The Ultimate Guide to CRMs and the GDPR: Part Two


In our last article, we explained what GDPR is, the different grounds for collecting data and the rights of individuals that need to be met.

In this article, we’re going to look at how CRM functions can help support your GDPR processes and what steps you should take when setting up CRM-based data protection processes.


Stay GDPR compliant with a CRM


Implement policies

The data fields in your CRM can be customised, meaning that you can select which data your organisation collects. Any forms that customers fill out themselves would reflect these fields. This ensures that you only gather information you need to deliver products and/or services and nothing more.

CRMs can also track the source of data. For example, if your company uses both inbound and outbound sales, your CRM can tell you whether a customer’s information came from an online form or from a sales call. This helps meet the individual’s right to be informed.


Automate policies

A CRM can be used to ensure that policies are adhered to. For example, if there is a change to a person’s data you could automate a message to that individual to confirm they made the change.

A good example of an automated policy is the right to erasure. If you only need to keep customer data for a limited time you can set your CRM to automatically delete their data once that period is over. You could also send an automated message to the individual informing them of this and offering them the opportunity to sign up to your mailing list.

Once an individual has been removed from your database under the right to erasure, your CRM can be set to automatically reject them in future—this avoids someone accidentally being re-added.
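The automated deletion and re-add rejection described above, sketched as an added example (not KulaHub's code or any CRM's API). The `ContactStore` class, the 365-day retention period and the keyed-hash suppression list are assumptions made for illustration; all sample contacts are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)            # assumed retention period
SUPPRESSION_KEY = b"constructed-demo-key"  # assumption: a secret stored outside the CRM database


def email_token(email: str) -> str:
    """Keyed hash of the normalised address, so the suppression list holds no readable email."""
    normalised = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()


class ContactStore:
    def __init__(self):
        self.contacts = {}       # normalised email -> record
        self.suppressed = set()  # tokens of individuals erased on request

    def add(self, email, name, collected_at):
        if email_token(email) in self.suppressed:
            return False         # erased earlier: reject the re-add
        self.contacts[email.strip().lower()] = {"name": name, "collected_at": collected_at}
        return True

    def erase(self, email):
        """Right to erasure: drop the record, keep only the token."""
        self.contacts.pop(email.strip().lower(), None)
        self.suppressed.add(email_token(email))

    def purge_expired(self, now):
        """Retention expiry: delete old records without suppressing them."""
        expired = [e for e, r in self.contacts.items() if now - r["collected_at"] > RETENTION]
        for e in expired:
            del self.contacts[e]
        return expired


def demo():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = ContactStore()
    store.add("old@example.com", "Old", now - timedelta(days=400))
    store.add("ann@example.com", "Ann", now - timedelta(days=10))
    purged = store.purge_expired(now)              # retention period over
    store.erase("Ann@Example.com")                 # erasure request
    readded = store.add("ann@example.com ", "Ann", now)
    return purged, readded, sorted(store.contacts)
```

Records removed by `purge_expired` are not suppressed, so those individuals can still opt in to a mailing list later; only an erasure request blocks re-adding.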


Keep data secure

Cloud-based CRMs are among the most secure ways to store people’s data. Keeping data secure has two strands.

The first is stopping people’s data from being stolen or accessed maliciously. Common features to combat this include password protection, encryption and various security tools.

The second is preventing it from being lost or corrupted. CRMs often keep 28 days of backup data in case of a catastrophic failure. Any deleted files are also kept as inaccessible background data just in case they were removed by accident.


Manage access rights

CRMs allow you to set permissions for different users, meaning that they get different access rights. This allows you to collect customer data but only grant certain staff access to it. You could also limit how much of the data certain users can see.

This not only keeps your data safer but also helps support the right to restrict processing and the requirement to only use the data for what you need.


Manage consent

With a CRM you can set up consent agreements on all of your customer-facing channels and then store and track them in your central database.

You can then make it impossible for a customer’s data to be used for something they haven’t consented to. For example, if an insurance provider collects a customer’s data when they buy a policy and the customer does not agree to receive marketing messages, that person’s email address will be automatically blocked from appearing in campaign mailing lists.


Manage subscriptions

Gaining permission to use people’s data to send them newsletters or marketing material is one of the most visible GDPR applications. By managing your email campaigns through your CRM you can give customers direct control over their subscriptions and make it impossible for someone to accidentally receive communications that they didn’t agree to.


Keep in line with new requirements

Communication and data technologies are developing rapidly, and so are the regulations governing them. When GDPR first came in, it took many businesses months to get their data in line with the regulations. Having a CRM means that you can quickly make bulk changes to your data as and when new legislation comes in.

For example, if in the future businesses are required to ask for additional permissions when transferring customer financial data between nations, you could simply set up a new process that does this. Or perhaps you might need to erase all information pertaining to a certain aspect of a person’s identity; you could simply delete this from all records.


Four steps to GDPR compliance

By now you should be convinced that a CRM is a vital tool for complying with GDPR regulations.

However, you’re probably less clear on where to begin implementing your new processes. In the section below, we provide a step-by-step guide to planning and setting up these processes in a logical way that suits your business.


  1. Identify what data you need.
    Before you can get your processes in place you need to understand what data your company needs to collect from customers, how you will use it, where it will be stored and whether it will need to be transferred to a third party. These considerations ensure that you only collect the data you need and allow you to put in place only the policies that you need.

  2. Identify what the regulatory requirements are for collecting and managing that data.
    This is probably the hardest part. You’ll need to spend time considering what grounds you have for gathering data and weigh it up against the various individual rights listed above. We recommend that you visit the ICO website for more information.

  3. Work out what systems you’ll need in place.
    This is where your CRM comes in. Take a look at the information you are gathering, how it will be collected and by whom and then set up your CRM accordingly. At KulaHub, we can help you do this or even get it set up for you.

  4. Train your staff.
    Your staff need to understand data protection regulations as well as your internal processes. Most importantly of all, you should train them to recognise potential data breaches or mistakes in data management and report them to the ICO within 72 hours.



Get expert advice with KulaHub

This two-part guide provides detailed information on what GDPR is, how CRMs can help and what steps you should take when setting up CRM-based data protection processes.

However, choosing the right CRM and using it correctly can still be an overwhelming prospect.

If you need a high-level CRM to manage your customer data and keep your business GDPR compliant, contact [email protected]. He’ll happily listen to your challenges and suggest an effective and affordable solution.
