What is GDPR and how can CRM help?
What is GDPR?
GDPR stands for General Data Protection Regulation. It is an EU regulation that establishes guidelines for the collection and processing of the personal information of individuals within the European Union. The GDPR defines the principles for data management and the rights of the individual, and it sets out the fines that can be imposed if you aren’t compliant. Its intent is to protect an individual’s personal data, and its requirements are enforced through data privacy law across Europe.
The European spotlight on data protection is currently on the GDPR. The fact is, data protection in Europe began in 1980 with the OECD Guidelines. It consisted of eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
In 1995, the Data Protection Directive 95/46/EC was the European Union’s answer to the fragmentation of privacy regulations across the EU. The European Parliament then adopted the GDPR in April 2016, replacing the outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the export of personal data outside the EU.
The GDPR is a much larger piece of legislation than the 1995 directive. Most importantly, as a regulation and not a directive, it is directly enforceable law in all member states and applies to anyone processing the data of EU data subjects. Three European authorities are officially responsible for the legislative process behind the GDPR: the European Commission (the EU’s executive branch), the European Parliament (the legislative body) and the Council of Ministers of the EU (responsible for policy, adoption of legislation and the budget).
Why does it exist?
The most obvious answer to that question is public concern over privacy. Europe, in general, has had more stringent rules around how companies use the personal data of its citizens. As stated above, the GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online “business center of activity” that it is today. Consequently, the directive is outdated and does not address many ways in which data is stored, collected and transferred today. Is the public concern over privacy warranted? It is significant and it grows with every new high-profile data breach. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold are among the top reasons there is a lack of trust in how companies treat their personal information.
Who does it apply to?
GDPR requirements apply to each member state of the European Union fostering more consistent protection of consumer and personal data across EU nations.
The purpose of the GDPR is to impose a uniform data protection law on all EU members, so that each member state no longer needs to write its own data protection laws and the same rules apply consistently across the entire EU.
GDPR does not only apply to EU citizens who are in the EU. It applies wherever in the world EU citizens are located. Therefore, the data of any EU citizens working in the US, vacationing in the US, or receiving medical treatment in the US is subject to the same protection as if they were working, vacationing or receiving medical treatment in the EU. US businesses that employ EU citizens among their domestic workforce will have to ensure their data security measures meet GDPR standards, whether applied selectively or to the entire domestic workforce.
The GDPR consists of 99 articles that are grouped into 11 chapters. Some of the key requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Supervisory Authorities (SAs) hold investigative and corrective powers. They may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Companies are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive did. Fines are determined based on the circumstances of each case, and the SA may choose whether to exercise its corrective powers with or without a fine. Depending on which GDPR requirements a company fails to comply with, fines may be up to €10m or 2% of total global annual turnover, or up to €20m or 4% of total global annual turnover, whichever is greater in each case.
How can my CRM help with GDPR Compliance?
GDPR has a big effect on how businesses collect, store and secure personal customer data. This means that GDPR impacts marketing, it changes sales prospecting and it requires change in customer service departments as all personal data needs to be handled in a more professional manner. If you use a CRM solution, then it should be able to support the collection and management of personal data in a secure way.
GDPR comprises eight basic rights. These rights are given to individuals to protect their private lives and to control the digital footprints they leave behind when using internet-based applications and services.
These rights are meant to create transparency, control, and trust between the parties. For CRMs, they can be segregated into 3 separate stages:
- Prospect Stage:
  • Right to Consent
  • Right to Data Protection
  • Right to View Personal Data
- Customer Stage:
  • Right to get Notified
  • Right to Correct Data
- Post-Customer Stage:
  • Automated Delete
  • Right to be Forgotten
  • Right to Data Portability
Prospect Stage
Obtaining Proper Consent
GDPR mandates that you must have a “lawful basis” to process personal data. Lawful basis can rest on several different grounds, but for marketing personnel the main objective is to obtain proper consent from their target markets before collecting and using their data.
If your CRM system helps you collect data on contacts as well as organize and analyze it, it needs to be able to create GDPR-compliant opt-in forms. When someone creates an account with your business or offers up information in exchange for an “Action” (e.g. a demo, free trial, or collateral), they need to be able to actively check a box confirming that they consent to your use of their data. The form should also explain clearly why you need the data and what you plan to use it for.
If you use a tool like C2CRM, it should be fairly easy to meet this requirement using custom fields on your signup forms. Make sure whatever CRM you use has a system for recording consent, when and how you got it, and any updates that are made to consent information. You should be able to see and verify that consent was obtained for individual contacts in your database.
Under GDPR, your contacts also have the right to change or withdraw their consent after it has been given. There must be an intuitive way of doing this that doesn’t require them to contact your customer support. That’s where subscription management features come in. Your email messages should include options to unsubscribe and/or manage their subscription. This should take individuals to a portal where they can select/deselect what kind of marketing content they want to receive. C2CRM and other top CRM tools have opt-out and email preferences compliant with this need.
You will also need to implement an opt-in process for gaining permission to email that individual, recording when you obtained that email address for your list and what you intend to do with it. For example, if you collect an individual’s details in relation to Product A and then start emailing them about Product B, this could be deemed a breach of GDPR. With a double opt-in, not only has a user subscribed to a newsletter, mailing list or other email marketing messages by explicit request, but he or she has also confirmed in the process that the email address is their own.
In addition, for many businesses, email isn’t the only marketing channel you’ll manage with your CRM. Contacts should be able to opt in or out of different forms of communication (email, phone, SMS, etc.) as well as specific marketing messages.
Data Management Features
To gain GDPR compliance, you’ll likely need to make a lot of changes to your contact database. A CRM with the right data management features can help you save a lot of time in this process.
After evaluating what personal data you have, you need to make changes to record where the data came from, your legal basis for having it, and what it will be used for. Instead of making these changes by hand with individual contact cards, you should be able to create rules to bulk update your records.
GDPR also requires that individuals have the right to request access to their data. Your CRM software needs to have features that make it possible to quickly export contact data when they ask for it. Check your CRM to see if it has data export features so you can download information from your customer database. You should be able to export the personal data of individual people to CSV files that you can send out at their request.
Your policies also dictate what your systems must do to support your compliance position. Simply having a CRM system that collects personal data does not make it compliant. If your policies state that you only need a name, address and email address to carry out the required management or service for your customers, then your CRM needs to be configured so that this is all it is able to store. It should not allow users to enter personal details such as age, marital status or anything else beyond that; otherwise the CRM is not following the policies defined around the agreed business need and is therefore not compliant. Associated data, such as emails and transactional history (orders, cases, enquiries, etc.), also needs to be considered.
All users of the CRM system need to be informed and trained on the implications of GDPR for their use of the system. Because a CRM holds records about the individuals you sell to, it is important that you can identify where, when and how each record got into your system. Typically, the ‘Source’ field of a Lead or Customer record answers that question.
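The three CRM capabilities discussed above (recording consent with its source and timestamp so that a later withdrawal overrides it, exporting one person’s data on request, and refusing to store fields outside the agreed policy) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from C2CRM or any other CRM product; the class and field names, the channel list and the sample contact are all constructed for the example.

```python
"""Added example (not from the article or any CRM vendor): a minimal in-memory
CRM store with an append-only consent ledger, a policy-enforced field allowlist
and a per-subject CSV export. Every name and sample value here is constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Policy: the only personal-data fields the agreed business need justifies.
ALLOWED_CONTACT_FIELDS = frozenset({"name", "address", "email"})
# Channels a contact can opt in to or out of independently (constructed list).
CHANNELS = ("email", "phone", "sms")


class PolicyViolation(ValueError):
    """Raised when a record would hold data outside the agreed policy."""


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    channel: str
    granted: bool   # True = opt-in, False = withdrawal
    purpose: str    # what the data will be used for, e.g. "Product A updates"
    source: str     # where/how consent was captured, e.g. "signup form /demo"
    at: str         # ISO-8601 UTC timestamp of the decision


class Crm:
    def __init__(self):
        self._contacts = {}   # contact_id -> {field: value}, allowlisted fields only
        self._ledger = []     # chronological, append-only ConsentEvent audit trail

    def upsert_contact(self, contact_id, **fields):
        """Create or update a contact; reject any field the policy does not permit."""
        extra = set(fields) - ALLOWED_CONTACT_FIELDS
        if extra:
            raise PolicyViolation(f"fields not permitted by policy: {sorted(extra)}")
        self._contacts.setdefault(contact_id, {}).update(fields)

    def record_consent(self, contact_id, channel, granted, purpose, source, at=None):
        """Append one opt-in or withdrawal; nothing in the ledger is ever edited."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if contact_id not in self._contacts:
            raise KeyError(contact_id)
        stamp = at or datetime.now(timezone.utc).isoformat()
        self._ledger.append(ConsentEvent(contact_id, channel, granted, purpose, source, stamp))

    def current_consent(self, contact_id):
        """Latest decision per (channel, purpose); a later withdrawal overrides a grant."""
        state = {}
        for ev in self._ledger:
            if ev.contact_id == contact_id:
                state[(ev.channel, ev.purpose)] = ev.granted
        return state

    def may_contact(self, contact_id, channel, purpose):
        """Default is no permission: a purpose never consented to cannot be used."""
        return self.current_consent(contact_id).get((channel, purpose), False)

    def export_subject_data(self, contact_id):
        """Subject access request: profile plus full consent history, as CSV texts."""
        profile = self._contacts[contact_id]
        columns = ["contact_id", *sorted(ALLOWED_CONTACT_FIELDS)]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=columns)
        writer.writeheader()
        writer.writerow({"contact_id": contact_id,
                         **{k: profile.get(k, "") for k in ALLOWED_CONTACT_FIELDS}})
        profile_csv = buf.getvalue()

        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["channel", "granted", "purpose", "source", "at"])
        for ev in self._ledger:
            if ev.contact_id == contact_id:
                writer.writerow([ev.channel, ev.granted, ev.purpose, ev.source, ev.at])
        return {"profile.csv": profile_csv, "consent.csv": buf.getvalue()}

    def erase_contact(self, contact_id):
        """Right to be forgotten: drop the profile and its consent events; return count removed."""
        removed = len([ev for ev in self._ledger if ev.contact_id == contact_id])
        self._ledger = [ev for ev in self._ledger if ev.contact_id != contact_id]
        self._contacts.pop(contact_id, None)
        return removed


def demo():
    """Constructed scenario: consent captured on a signup form, later withdrawn via a portal."""
    crm = Crm()
    crm.upsert_contact("c1", name="Ada Example", email="ada@example.invalid")
    crm.record_consent("c1", "email", True, "Product A updates", "signup form /demo",
                       at="2024-01-10T09:00:00+00:00")
    crm.record_consent("c1", "email", False, "Product A updates", "preference portal",
                       at="2024-02-01T12:30:00+00:00")
    return crm


if __name__ == "__main__":
    crm = demo()
    print("email about Product A allowed:", crm.may_contact("c1", "email", "Product A updates"))
    print(crm.export_subject_data("c1")["consent.csv"])
```

Two design points carry the compliance argument: consent is stored as events rather than a single flag, so the export shows when and how each decision was made and a withdrawal cannot silently overwrite the history; and permission is keyed by both channel and purpose, so consent collected for Product A never authorises messages about Product B.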
GDPR is the future for an individual’s data protection. Certification of GDPR compliance for companies is not required but recommended. Data Protection Authorities have accreditation programs for qualified vendors to administer the certification process. This process can be very costly, especially for smaller companies. In most cases, demonstrating a company’s compliance is sufficient, but obtaining certification in advance can most often eliminate the need to do so. Your CRM system can be a vital tool for gaining and maintaining GDPR compliance.