CRM and GDPR Compliance: Maintaining Customer Relationships

GDPR and CRM: maintaining customer relationships

Companies are at pains to retain the wealth of information they hold on their customers now that GDPR data regulations are in force. Yet customer relationship systems typically don’t provide for the personal data controls that are now needed. So what are companies to do? Consentric’s Andy Green weighs up the options

Customer relationship management (CRM) systems provide an invaluable central hub for businesses that need to store and organise customer data. This information might be used in marketing promotions, or in sales contact and customer care activities, via links to respective software applications.

As a result, the CRM database is an important starting point for setting appropriate controls around capture and use of personal data, particularly in the light of enhanced consumer data rights under the new EU General Data Protection Regulation (GDPR). This requires a level of sophistication that most CRM systems do not provide for as standard. For instance, assignment of permissions to particular purposes and the lawful basis being applied (there are six possibilities: consent, contract, legitimate interest, vital interest, legal obligation and public interest) in order to keep communication channels open with customers.

The good news is that, rather than try to develop their own capabilities for managing all of this, it is possible to plug in purpose-built capabilities designed as add-ons to popular CRM systems such as Salesforce. 

Compliance needs the right controls

Under GDPR law, any organisation that holds someone’s personal data needs to be able to capture, manage and honour a range of data subject rights and permissions for keeping and using it.

There are six lawful bases for processing personal data and it is essential that a record is maintained because each has its own bearing on the rights to individuals’ data. For example, ‘consent’ must be aligned to a specific use case, and customers must have the option to withdraw this easily. ‘Legitimate interest’ as the lawful basis for keeping and processing personal data, meanwhile, requires that individuals can object to the processing of their data, yet without the automatic promise of data portability (something that is provided for under ‘consent’).

Such is the complexity around managing all of this that taking a bespoke approach to GDPR compliance is a daunting prospect. It can involve spending a lot of money to create custom fields to manage data permissions, then web interfaces to the data and so on. And even then it’s hard to achieve the granularity of control promoted by GDPR.

Companies must be able to show a clear audit trail of consent for the data they hold, too. They must also be able to review the status of permissions easily – since these could be linked to contact or case management processes, for example. This is especially important because customers may have the right to vet, edit and withdraw these permissions at any time.

The long arm of CRM

If CRM systems existed as data islands, the prospect of managing all this might not be so onerous. But the most entrenched CRM tools will exchange information with numerous other applications and data sources across an organisation, demanding a consistent, company-wide approach to data and permissions management. Given that cloud-based systems such as Salesforce can be tapped into from just about anywhere, organisations really need to approach data permissions management in a more systematic way.

A further consideration is that GDPR is not a one-time compliance task. Although robust rules were set down in advance of the May 25 GDPR deadline, these will continue to be refined over time. For instance, case law is expected to influence what constitutes ‘legitimate interest’ as a justification for holding and using someone’s data.

So companies’ management of compliance needs to be a continuous, evolving process.

The goal should be to have a centralised place where organisations can view, edit, manage and report on everything, especially as requirements and preferences change. In addition, customers will need access to a platform where they can check on the data an organisation holds on them, review and amend the consent they have given, or object to certain processing activities.

GDPR and CRM: Keeping everything connected

The option to ‘plug in’ this kind of facility directly into a CRM system is powerful in a couple of important ways.

First, it keeps the technicalities of maintaining GDPR compliance a step removed from everyday systems and processes – minimising disruption and the need for retraining. Assuming companies have done the essential groundwork (establishing what data they hold on customers, how they use it and whether this is justified – then addressing any grey areas), they can deploy the controls for managing it quickly and seamlessly. All they need to do is connect up the compatible consent and permissions management platform, to bring control right across the organisation – at every touch point.

Second, the ability to open up the platform to customers (via a special web portal, for example), could significantly boost the confidence of individuals in trusting a company with their data – especially if companies can explain the benefits, such as personalised offers, that can be tailored from that data.

The good news is that, by linking their CRM systems to the right GDPR control platform, companies can automate the process of obtaining consent, keep databases up-to-date with evolving legislation and set up prompts and creative campaigns before current customer permissions expire. So hard-won customer relationships aren’t lost unnecessarily.


* Consentric provides a secure personal data permissions management plug-in for Salesforce and other popular CRM systems. Find out more here.