Clear C2

clearc2 white logo

(972) 304-7100

What is GDPR and how can CRM help?

man with glasses smiling
Charlie Spaneas

What is GDPR?

GDPR Stands for General Data Protection Regulation (GDPR). It is a legal doctrine that establishes guidelines for the collection and processing of personal information of individuals within the European Union.

The GDPR defines the principles for data management and the rights of the individual. It also includes details on possible fines if you aren’t compliant. Its intent is to provide the protection of an individual’s personal data. These requirements are enforced within data privacy laws across Europe.

Background Legislation

The European spotlight on data protection is currently on the GDPR. The fact is data protection in Europe began in 1980 with the OECD Guidelines. It consisted of eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

In 1995, The Data Protection Directive 95/46/EC was the European Union’s answer to the division of privacy regulations across the EU. The European Parliament then adopted the GDPR in April 2016, replacing the outdated data protection directive from 1995.

It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.

The GDPR is a much larger piece of legislation. Most importantly, as a regulation and not a directive, it is an enforceable law in all member states and for anyone with EU data subjects.

There are three European authorities officially responsible for the legislative process for GDPR: the European Commission (the EU’s executive branch), the European Parliament (the legislative body), and the Council of Ministers of the EU (responsible for policy, legislation adoption, and budget).

Why does it exist?

The most obvious answer to that question is public concern over privacy. Europe, in general, has had more stringent rules around how companies use their citizens’ personal data. As stated above, the GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online “business center of activity” that it is today.

Consequently, the directive is outdated and does not address many ways in which data is stored, collected, and transferred today. Is the public concern over privacy warranted?

It is significant, and it grows with every new high-profile data breach. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold are among the top reasons there is a lack of trust in how companies treat their personal information.

Who does it apply to?

GDPR requirements apply to each member state of the European Union, fostering more consistent consumer and personal data protection across EU nations.

The reason for the GDPR is to force a uniform data security law on all EU members so that each member state no longer needs to compose its own data protection laws, and laws are ubiquitous across the entire EU.

GDPR does not only apply to EU citizens who are in the EU. It applies wherever in the world EU citizens are located. Therefore, the data of any EU citizens working in the US, vacationing in the US, or receiving medical treatment in the US is subject to the same protection as if the EU citizens were working, vacationing, or receiving medical treatment in the EU.

US businesses that employ EU citizens among their domestic workforce will have to ensure their data security measures reach GDPR standards – whether applied selectively or to the entire domestic workforce.

GDPR naturally applies to multi-national companies with a base in the EU or do business in the EU, although simply closing an EU base is insufficient to avoid compliance with GDPR. GDPR is about data, not where an organization has a base.

An organization may decide not to do business with EU citizens to avoid complying with GDPR, but even that decision must be implemented correctly. If you maintain a website that uses cookies, and can be accessed by EU citizens, GDPR applies.

General Requirements

The GDPR consists of 99 articles that are grouped into 11 chapters. GDPR requirements apply to each member of the European Union, aiming to create more consistent consumer and personal data protection across EU nations. Some of the key requirements of the GDPR include:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Compliance Enforcement

Supervising Authorities (SAs) hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Companies are subject to the SAs’ powers and penalties.

The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case, and the SA may choose whether to impose their corrective powers with or without fines.

For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.

How can my CRM help with GDPR Compliance?

GDPR greatly affects how businesses collect, store, and secure personal customer data. This means that GDPR impacts marketing, it changes sales prospecting, and it requires a change in customer service departments as all personal data needs to be handled in a more professional manner.

If you use a CRM solution, it should be able to support the collection and management of personal data securely.

Customer Rights

GDPR comprises eight basic rights. These rights are given to individuals to protect their private lives and control the digital footprints they leave behind when using internet-based applications and services.

These rights are meant to create transparency, control, and trust between the parties. For CRMs, they can be segregated into three separate stages:

    • Prospect Stage:
      • Right to Consent,
      • Right to Data Protection,
      • Right to View Personal Data
    • Customer Stage:
      • Right to get Notified,
      • Right to Correct Data
    • Post-Customer Stage:
      • Automated Delete,
      • Right to be Forgotten,
      • Right to Data Portability

Obtaining Proper Consent

GDPR mandates you have a “lawful basis” to process personal data. A lawful basis covers a lot of areas. For marketing personnel, the main objective is to obtain proper consent from their target markets before collecting and using their data.

If your CRM system helps you collect data on contacts as well as organize/analyze them, it needs to be able to create GDPR-compliant opt-in forms. When someone creates an account with your business or offers up information in exchange for an “Action” (i.e., demo, free trial, collateral, etc.), they must be able to actively check a box confirming their consent that you use their data. It should also explain clearly why you need the data and what you plan to use it for.

Using a tool like C2CRM, meeting this requirement should be fairly easy using custom fields on your signup forms. Make sure whatever CRM you use has a system for recording consent, when and how you got it, and any updates that are made to consent information.

You should be able to see and verify that consent was obtained for individual contacts in your database.

Subscription Management

Under GDPR, your contacts also have the right to change or withdraw their consent after it has been given. There must be an intuitive way of doing this that doesn’t require them to contact your customer support. That’s where subscription management features come in.

Your email messages should include options to unsubscribe and/or manage their subscription. This should take individuals to a portal where they can select/deselect what kind of marketing content they want to receive. C2CRM and other top CRM tools have opt-out and email preferences compliant with this need.

You will also need to implement an Opt-In process for gaining permission to email to that individual and stating when you gained that email address for your list, and what you intend to do with that address. For example, getting the individual’s details about Product A and then emailing them about Product B could be deemed a breach of GDPR.

When implementing a double opt-in, not only has a user subscribed to a newsletter, mailing list, or other email marketing messages by explicit request but he or she also confirms the email address is their own in the process.

In addition, for many businesses, email isn’t the only marketing channel you’ll manage with your CRM. Contacts should be able to opt in or out of different forms of communication (email, phone, SMS, etc.) and specific marketing messages.

Data Management Features

To gain GDPR compliance, you’ll likely need to make any changes to your contact database. A CRM with the right data management features can help you save a lot of time in this process.

After evaluating your personal data, you need to make changes to record where the data came from, your legal basis for having it, and what it will be used for. Instead of making these changes by hand with individual contact cards, you should be able to create rules to bulk update your records.

GDPR also requires that individuals have the right to request access to their data. Your CRM software needs to have features that make it possible to export contact data when they ask for it quickly.

Check your CRM to see if it has data export features so you can download information from your customer database. You should be able to export the personal data of individual people to CSV files that you can send out at their request.

Also, your policies will dictate what the systems must do to support your compliance position. For example, simply having a CRM system that collects personal data doesn’t make it compliant.

If your policies state that you only need a name, address, and email information, to carry out the required management/service to your customers, then your CRM needs to be configured such that this is all it is able to store.

Your CRM should not allow users to enter personal details such as age, marital status, or anything else beyond that; otherwise, your CRM system is not compliant because it is not following policies defined around the agreed business need. 

There is then the associated data, such as emails, and transactional history like Orders, Cases, enquires, etc., to consider. All users of the CRM system need to be informed and trained on the implications of GDPR and the use of the CRM system.

So, a CRM system will hold records about individuals you sell to. It is important you can identify where, when, and how the record got into your system. Typically, the ‘Source’ field of a Lead or Customer record will answer that question.


GDPR is the future for an individual’s data protection. Certification of GDPR compliance for companies is not required but recommended. Data Protection Authorities have accreditation programs for qualified vendors to administer the certification process.

This process can be very costly, especially for smaller companies. In most cases, demonstrating a company’s compliance is sufficient, but obtaining certification in advance often eliminates the need to do so. Your CRM system can be vital for gaining and maintaining GDPR compliance.