not only the sensitive kind. Your CRM must let you configure rules on how each category of personal data may and must be processed by your company, and notify the contact accordingly.
Former customers
- Right to portability
- Right to be forgotten
- Automatic deletion
Beyond exporting their information from the CRM, the contact can exercise their right to data portability: receiving the data they provided in a structured, commonly used, machine-readable format and, where technically feasible, having it transmitted directly to another company. Whether they authorize such a transfer must again be explicit and traceable so that it can be demonstrated later.
At the contact's simple request, it must be possible to delete all data concerning them. For the deletion to really cover every record of your former prospect or customer, the CRM must be synchronized with the other systems holding personal data (ERP, marketing automation, support tools); otherwise the next synchronization simply re-creates the contact. Make sure your CRM's API is fully open and enables these connections.
Moreover, for the right to be forgotten to be complete, your CRM must also have a mechanism for automatically deleting data once the retention period established by the company has expired.
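The consent record described under Prospect (legal basis, source, timestamp, who recorded it) and the two deletion requirements above (erasure that survives synchronization with other systems, and automatic deletion once the retention period has expired) can be modelled together. The following is an added example and not code from the original article or from any CRM product; the `CrmStore` class, its field names, the retention periods and the HMAC-based suppression list are assumptions made for illustration.

```python
"""Consent ledger, erasure and retention sweep for a CRM contact store.

Added example for illustration; not taken from the article or any CRM product.
Field names, retention periods and the suppression-list design are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    purpose: str            # what the data is used for, e.g. "newsletter"
    granted: bool           # True = opt-in, False = withdrawal
    legal_basis: str        # e.g. "consent", "contract"
    source: str             # where it was captured, e.g. "web form: product landing page"
    recorded_at: datetime   # timezone-aware timestamp
    recorded_by: str        # user or integration that wrote the event


@dataclass
class Contact:
    contact_id: str
    email: str
    stage: str              # "prospect", "customer" or "former_customer"
    last_activity: datetime


# Retention periods per lifecycle stage. Assumed values chosen by the company:
# the GDPR requires that a period be defined, it does not prescribe one.
RETENTION = {
    "prospect": timedelta(days=3 * 365),
    "customer": timedelta(days=10 * 365),
    "former_customer": timedelta(days=5 * 365),
}


def _serialisable(obj) -> dict:
    """dataclass -> dict with ISO 8601 dates, i.e. a machine-readable export."""
    return {k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in asdict(obj).items()}


class CrmStore:
    def __init__(self, suppression_key: bytes):
        self.contacts: dict[str, Contact] = {}
        self.events: list[ConsentEvent] = []   # append-only: current state is derived, never overwritten
        self.suppressed: set[str] = set()      # keyed hashes of erased e-mail addresses
        self._key = suppression_key            # protect like any other secret

    # -- consent: every change is a new event, so the history is the evidence --
    def record_consent(self, ev: ConsentEvent) -> None:
        if ev.contact_id not in self.contacts:
            raise KeyError(f"unknown contact {ev.contact_id}")
        self.events.append(ev)

    def current_consent(self, contact_id: str, purpose: str) -> ConsentEvent | None:
        matching = [e for e in self.events if e.contact_id == contact_id and e.purpose == purpose]
        return max(matching, key=lambda e: e.recorded_at, default=None)

    def may_process(self, contact_id: str, purpose: str) -> bool:
        ev = self.current_consent(contact_id, purpose)
        return ev is not None and ev.granted

    # -- right of access / portability: structured export of data and consent history --
    def export_contact(self, contact_id: str) -> dict:
        return {
            "contact": _serialisable(self.contacts[contact_id]),
            "consent_history": [_serialisable(e) for e in self.events if e.contact_id == contact_id],
        }

    # -- synchronization with other systems (ERP, marketing automation) --
    def import_contact(self, c: Contact) -> bool:
        """Refuses to resurrect a contact that was erased on request."""
        if self.is_suppressed(c.email):
            return False
        self.contacts[c.contact_id] = c
        return True

    # -- right to be forgotten --
    def _token(self, email: str) -> str:
        normalised = email.strip().lower().encode()
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def is_suppressed(self, email: str) -> bool:
        return self._token(email) in self.suppressed

    def _delete(self, contact_id: str) -> Contact:
        self.events = [e for e in self.events if e.contact_id != contact_id]
        return self.contacts.pop(contact_id)

    def erase(self, contact_id: str) -> None:
        """Erasure on request: delete everything, then block re-import of the address."""
        c = self._delete(contact_id)
        self.suppressed.add(self._token(c.email))

    # -- automatic deletion once the retention period has expired --
    def expired_contacts(self, now: datetime) -> list[str]:
        return [cid for cid, c in self.contacts.items() if now - c.last_activity > RETENTION[c.stage]]

    def purge_expired(self, now: datetime) -> list[str]:
        """Retention sweep: deletes without suppression, the person may legitimately come back."""
        ids = self.expired_contacts(now)
        for cid in ids:
            self._delete(cid)
        return ids


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = CrmStore(suppression_key=b"example-key-load-from-a-secret-store")
    store.import_contact(Contact("c1", "Alice@example.com", "prospect", now - timedelta(days=10)))
    store.record_consent(ConsentEvent("c1", "newsletter", True, "consent",
                                      "web form: product landing page", now - timedelta(days=10), "marketing-automation"))
    store.record_consent(ConsentEvent("c1", "newsletter", False, "consent",
                                      "preference center", now - timedelta(days=1), "self-service"))
    print("may send newsletter to c1:", store.may_process("c1", "newsletter"))
    store.erase("c1")
    print("re-import of erased address accepted:",
          store.import_contact(Contact("c3", "alice@example.com", "prospect", now)))
```

Two design choices matter here. Consent is never edited in place: each opt-in or withdrawal is a new event with its source and author, so the ledger itself is the traceable evidence the text asks for. Erasure on request and deletion after the retention period are deliberately different operations: an erased address goes onto a suppression list (stored as a keyed hash rather than the address itself) so that a later sync from the ERP or marketing automation tool cannot re-create the person, whereas a contact purged for exceeding the retention period is simply removed, because that person may legitimately become a new prospect later. The HMAC key must be protected, and the token remains pseudonymised personal data that should be deleted if the suppression list is ever no longer needed.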
Data to ban from your CRM
This is not a feature but a point of caution. Your CRM should not contain the special categories of personal data defined in Article 9 of the GDPR, whose processing is prohibited unless one of the specific exceptions in Article 9(2) applies (explicit consent, for example). They cover the following areas:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person,
- health,
- sex life or sexual orientation.
CRM and GDPR pursue the same transparency: convincing contacts and building loyalty on trust
Ultimately, the GDPR aims for transparency in the processing of personal data while a CRM system seeks to build loyalty among its contacts. These are shared objectives centered around customer relationship management.
Data is an asset of the company that enhances its value. With the advent of artificial intelligence, your future investment decisions and the quality of your offerings will depend on the integrity of personal data.