Recent changes to data protection compliance requirements have put the way that many CRMs function in the spotlight. The EU General Data Protection Regulation (GDPR) came into force in May 2018 and brought with it new requirements for the handling of personal data. Penalties for non-compliance with this new regulation could potentially be severe, so re-evaluating whether a CRM is compliant is essential. There are a number of key issues that may point to the necessity of a CRM overhaul.
No identification of data collection purposes
The GDPR requires that data collection purposes must be specific, explicit and legitimate. More modern CRMs include this function, identifying information such as description and name, as well as the purpose for which the data was collected. However, older systems don’t identify data collection purposes, which may leave a business exposed.
A lack of time limits on data retention
Requirements in the GDPR vary but some data now has an expiry date in terms of how long it can be retained. Many organisations have become used to acquiring data and then just storing it until it’s either used or forgotten about – this is not possible with the new regime. Given the potential complexity of keeping track of data that does have an expiry date, and ensuring it is not retained beyond that date, a CRM has an essential role to play in flagging up potential time limits. Many bespoke CRMs and older systems simply can’t do this.
One of the biggest issues in the GDPR is that of consent. Not only is it now necessary to be able to identify whether an individual has opted in to or out of various methods of contact, but there are also specific requirements when dealing with certain people, such as minors. Consent is an issue that needs to be much clearer today – it’s not possible to simply hope that the right consent is there if you want to avoid financial penalties. Consumers are well educated about their rights under the GDPR and highly likely to complain about businesses that aren’t complying. The right CRM makes policing consent simple, using flags to indicate where consent is given and making it straightforward to action consent withdrawal.
Blocking data subject access requests
Did you know that anyone you hold data on can ask to see it now? If the data wasn’t directly collected by you from them, they can also request any available information that you have about the data source. This could be a nightmare for many older CRMs, which simply don’t provide this kind of data history. Time and resources may well be wasted trying to comply with data subject access requests to avoid financial penalties. A newer CRM can be set up to ensure that there are direct lines of traceability, accommodating rather than blocking data subject access requests.
No information on privacy notices
You must be able to show that anyone whose data you have collected has seen a privacy notice. You’ll not only need information on when they signed up but also which version of the privacy notice they were shown. With a newer CRM it’s simple to track and access this information should your business ever be called upon to prove it.
These are just some of the holes that many organisations are finding in their compliance efforts as a result of an out-of-date CRM. Overhauling this essential system could ensure you meet compliance requirements and keep your business from facing penalties.