25 May 2018 marks the day the General Data Protection Regulation (GDPR) comes into force. The GDPR gives people better control over their personal data and raises the level of data security across Europe. Read on to find out the biggest changes affecting your customer data management.
According to research from the GDMA and Winterberry Group, 92% of all respondents store information about customers, prospects and other contacts. Typically, this kind of information includes a lot of personal data: names, (email) addresses, personal interests, digital footprints and more.
This data is oftentimes stored in a CRM system. But with the GDPR, your strategy for customer data management will have to change.
Example of how the GDPR will impact your customer data management
What does the GDPR mean for you as a small to medium-sized business? It’s hard to find an explanation that is both comprehensible and applicable to your company. That’s why we’ll explain some key changes related to the GDPR using a promotional or commercial email for your services as an example.
The GDPR makes a distinction between two different types of emails:
- Without commercial aspect: holiday greetings or best wishes emails, information concerning the GDPR, etc.
- With commercial aspect or direct marketing: includes price information, discounts, promotional offers, etc.
Get explicit consent
You need to obtain consent for storing people’s personal data and document it clearly. Obtain it in a way that leaves no room for misinterpretation, as a written or spoken statement. If your company, for instance, mainly does business over the phone, you’ll have to record the calls in which consent is given and link them to your CRM, so you can easily retrieve the recordings later.
Example: You need to ask your contacts (with the exception of customers) explicitly if they want to keep receiving your promotional emails. This means you can no longer use a soft email opt-in - e.g. a pre-checked box which easily captures your contact’s permission. Instead, think of a new way to ask people for clear permission.
For instance, offer them a personalised choice to subscribe to different types of content (useful how-tos about your product, service updates or special offers) and communication methods (email, phone or post).
As for customers, you can assume they have a legitimate interest in receiving promotional content, so you don’t need their explicit consent. However, you should provide an easy and transparent way for them to unsubscribe.
You can only collect personal data for specified, explicit and legitimate purposes. Clearly specify in your privacy declaration how you’ll use your contacts’ personal data: you’re only allowed to use the data for those purposes. For example, a liquor company has a legitimate reason to ask for your birthday, as it can’t market its product to a person below a certain age. However, eCommerce companies don’t have the right to ask for this data in order to, for example, send people an email on their birthday.
Legal basis for processing personal data
You need to have a reasonable legal basis for processing personal data, which means you can’t retain unnecessary data or use it to your liking. You can only store the data for the time necessary for the purpose given.
Example: You can no longer send emails to people who subscribed to your promotional emails years ago. When they first subscribe, you need to specify how long you’ll retain their data and ask them to reaffirm their subscription on a regular basis.
Right to be forgotten
You need to have a system in place to automatically delete personal data once the mandatory retention period has passed. What’s more, this system should enable you to delete customer data on request. Data subjects, such as your contacts or customers, have the right to contact you at any time to ask for their data and to request its deletion. You should provide a copy of the personal data you process about them. If the data subject made the request by electronic means, you can provide the information via email, unless they request otherwise. Afterwards, you ‘forget’ their information and permanently delete their data from all your records.
Next, you will have to search your data (including old systems and backups) to identify whether you hold the requested data. Upon the data owner’s request, you will need to delete the data and confirm that the removal has been completed.
Example: Does someone want to unsubscribe from your mailing list? You have to make the way out easy and transparent to find, for instance by adding a footer to your emails with a clear unsubscribe option.
Right to data portability
Next to the right to be forgotten, data subjects have the right to transmit their personal data to another controller. For instance, when you change telecom providers, a data subject can request to transfer their personal data from one provider to another.
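The obligations described in the sections above (documented explicit consent per purpose and channel, a retention period fixed at subscription time, automatic deletion on expiry, deletion on request with a confirmation, and an exportable copy of the subject’s data) can be modelled in a small contact store. The following Python is an added example written for this article; it is not Teamleader’s code, and every name in it (ContactStore, record_consent, may_contact, purge_expired, export, erase) as well as the sample contacts and evidence references are constructed for illustration.

```python
"""Added example (not Teamleader code): an in-memory CRM contact store that
documents consent with evidence, enforces retention, and supports export
(portability) and erasure (right to be forgotten). All names are invented."""
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
import json

PURPOSES = {"promotional_email", "service_updates", "product_howtos"}  # constructed
CHANNELS = {"email", "phone", "post"}


@dataclass
class Consent:
    purpose: str
    channel: str
    given_at: datetime
    expires_at: datetime   # retention period agreed at subscription time
    evidence: str          # e.g. form submission id or call recording reference


@dataclass
class Contact:
    contact_id: str
    name: str
    email: str
    is_customer: bool = False           # customers: legitimate-interest basis
    consents: list[Consent] = field(default_factory=list)


class ContactStore:
    def __init__(self) -> None:
        self.contacts: dict[str, Contact] = {}
        self.audit_log: list[dict] = []  # ids and timestamps only, no personal data

    def add(self, contact: Contact) -> None:
        self.contacts[contact.contact_id] = contact

    def record_consent(self, contact_id, purpose, channel, evidence, retention_days, now):
        """Store explicit consent; a consent with no documented evidence is refused."""
        if purpose not in PURPOSES or channel not in CHANNELS:
            raise ValueError("unknown purpose or channel")
        if not evidence.strip():
            raise ValueError("consent must be linked to documented evidence")
        c = Consent(purpose, channel, now, now + timedelta(days=retention_days), evidence)
        self.contacts[contact_id].consents.append(c)
        return c

    def may_contact(self, contact_id, purpose, channel, now) -> bool:
        """Customers may get promotional email without explicit consent; everyone
        else needs an unexpired consent for exactly this purpose and channel."""
        contact = self.contacts.get(contact_id)
        if contact is None:
            return False
        if contact.is_customer and purpose == "promotional_email":
            return True
        return any(c.purpose == purpose and c.channel == channel and c.expires_at > now
                   for c in contact.consents)

    def purge_expired(self, now) -> list[str]:
        """Drop consents past retention; a non-customer with no basis left is erased."""
        deleted = []
        for cid, contact in list(self.contacts.items()):
            contact.consents = [c for c in contact.consents if c.expires_at > now]
            if not contact.consents and not contact.is_customer:
                self.erase(cid, now, reason="retention expired")
                deleted.append(cid)
        return deleted

    def export(self, contact_id) -> str:
        """Data portability: everything held about the subject, as JSON."""
        return json.dumps(asdict(self.contacts[contact_id]),
                          default=lambda d: d.isoformat(), indent=2)

    def erase(self, contact_id, now, reason="subject request") -> dict:
        """Right to be forgotten: remove the record and keep a receipt without
        personal data, so the deletion itself can be confirmed and evidenced."""
        self.contacts.pop(contact_id)
        receipt = {"contact_id": contact_id, "erased_at": now.isoformat(), "reason": reason}
        self.audit_log.append(receipt)
        return receipt


def demo() -> dict:
    """Run the scenario on constructed sample contacts and return the outcomes."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = ContactStore()
    store.add(Contact("c1", "Alice Example", "alice@example.com"))             # prospect
    store.add(Contact("c2", "Bob Example", "bob@example.com", is_customer=True))
    store.add(Contact("c3", "Carol Example", "carol@example.com"))             # stale subscriber
    store.record_consent("c1", "promotional_email", "email",
                         "web form submission #123 (constructed)", 365, now)
    store.record_consent("c3", "promotional_email", "email",
                         "call recording ref 2015-03 (constructed)", 365, now - timedelta(days=3 * 365))
    results = {
        "prospect_may_email": store.may_contact("c1", "promotional_email", "email", now),
        "prospect_may_phone": store.may_contact("c1", "promotional_email", "phone", now),
        "customer_may_email": store.may_contact("c2", "promotional_email", "email", now),
        "stale_may_email": store.may_contact("c3", "promotional_email", "email", now),
    }
    try:  # a pre-checked box with nothing behind it is not documented consent
        store.record_consent("c2", "service_updates", "email", "   ", 30, now)
        results["blank_evidence_rejected"] = False
    except ValueError:
        results["blank_evidence_rejected"] = True
    results["purged"] = store.purge_expired(now)
    results["export_c1"] = json.loads(store.export("c1"))
    results["receipt_c1"] = store.erase("c1", now)
    results["remaining"] = sorted(store.contacts)
    results["audit_entries"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The design point is that consent is stored per purpose and channel with its evidence and expiry, so an email permission does not silently become a phone permission, and the audit log records only opaque ids and timestamps so that proving a deletion does not require keeping the data that was deleted.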
How will the GDPR impact CRM?
You can’t ignore the GDPR if you use a database to store and process contact information, including personal data. Luckily, you can reach the same goals by combining GDPR and CRM: build deeper trust and loyalty with your contacts by handling their personal data professionally.
Look for a CRM provider complying with the GDPR
As a user, it’s important to choose a service that is on the road to full GDPR compliance. In your search for the right provider, the following actions can indicate that they are thoroughly prepared:
- The service offers resources (e.g. blog posts, checklists, emails, webinars, ebooks) to help customers prepare.
- There’s a commitment to security and to the GDPR specifically. The provider researches the areas of their product and business impacted by the GDPR, develops a strategy to address those areas and performs the necessary changes. For example, a company ensures that staff who access and process personal data have been trained in handling data and are bound to maintain the confidentiality and security of that data.
- The tool is (being) adapted to “privacy by design”. By definition, this means the CRM software complies with the GDPR from a practical perspective. For instance, the software should enable you to easily share, edit and delete personal data.
- They’ve appointed a Data Protection Officer.
- They’ve rewritten the Data Protection Agreement and communicated their compliance.
How is Teamleader CRM preparing for the GDPR?
Teamleader will be fully GDPR compliant by 25 May 2018. Our web applications, communications, database servers and all our customer data are stored and located on European servers in Ireland operated by Amazon Web Services, Inc. Therefore it falls under the GDPR. In order to comply with the standards and obligations set forth in the GDPR, Teamleader has already signed the ‘AWS Data Processing Addendum’. Security is ensured by, for instance, encryption via SSL (in short, a method of converting data into a form that only the intended recipient can read).
Preparations are also being made through external and internal communication, company-wide training, technical security audits and consultation with external legal counsel.
On top of that, the right documents also prove Teamleader will be ready: an internal incident management procedure, the Technical and Organisational Data Security Measures (TOM), privacy declaration and data processing agreement show Teamleader will be prepared to become GDPR compliant.
What will be your responsibility?
When users enter personal data in their CRM software, a software provider acts as a data controller. However, in this case a user is a data processor and therefore should act in a privacy-compliant manner. This means you still have some obligations, for instance:
- Assess your organisation, identify your data collection process and review your existing privacy efforts
- Establish privacy processes and controls
- Document your compliance
On top of that, ensure your customer data management strategy meets all of the above standards, such as getting explicit consent, specifying the purpose and legal basis for processing data and having a system in place to delete or transfer data on request.
This is only a handful of the measures you should take to become privacy compliant. Next to your own efforts, you should use compliant CRM software to safely collect and manage personal data, making sure your customer data management is in line with the new legal framework.