GDPR and CRM

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and it addresses the export of personal data outside the EU.

The GDPR will apply in the UK from 25 May 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect its commencement of the GDPR.

The following article is only a summary of our findings. If you store, use or handle individuals' data, you should ensure you are fully up to speed on this legislation by visiting the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Who does the GDPR apply to?

The GDPR applies to 'controllers' and 'processors' of data. In short, any business that stores, uses or handles data for itself or its clients will be affected by the new GDPR legislation. 

What information does the GDPR apply to?

Personal Data - any information that could be used to identify an individual. For example, name, email address, telephone numbers, account numbers, IP addresses, etc.

Sensitive Data - any information that is deemed sensitive, such as political views, sexual preference, medical history, etc.

Key Aspects of GDPR

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

 
A full description of each of these areas is provided on the ICO Website.

How Should a CRM Platform Support GDPR?

The following is a summary of what we think are important features and requirements of a CRM platform, all of which are supported by Altido's CRM platform:

  • Ability to track personal and sensitive data within the database model so that an administrator or data controller can at any time retrieve an accurate report on what types of data are being recorded and for what purpose.
  • Ability to handle Right of Access requests for any individual in a timely manner with minimal cost and time implications for the business.
  • Ability to track each individual's GDPR consent date and consent method.
  • Ability to specify data relevancy timescales in months for each different type of individual data. For example, a client's privacy policy might state that enquiry data will be held for 3 months and then destroyed, or that customer data is held indefinitely and lapsed customers' data will be held for 5 years, etc.
  • The CRM platform should understand these different types of data and be able to inform the data controller through a simple report when data has expired or is no longer relevant.
  • Ability to see GDPR consent expiry against every single individual's record.
  • Ability to remove or anonymise data that has expired simply and quickly.

 

For our full list of GDPR requirements please get in touch so we can talk through your specific requirements in more detail.

Free GDPR CRM Assessment

Altido have been delivering innovative off-the-shelf and bespoke cloud-based business solutions since 2005.
Call us on 01242 370370 to discuss your specific CRM requirements. Alternatively, complete our online form for a free, tailored CRM demonstration.