
Is your CRM GDPR ready?

July 23, 2021 (updated August 18th, 2021) | CRM Trends


In this eBook, you will gain insight into GDPR readiness and its role in the functionality of CRM. The GDPR sets a high standard for consent. It builds on the DPA standard of consent in many areas and contains significantly more detail that codifies existing European guidance and good practice. GDPR is regarded as tougher than the Data Protection Act (DPA) because it requires a clear affirmative action. The GDPR specifically bans pre-ticked opt-in boxes.

Let us understand the key factors responsible for GDPR compliance.

  • Context is very important in GDPR. The context may be within the control of the company’s own website or it may be through a third party. GDPR compliance can be simpler if you use the best tools for the job, for instance:
    • Mailchimp for mailing lists,
    • Eventbrite for selling tickets,
    • GoCardless for direct debit payments,
    • Xero for accounts.
  • Personal information is critically important to accessing the potential benefits of GDPR. Consent data can be made available by integrating the personal information through the company’s APIs. The security of the information can also be maintained by updating the privacy policy if the process is outsourced to third parties. Information accessibility under GDPR relies primarily on obtaining granular consent for distinct processing operations.
  • GDPR is forcing us to be transparent and upfront. The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
  • GDPR requires organizations to respect and protect personal data – no matter where it is sent, processed or stored.
  • It imposes new rules on companies, non-profits, government agencies and other organizations that offer goods and services to people in the EU.
  • This is set to be an important step forward for individual privacy rights by giving EU residents greater control over their personal data, and removing ambiguity about the definition of personal data.

Key Principles of GDPR in CRM domain

The key principles of GDPR in the CRM domain are listed below.

a) Transparency: It is important to understand that CRM data has been processed lawfully, fairly and in a transparent manner in relation to individuals. There should be a high degree of transparency while using an individual’s data in a lawful manner: let individuals know how you intend to use the information and why. This encourages positive CRM implementation, leading to a satisfied and secure customer base for the company.

b) Validity of collected data: Data for CRM is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. After being transparent about how and why the data is used, you must not use it for other reasons. This promotes external validity and encourages better CRM practices in terms of data collection.

c) Data relevancy: It is very important for the data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. There should be no attempt to hold data that serves no purpose. For example, you would not hold information about height, hair colour, age and religion if it has no bearing on what you do.

d) Data accuracy: CRM is more effective when the data is accurate and up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

e) Data identification formats: CRM needs data to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. There are some exceptions to this, for example where data is stored in the public interest.

f) Data security: CRM data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Challenges involved in GDPR readiness in CRM domain

The challenges of preparing for GDPR in the CRM domain are discussed in detail, and final recommendations to counter the challenges are suggested as corrective actions.

  • If you are using a CRM system and/or an email marketing system then the GDPR legislation is very important to you and your organisation. The EU data protection reform was adopted by the European Parliament and the European Council on 27th April 2016. The European Data Protection Regulation (‘EDPR’) will be applicable as of 25th May 2018.
  • The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
  • The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. It will replace the older Data Protection Act from the late 1990s.
  • It is intended to protect individuals’ personal data and is also designed to ‘harmonise’ data privacy laws across Europe, as well as give greater protection and rights to individuals.

Grounds for Processing CRM Data for GDPR compliance

Once you have tested the CRM data you store or control against the principles above, you can only use or process the data under one or more of the following grounds. These grounds must also be documented and evidenced so they can be shown to any authority or to the data subject to which they relate.

  • Consent
  • Performance of a contract
  • To comply with legal obligations
  • To protect the vital interests of the data subject or other people
  • To perform a task in the public interest
  • Legitimate Interest

No impact caused by Brexit

The Secretary of State for Department for Culture, Media & Sport (DCMS) has confirmed that GDPR will apply in the UK from May 2018. The UK will still be part of the EU at this time and will need to be recognized as a safe data haven in order to continue trading with EU members. In August 2017, UK government delivered a statement of intent for how a new Bill will bring the GDPR into UK law. 

Privacy policies

To bring privacy policies in line with the new directive, they will need to be more detailed but written in plain language. Marketing teams will need to work with legal representatives to review and rephrase these documents to ensure greater transparency.

Permission marketing 

Permission marketing will require all CRM organisations to confirm that they are the holder of an opted-in email address. GDPR also recognises that permission is not indefinite, and data would have to stop being used after a period of inactivity. Clearly this will impact the use of email addresses that are included in CRM marketing lists.

How can my CRM system help with GDPR compliance?

CRM  Process

  • Your CRM system can be a vital tool for gaining and maintaining GDPR compliance. Your policies will dictate what the systems need to do to support your compliance position. Simply having a CRM system that collects personal data does not make it compliant.
  • If your policies state that you only need name, address and email information to carry out the required management or service for your customers, then your CRM needs to be configured so that this is all it is able to store.
  • Your CRM should not allow users to enter personal details beyond that, such as age or marital status; otherwise your CRM system is clearly not compliant, because it is not following the policies defined around the agreed business need. There is then the associated data, such as emails and transactional history (orders, cases, enquiries etc.), to consider.
  • All users of the CRM system need to be informed and trained on the implications of GDPR and the use of the CRM system. A CRM system will hold records about individuals you sell to, so it is important that you can identify where, when and how each record got into your system. Typically the ‘Source’ field of a Lead or Customer record is going to answer that question.
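The two configuration points above (store only the fields the policy justifies, and capture where, when and how every record entered the system) can be enforced at record intake. The following is an added illustration, not code from the original post or from any CRM product; the field names, the allow-list and the source metadata keys are assumptions chosen for the example.

```python
# Added example (not from the original post): a record-intake check that enforces
# a data-minimisation policy and record provenance for a CRM. Field names,
# the allow-list and the source keys are assumptions, not a product schema.
from dataclasses import dataclass, field
from datetime import datetime

# Policy: the only personal fields the agreed business need justifies holding.
ALLOWED_FIELDS = {"name", "address", "email"}
# Provenance every record must carry: where, when and how it entered the system.
REQUIRED_SOURCE_KEYS = {"channel", "captured_at", "method"}


@dataclass
class IntakeResult:
    accepted: bool
    record: dict = field(default_factory=dict)
    rejected_fields: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def intake_record(submitted: dict, source: dict) -> IntakeResult:
    """Accept a Lead/Customer record only if it holds no fields outside policy
    and its provenance is complete. Out-of-policy fields are reported back
    rather than silently dropped, so the user and the audit trail see why."""
    result = IntakeResult(accepted=True)
    extra = sorted(set(submitted) - ALLOWED_FIELDS)
    if extra:
        result.rejected_fields = extra
        result.errors.append(f"fields outside policy: {', '.join(extra)}")
    missing = sorted(REQUIRED_SOURCE_KEYS - set(source))
    if missing:
        result.errors.append(f"source metadata missing: {', '.join(missing)}")
    else:
        try:
            datetime.fromisoformat(source["captured_at"])  # must be a real timestamp
        except ValueError:
            result.errors.append("captured_at is not an ISO-8601 timestamp")
    if result.errors:
        result.accepted = False
        return result
    # Store the policy-conformant fields together with their provenance.
    result.record = {**submitted, "source": dict(source)}
    return result
```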

Marketing via Email

  • If you use your CRM system to market via email then you need to implement an opt-in process for gaining permission to email that individual, recording when you obtained that email address for your list and what you intend to do with that address. For example, if you obtain an individual’s details in relation to Product A and then start emailing them about Product B, this could be deemed a breach of GDPR.
  • By using a double opt-in, not only has a user subscribed to a newsletter, mailing list or other email marketing messages by explicit request, but he or she has also confirmed in the process that the email address is their own. Wizard Systems can help you implement a double opt-in solution for your CRM if you do not already have one.
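The double opt-in, purpose-bound consent and easy withdrawal described above, as an added example that is not part of the original post and not Wizard Systems’ code. The purpose names and the 48-hour confirmation-link lifetime are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal double opt-in consent
# ledger for an email list. Purpose names and the 48-hour link lifetime are
# assumptions chosen for illustration, not a figure stated by GDPR.
import secrets
import time

TOKEN_TTL = 48 * 3600  # confirmation links expire after 48 hours (assumed policy)


def _now(now):
    return time.time() if now is None else now


class ConsentLedger:
    def __init__(self):
        self._pending = {}   # token -> sign-up request awaiting confirmation
        self._consents = {}  # (email, purpose) -> consent record with provenance

    def request_opt_in(self, email, purpose, source, now=None):
        """Step 1: sign-up form submitted. Record when and where the address came
        from and what it will be used for; mint a single-use confirmation token.
        No marketing is sent yet, only the confirmation link."""
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable
        self._pending[token] = {"email": email, "purpose": purpose,
                                "source": source, "requested_at": _now(now)}
        return token

    def confirm(self, token, now=None):
        """Step 2: the link is opened, proving control of the mailbox. Consent
        becomes effective only here, and only for the purpose requested."""
        now = _now(now)
        req = self._pending.pop(token, None)  # pop, not get: the token is single use
        if req is None or now - req["requested_at"] > TOKEN_TTL:
            return False
        self._consents[(req["email"], req["purpose"])] = {
            **req, "confirmed_at": now, "withdrawn_at": None}
        return True

    def withdraw(self, email, purpose, now=None):
        """Withdrawal is kept as a dated record rather than a deletion, so the
        consent history can be evidenced later."""
        rec = self._consents.get((email, purpose))
        if rec is None:
            return False
        rec["withdrawn_at"] = _now(now)
        return True

    def may_email(self, email, purpose):
        """Purpose-bound check: consent for Product A is not consent for Product B."""
        rec = self._consents.get((email, purpose))
        return rec is not None and rec["withdrawn_at"] is None
```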

Data Handling practices

  • How long can a CRM hold a person’s data? The GDPR legislation has rules around policies which mean that, depending on your specific business needs, there may be limitations on the extent of this data, the length of time it may be reasonable to hold it, and so on.
  • The legislation indicates that beyond a product warranty period there would be no reasonable need for a company to retain that person’s data. Your policy would need to state a case as to why a longer retention period is appropriate. However, even within the single subject area of emails there is complexity.
  • Does this include all emails a person has simply been copied on? If emails are stored in the CRM, then there is the double issue of managing this whole area in both your email service and your CRM.
  • There is also the consideration of backups and archiving, and this will apply to the CRM as much as to any other application. Clearly, good data quality, a subject very close to our hearts, is going to be an even greater requirement under GDPR than it has been to date simply to make CRM work efficiently. When requests from individuals are made, high-quality data will make it easier to ensure you identify the right person and that that person has only one record in your system.
  • Any actions required can then be carried out with confidence. If a person simply requests not to be contacted, i.e. unsubscribes, then because there is only one record they will not continue to receive communications from a duplicate entry in the CRM that was missed.

Review your users’ access rights: look at all your users and which access rights they have to your CRM system. Good CRM systems allow different levels of user access to be defined, controlling who can see what information, change it or delete it.

Effects of GDPR on CRM

The Core Principles

Here are the core principles concerning individuals’ rights under the GDPR. This is a good place to start so you can easily become familiar with the GDPR:

  • The right to be informed – when disclosure is needed on how you’re using personal data.
  • The right of access – individuals have the sole right to their personal data.
  • The right to rectification – If data is incomplete or incorrect, an individual can have their data removed or amended.
  • The right to erasure – you may be restricted from processing personal data if the individual requires the deletion of their data.
  • The right to restrict processing – you may not process the individual’s data after it’s stored should the individual request it.
  • The right to data portability – individuals can re-use their own data across different services.
  • The right to object – the right of individuals to decline their data being used for profiling, marketing or processing.
  • Rights for automated decision-making and profiling – when processing is automated, individuals aren’t subject to an unchecked, automated decision that might be potentially damaging.

GDPR and Marketing Practices

  • While you respect the personal data of your customers, the GDPR will require you to revisit the channels through which you collect customer information. CRM will be heavily impacted, but this regulation covers even the simplest forms of data management, such as website contact forms and email marketing tools.
  • When making sure your marketing practices comply with the GDPR, you may think this only applies to European and British customers, and that you are off the hook with American and other international customers. However, the international market is also affected by the GDPR.

Whether you are a B2B or B2C marketer, the GDPR governs how you process data, not where your clients live. To comply with GDPR CRM guidelines and maintain provable records when working with international clients, ensure your contact and privacy statements state how you are using their information and where it is being stored.

Key considerations in CRM domain for GDPR compliance

The GDPR will affect how you handle, collect, and process data from your customers. This will impact your CRM and CRM tools, and you need to be sure your current CRM will comply with all GDPR regulations.

  • Storing data – you need to be sure that data is encrypted and is processed only with the correct authorisation.
  • The kind of data you are storing and collecting – you have to justify that the data you are collecting is necessary to run your business.
  • Processing data – processing should be conducted so that the data can no longer be attributed to a subject without additional information.
  • Data transfer – if data requires transferring, it is required to be encrypted.
  • Accessing data – you need to decide who has access to your customers’ data and who does not. If you run your own CRM software or a similar type of software that is necessary to run your business, you need ‘privacy by default’ and ‘privacy by design’ built in. This means automatically applying the strictest privacy settings, including when a customer acquires a product, and these privacy features continue to apply after the product is purchased.


It is very important for organisations to comply with GDPR, and there are certain areas, such as the website, which can be affected by it. It is more important now than ever to inform your customers that your website uses cookies, if it does. This includes your mobile website. Cookies collect behaviour on your website, which helps marketers understand what their customers are doing there and how to tailor their marketing strategy to their website visitors. This not only improves marketing effectiveness but also the customer and user experience of websites. However, customers must now know that their behaviour is being monitored, and therefore consent is required. Have a disclaimer on your website, but make disabling cookies an available option; or you can simply ask whether they consent to using your website with cookies enabled.

The GDPR is also cracking down on unsolicited email marketing. If you are sending emails to people who have been sitting in your account for years, they may be putting your marketing emails in the trash. If you do not hold any permission information for them, you need to contact these customers to get the right permissions in place.

Nasir Khan - CRM Expert


More than a decade serving in client-contact roles, consistently contributing above average; expertise honed in cultivating strategic relationships, anticipating problems and communicating with warm, persuasive conviction.

  • Positioned SugarCRM as the most favourable CRM for the BFSI industry in India