How the GDPR Affects Your CRM System

Why is the GDPR being introduced, and what does it mean?

For the first time in two decades, changes are being made to the Personal Data Act—it’s about time. The new changes brought about by the GDPR are fully in line with the new technologies we use today that collect data about us, such as mobile phones, social media, cloud services, sensors, and computers. We use these tools in a completely new way compared to before, and user data moves across national borders. The new law enables individuals to have greater control over their own personal data. The Personal Data Act (PUL) covers a large part of the new law, but the regulations in PUL differ across most of Europe today, which is problematic because data rarely remains within a single country.

How does the GDPR affect your CRM system?

A CRM system always contains a significant amount of personal data, for obvious reasons. So what does the GDPR actually mean for your company and the data stored and used in your customer management system? We’ll go over some key aspects of the GDPR below to clarify this.

The expanded rights for individuals under the GDPR

A CRM system often includes numerous safeguards against data loss. To meet traceability requirements and keep the system working, the established practice has been to deactivate historical customer records rather than delete them, which could become a problem under the GDPR. The expanded rights mean that individuals can make demands that conflict with such retention practices, for example:

  1. The right to be forgotten – as a private individual, you have the right to be removed from systems when the information is no longer necessary to fulfill a contract. The distinction is that you should be able to ask your internet service provider to delete things like your browsing history, but obviously not debts or contracts you have with your bank.
  2. The right to data portability – companies must be able to provide their customers with all the data they have in their systems so that customers can transfer it to another provider if they choose to switch services.
  3. Access to personal data – last but not least, you should be able to request an extract from your provider’s system, if you wish, to see what personal data they hold about you.

The points above mean that you must be able to identify, extract, and delete information about customers and contacts upon request, and the processes for doing so must be clear even if they are not fully automated.

How can personal data be stored in accordance with the GDPR?

It goes without saying that personal data is needed for certain purposes. Nevertheless, security measures are required to ensure that the data does not fall into the wrong hands. The GDPR and data storage are rooted in the concept of “Privacy by Design,” which means implementing privacy-protecting mechanisms from the ground up. In practice this means building the data structure and access controls in such a way that separate data protection initiatives are not required. One example is partitioning the system so that access to personal data is limited solely to those who actively need it for their work. This is something we at Releye are actively working on and will continue to address in the future.

What does the GDPR say about security requirements for data storage facilities?

The digital world isn’t all that different from the physical world when it comes to the risk of being “robbed.” That’s why you need adequate protection in your systems to keep hackers and other data thieves out.

  • Encryption requirements – Data must be encrypted, both at rest and in transit to and from various storage devices.
  • Close integration between applications and their storage devices – It must be easy to identify where an application stores its data. Backups must also be linked to their respective applications in the same way.
  • Audit Logs – All parts of the system that contain personal data must have audit logs so that potential breaches can be identified after the fact.
  • Removing data from backups – When you remove a customer from the system you’re currently using, that data often remains in backups of the system created before the customer was deleted. The challenge here is that backups are created in different ways, and the process for extracting and deleting specific data will vary from case to case.
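The identify, extract and delete workflow described under the expanded rights, together with the audit-log requirement in the list above, can be put into code. The following is an added example written for this article, not Releye's own code or any product's API: it uses an in-memory SQLite database whose table layout, column names and sample contacts are all constructed for the example. Erasure blanks the person's identifying fields and deactivates the row rather than deleting it, so the surrogate id stays valid for traceability while the row no longer identifies anyone; order rows (contract and bookkeeping records) are kept unless the caller decides they are no longer needed, and every operation writes an audit-log row.

```python
"""Data-subject request handling for a small CRM store (added example).

Illustrative code, not Releye's: an in-memory SQLite CRM with the three
operations a GDPR process needs for a contact -- identify, export
(access/portability) and erase (right to be forgotten) -- each writing an
audit-log row so the action can be shown afterwards. Schema, table names
and sample rows are constructed for this example.
"""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, active INTEGER DEFAULT 1);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY, contact_id INTEGER REFERENCES contacts(id),
    amount REAL, placed_at TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, at TEXT, actor TEXT, action TEXT, subject TEXT, detail TEXT);
"""
# Constructed sample people; any resemblance to real persons is accidental.
CONTACTS = [(1, "Anna Example", "anna@example.com", "+46 70 000 00 00"),
            (2, "Bo Sample", "bo@example.net", "+46 70 111 11 11")]
ORDERS = [(1, 120.0, "2017-11-02"), (1, 80.5, "2018-01-15"), (2, 15.0, "2018-02-01")]

CONTACT_COLS = ["id", "name", "email", "phone", "active"]
ORDER_COLS = ["id", "amount", "placed_at"]


def open_crm() -> sqlite3.Connection:
    """Create the sample CRM in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO contacts(id, name, email, phone) VALUES (?,?,?,?)", CONTACTS)
    con.executemany("INSERT INTO orders(contact_id, amount, placed_at) VALUES (?,?,?)", ORDERS)
    con.commit()
    return con


def audit(con, actor, action, subject, detail=""):
    """Every operation on personal data leaves a row: who did what to whom, and when."""
    con.execute("INSERT INTO audit_log(at, actor, action, subject, detail) VALUES (?,?,?,?,?)",
                (datetime.now(timezone.utc).isoformat(), actor, action, subject, detail))


def identify(con, email):
    """Identify: which contact rows belong to the person making the request."""
    rows = con.execute("SELECT id FROM contacts WHERE lower(email) = lower(?)", (email,)).fetchall()
    return [r[0] for r in rows]


def export_subject(con, contact_id, actor):
    """Access / portability: everything held about one contact, JSON-serialisable."""
    contact = con.execute(f"SELECT {','.join(CONTACT_COLS)} FROM contacts WHERE id = ?",
                          (contact_id,)).fetchone()
    if contact is None:
        raise KeyError(f"no contact {contact_id}")
    orders = con.execute(f"SELECT {','.join(ORDER_COLS)} FROM orders WHERE contact_id = ?",
                         (contact_id,)).fetchall()
    data = {"contact": dict(zip(CONTACT_COLS, contact)),
            "orders": [dict(zip(ORDER_COLS, o)) for o in orders]}
    audit(con, actor, "export", str(contact_id), f"{len(orders)} orders included")
    con.commit()
    return data


def erase_subject(con, contact_id, actor, keep_order_history=True):
    """Right to be forgotten: blank the identifying fields and deactivate the row.
    The surrogate id survives for traceability but no longer identifies anyone.
    Order rows are kept (contract / bookkeeping records) unless told otherwise."""
    if con.execute("SELECT 1 FROM contacts WHERE id = ?", (contact_id,)).fetchone() is None:
        raise KeyError(f"no contact {contact_id}")
    con.execute("UPDATE contacts SET name = NULL, email = NULL, phone = NULL, active = 0 WHERE id = ?",
                (contact_id,))
    deleted = 0
    if not keep_order_history:
        deleted = con.execute("DELETE FROM orders WHERE contact_id = ?", (contact_id,)).rowcount
    detail = "identifying fields blanked; " + (
        "order history kept" if keep_order_history else f"{deleted} orders deleted")
    audit(con, actor, "erase", str(contact_id), detail)
    con.commit()
    return {"contact_id": contact_id, "orders_deleted": deleted}


def audit_trail(con, contact_id):
    """What happened to this subject, in order: the after-the-fact check."""
    return [r[0] for r in con.execute("SELECT action FROM audit_log WHERE subject = ? ORDER BY id",
                                      (str(contact_id),))]


if __name__ == "__main__":
    crm = open_crm()
    cid = identify(crm, "anna@example.com")[0]
    print(json.dumps(export_subject(crm, cid, "dpo@example.invalid"), indent=2))
    print(erase_subject(crm, cid, "dpo@example.invalid"))
    print(audit_trail(crm, cid))
```

The export is what a data-portability or access request would receive; the erase keeps the deactivated row and its order history, which matches the deactivate-rather-than-delete practice described above while still removing the person, and the audit trail shows both steps afterwards.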

Here's how you can work on developing your CRM system without using personal data

When developing systems, different environments are typically used for different purposes. Common examples include a development environment, a test environment, a user testing environment, and a production environment. An important distinction here is that only the production environment—that is, the one in which the company’s employees work—may contain personal data. Development and test environments may only contain anonymous data. The Swedish Tax Agency’s own database contains fictitious personal data that can be used in these environments.
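Besides using a ready-made set of fictitious persons, a team can produce the non-production copy itself by replacing every identifying value before the data leaves production. The block below is an added example for this article, not Releye's code and not connected to the Tax Agency's database; the contact and order rows are constructed, and the key is a placeholder. It uses keyed pseudonymisation (an HMAC over the real e-mail address under a key that stays in production), so the same real contact always receives the same fictitious identity, which keeps foreign keys and duplicate detection working in the test copy, while the test copy on its own cannot be walked back to a real person. A release-gate check at the end confirms no real value survived.

```python
"""Pseudonymised copy of CRM data for development and test environments (added example).

Illustrative code, not Releye's. Production-shaped contact rows are turned into
fictitious ones for non-production use. Replacement values derive from an HMAC
of the real e-mail under a key that stays in production, so the same real
contact maps to the same fake identity every time, and the test copy alone
cannot be reversed to a person. Sample rows are constructed; the key is a
placeholder.
"""
import hashlib
import hmac
from typing import Iterable

FIRST = ["Alva", "Bo", "Cleo", "Dag", "Ebba", "Finn", "Greta", "Hugo"]
LAST = ["Andersson", "Berg", "Carlsson", "Dahl", "Ek", "Fors", "Gran", "Holm"]
PII_FIELDS = ("name", "email", "phone")

# Constructed sample rows in the shape of a production export; row 3 is the
# same person as row 1 entered twice with different capitalisation.
PROD_CONTACTS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.com", "phone": "+46 70 000 00 00"},
    {"id": 2, "name": "Bo Sample", "email": "bo@example.net", "phone": "+46 70 111 11 11"},
    {"id": 3, "name": "Anna Example", "email": "ANNA@example.com", "phone": "+46 70 000 00 00"},
]
PROD_ORDERS = [{"id": 10, "contact_id": 1, "amount": 120.0},
               {"id": 11, "contact_id": 2, "amount": 15.0}]


def _token(key: bytes, value: str) -> int:
    """Keyed, deterministic 64-bit token for a real value. Without the key the
    token cannot be recomputed from a guessed e-mail, which a plain hash allows."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def pseudonymise_contact(key: bytes, contact: dict) -> dict:
    """Replace the identifying fields of one contact with fictitious values."""
    t = _token(key, contact["email"])          # e-mail is the identity anchor here
    fake = dict(contact)                        # non-PII columns (id, flags) pass through
    fake["name"] = f"{FIRST[t % len(FIRST)]} {LAST[(t >> 8) % len(LAST)]}"
    fake["email"] = f"user{t % 10**8:08d}@example.invalid"   # .invalid never resolves
    fake["phone"] = f"+46 70 {t % 10**7:07d}"
    return fake


def pseudonymise(key: bytes, contacts: Iterable[dict], orders: Iterable[dict]):
    """Contacts get fictitious identities; orders are copied unchanged because
    their contact_id still points at the (now fictitious) contact row."""
    return [pseudonymise_contact(key, c) for c in contacts], [dict(o) for o in orders]


def leaked_values(prod_contacts, test_contacts):
    """Release gate: the set of real PII values that survived into the test copy."""
    real = {str(c[f]).strip().lower() for c in prod_contacts for f in PII_FIELDS}
    seen = {str(c[f]).strip().lower() for c in test_contacts for f in PII_FIELDS}
    return real & seen


if __name__ == "__main__":
    KEY = b"placeholder-key-kept-only-in-production"   # placeholder, not a real key
    test_contacts, test_orders = pseudonymise(KEY, PROD_CONTACTS, PROD_ORDERS)
    for c in test_contacts:
        print(c)
    print("leaked:", leaked_values(PROD_CONTACTS, test_contacts))
```

Rows 1 and 3 come out with the same fictitious name and e-mail, so de-duplication logic can still be tested, and a different key yields a different identity, so two environments fed from different keys cannot be cross-matched. If the id column itself carries meaning (a personal identity number, for instance), it has to be replaced in the same keyed way rather than passed through.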

Data storage you might not think about that is affected by the GDPR

So far, we’ve talked about how to start securing your CRM system for the GDPR requirements coming in May 2018. But what kind of data do people rarely think about or tend to forget? For example, have you considered that the Post-it note on your desk with a name, email address, and phone number contains personal data that you’re storing insecurely? All personal data, regardless of the storage medium, falls under GDPR regulations. This probably doesn’t mean the police will confiscate papers from your desks. However, it does mean that binders and archives full of analog storage may be illegal under GDPR.

What can you do to prepare for the GDPR?

  1. Build security into processes and systems from the very beginning. Also, keep in mind that you must not store personal data in test and development environments.
  2. Review and take stock of the information you have and what is required—remove unnecessary data and explain why you need the information you want to keep.
  3. Be sure to inform the customer about what data you collect and how you intend to use it – it is no longer sufficient to simply include a statement such as “By continuing to browse, you consent to the collection of data.”
  4. Develop procedures for identifying and anonymizing customer data.
  5. Have procedures in place to detect, report, and investigate data breaches.
  6. Last but not least: seek expert advice. There are plenty of articles and information on the subject of GDPR, but it will be a much better investment for you to consult someone who knows the ins and outs.

Do you have any further questions about how your CRM system will be affected by the implementation of GDPR? Contact us and we’ll tell you more.

Contact us today

Or call us at +46 8 55 80 25 08