Some people may have bad memories from when GDPR was launched a few years ago.
For many companies, it involved a desperate scramble to understand the new legislation, before going through their customer data with a fine-tooth comb to ensure that it met regulations.
At the same time, businesses had to set up new procedures to ensure that data would be processed and managed correctly in the future.
As a CRM provider, we were at the heart of this. We took time to understand the requirements and worked with our customers to help implement them.
It was a tough process but we learnt two things:
- GDPR is about developing good internal data management processes
- A CRM is the best tool for implementing these processes
It’s important for businesses to follow GDPR rules. Not only are they a regulatory requirement with big fines for non-compliance, but they also make your database and the operations connected with it more efficient.
According to Nosto, within five months of GDPR implementation email open rates in the EU’s retail sector had increased by 30%. This is despite the fact that retailers had halved the number of people they sent marketing emails to.
Other sectors reported similar changes, showing that quality is more important than quantity and proving the value of GDPR.
That’s why we’re publishing a series of articles to help our customers understand what the GDPR requirements are, how a CRM like KulaHub supports processes to meet this legislation and what steps you should take to get them set up.
What is GDPR?
The General Data Protection Regulation is a legal requirement for companies to follow a series of guidelines when collecting and processing the personal information of people in the UK and the EU.
These guidelines are designed to give people greater rights and protection over their data, as well as to align data privacy laws across Europe.
These guidelines cover:
- The principles of data management that organisations must follow
- The rights that individuals have when it comes to personal data
- The fines that could be levied for non-compliance
Let’s take a look at these in greater detail.
GDPR principles
Any company that collects or controls data must meet the following criteria or delete the information they hold:
- Be honest, transparent and upfront about how and why you are going to use an individual’s personal data. For example, you can hold a competition with the aim of collecting customer email addresses to add to your mailing list—but you need to make sure you tell participants before they enter.
- You should only collect personal data for the legitimate purposes that you explicitly specified. This means that if a customer submits their phone number to receive service updates, you can’t start giving them sales calls unless you seek and gain their permission.
- The information you collect needs to be relevant to what you use it for, and you should only collect what you need. For example, if you are a dressmaker it makes sense to collect your customers’ measurements. It makes less sense to collect data on their hair colour, age or favourite horror movie.
- Only keep data for as long as you need it. If your customers sign up to receive your newsletter you’ll probably have their details on record for some time. However, if you decide to no longer produce your newsletter you need to delete those customers’ details.
- Data needs to be as accurate as possible and kept up to date. If an individual contacts you to say that their details are wrong you should immediately update them.
- You must keep the data secure against loss, damage or unauthorised or illegal processing. This is a vital element that is pretty self-explanatory. If you store people’s data it needs to be kept secure.
You’ll also need to have certain grounds for collecting people’s data. These include:
- Consent: Most people will recognise this in their everyday lives; it’s simply when a company asks you to agree to them using your data. This is usually at the bottom of online forms when companies ask for permission to send you marketing messages.
- Contract performance: If you sign a contract with a company they will usually need at least some personal data to carry it out. The amount of information required depends on the contract. For example, if you provide consumer financial services you will need to process some personal data, such as your customers’ credit history.
- Comply with legal obligations: Some professions are subject to regulations that require them to record and share information about who they work with. A good example of this is accountants, who are required to keep customer records in accordance with anti-money laundering legislation.
- Protect vital interests: Some services deal with people’s health or safety. In these cases, gathering personal data can often be in the interests of the individual. For example, a private healthcare provider will need to keep its customers’ medical records.
- To perform a task in the public interest: Many private companies provide services that are in the public interest and require them to maintain personal data. A good example of this is utility companies, which have to keep customers’ financial information as well as their usage of the utility.
- Legitimate interest: This is a broad area that covers any use of data that has a minimal privacy impact. Organisations must be able to prove that their use of data is legitimate, necessary and isn’t overridden by the interests of the individual. These grounds could be used by businesses trying to use personal data to combat fraud. Combatting fraud is both legitimate and necessary, and it overrides the rights of the individual if there are reasonable grounds to investigate.
GDPR rights
GDPR sets out eight rights for individual citizens concerning their personal data. You’ll need to weigh your use of their data against these rights to test if you are using it legitimately:
- The right to be informed: This isn’t just about telling people you are collecting their data and what you intend to do with it. You also need to provide a raft of information about your organisation and how you manage people’s data. Visit the Information Commissioner’s Office (ICO) website for more information.
- The right of access: Individuals have the right to request access to and receive a copy of the personal data you hold on them. This can be requested verbally or in writing, and can even be made on behalf of another person.
- The right to rectification: Individuals have the right to have inaccurate personal information updated within one month of a request.
- The right to erasure: In most circumstances, people can ask a company to erase their personal data. This is known as the ‘right to be forgotten’. Once again, companies have one month to respond.
- The right to restrict processing: In some circumstances, people can request to have their data restricted or suppressed—in other words, the company can store it but not necessarily use all of it.
- The right to data portability: This allows people to access and reuse their data across different services. It enables individuals to use services like price comparison websites, which need to share an individual’s data in order to find deals and pass customers to their chosen providers.
- The right to object: Individuals have a right to object to their data being used and you must respond to such requests within a month. However, this right is not absolute if the processing is in the public interest, the exercise of an official duty vested in you, or for legitimate interests such as legal grounds.
- Rights in relation to automated decision-making and profiling: This refers to feeding people’s personal data into computer algorithms to make decisions. Examples include deciding whether a customer is suitable for credit or assessing the likelihood that an individual would buy a certain product. You must get explicit consent from the individual to use their data in this way and you will usually need to inform them of your intentions.
What are the penalties?
If you fail to have GDPR processes in place or process people’s data without their consent you could be fined by the UK’s Information Commissioner. The fines use a tiered system with a higher and a standard category.
The higher maximum
The higher category covers infringements relating to:
- Failure to comply with data protection principles
- Breaching an individual’s data rights
- Failing to comply with data transfer rules
Companies that breach these rules can be fined up to 4% of their annual global turnover, or up to £17.5m.
The standard maximum
The standard tier is for failing to have the correct processes or protections in place or for not meeting administrative requirements. For example, this could include failing to report to an individual if their data is breached.
The maximum penalty for such infringements is £8.7m, or 2% of total annual turnover.
How can a CRM help?
If you’ve read this far you’re probably wondering how you’re ever going to implement so many requirements at your business.
Never fear. A CRM is the perfect GDPR tool and can manage most processes for you. In our next article, we’ll highlight the different functions that CRMs offer and which parts of the legislation they can help you comply with. We’ll also explain what steps you should take when setting up CRM-based data protection processes.
Alternatively, if you want to speak to someone about how a CRM could ensure your business stays GDPR compliant contact [email protected]. He’ll happily listen to your challenges and suggest an effective and affordable solution.