Is your CRM (customer relationship management) system GDPR compliant?

Organisations that use a CRM (customer relationship management) system will have plenty of experience handling large volumes of personal data, which can be both a good and bad thing when it comes to the GDPR (General Data Protection Regulation). 

On the one hand, they’ll be familiar with the importance of keeping information such as names, email addresses and dates of birth secure, and updating or removing information when it’s no longer necessary. 

But on the other hand, extensive data processing activities require more rigorous compliance activities, increasing the potential for regulatory violations. 

So, how can you ensure your CRM is GDPR compliant? The answer is in adopting data protection by design and by default.


What is data protection by design and by default?

The GDPR introduced the term ‘data protection by design and default’ as a slight tweak on the existing idea of privacy by design. It essentially requires organisations to consider privacy and security issues at the outset of any personal data processing activity you conduct. 

Organisations can achieve the ‘by design’ aspect by implementing appropriate technical and organisational measures to meet the GDPR’s principles, and integrate safeguards into their personal data processing to ensure they can fulfil data subject’s rights. 

Meanwhile, data protection by default requires organisations to perform data processing activities only if they are necessary to achieve a specific goal. This requirement is closely linked with the principles of data minimisation and purpose limitation. 

To achieve data protection by default, organisations should: 

  • Take a ‘privacy-first’ stance with any default settings of systems and applications; 
  • Ensure they don’t give individuals the illusion of choice when it comes to data processing, instead giving them genuine control; 
  • Ensure that personal data is not automatically made publicly available unless the individual decides to make it so; and 
  • Provide individuals with enough controls and options to exercise their rights. 

Some CRM software providers redesigned in the wake of the GDPR to ensure their systems providing data protection by design and default, but it’s essential that you check whatever system you use. 

After all, youre responsible for your organisation’s practices, so if you’re using a third party, it’s not good enough to place the blame on their products and services if they don’t meet the GDPR’s requirements. 

Instead, you must take ownership of your practices. This might involve amending your policies and processes to ensure your CRM is up to scratch, or turning to a different organisation to provide CRM support. 


The benefits of a GDPR-compliant CRM

In the midst of auditing your CRM against the GDPR, it’s easy to lose sight of why the Regulation’s requirements are in place. 

The GDPR isn’t just a bureaucratic burden; it’s designed to develop trust between organisations and individuals – which is what your CRM should be doing too. 

It might take time to adjust your CRM, but doing so will lead to a better relationship between your and your customers, nurturing long-term growth. 


How the GDPR affects your business

EU GDPR, A Pocket guide, Second EditionSince the GDPR took effect in 2018, organisations have been required to make many changes to the way they operate. 

You can find out more about the ways your business is required to evolve alongside the Regulation by reading EU GDPR – A Pocket Guide. 

Written by Alan Calder, IT Governance’s founder and executive chairman, this book will help you gain a clear understanding of the Regulation and the steps you must take to achieve compliance. 

This book is also available in French, German,Italian and Spanish. 


Have a specific GDPR question?

Do you need a quick answer to a GDPR query? Feel free to ask us via our one-off consultancy solution. 

We make it quick and easy to get practical advice and guidance, with a team of GDPR experts answering your questions by email or live chat. 

Got a GDPR question?

corporate accountA version of this blog was originally published on 14 February 2018. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.