With the EU General Data Protection Regulation (GDPR) due to come into force in May of this year, there have been a lot of questions raised over whether existing CRMs are likely to cause problems. The reality is that some CRMs – particularly those that are older and/or bespoke – may be fairly far off GDPR compliance, and the cost of bringing them to a compliant point could be considerable. The alternative is migrating to a new, fully compliant system – but which is the best option for you?
This is one of the biggest issues raised by the GDPR – whether your current CRM does enough to police the issue of consent. Some of the more modern systems use flags to indicate opt-in or opt-out of various contact methods, but older CRMs may not have this. There is also a need for extra vigilance when processing the data of under-16s, and your systems must make it as easy to withdraw consent as it was to give it. Many newer systems have these tools and safeguards built in – for older systems it could cost a fortune to implement this kind of radical system change.
Data collection purposes
GDPR compliance requires that data is only collected for specific, explicit and legitimate purposes – is this something that your CRM incorporates? Many older systems have fields, such as name or description, but there is no integration of the purpose for collecting and processing this data.
Data subject access requests
Another important consideration is the ability to show where data has been collected from. If data hasn’t come from the data subject themselves, then the business must show “any available information as to their source” to the data subject. This just wasn’t a priority when many of the older CRM architectures were being created, and as a result many organisations could find it difficult to comply with data subject access requests because the information simply isn’t there.
Does your CRM have a time limit in terms of how long data is retained? Depending on the specific needs of the business, the GDPR could now put an expiry date on the data that is being held within the system and require that it is held for a far shorter period of time. The capability to track how long data has been retained and to automatically flag its expiry date is not something that many bespoke or older CRMs have.
Do you know what kind of privacy notice was shown to every customer whose data is held within your CRM? If not, then this is something that you may need to bear in mind as the GDPR comes into force. Who signed up, how did they sign up, when did they sign up and what version of the privacy notice did they see? This is all data that many modern CRMs can help you to track.
If you’d like to know more about a GDPR-compliant CRM – such as MarketDeveloper – please get in touch.