GDPR Compliance and CRM

If you are using a CRM system and/or an email marketing system then the GDPR legislation is very important to you and your organisation. The EU data protection reform was adopted by the European Parliament and the European Council on 27th April 2016. The European Data Protection Regulation (‘EDPR’) will be applicable as of 25th May 2018.

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. It will replace the older Data Protection Act from the late 90s. It is intended to protect individuals’ personal data and is also designed to ‘harmonise’ data privacy laws across Europe, as well as to give greater protection and rights to individuals.


The Main Principles of GDPR

Any data you collect or control must pass the following test, otherwise it should be deleted.

a) Processed lawfully, fairly and in a transparent manner in relation to individuals. You need to be upfront about using an individual's data in a lawful manner, and let individuals know how you intend to use the information and why.

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. After being transparent about how and why the data is used, you must not use it for other reasons.

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. You should not control data that has no purpose. For example, you would not hold information about height, hair colour, age and religion if it has no bearing on what you do.

d) Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. There are some exceptions to this, for example where data is stored for the benefit of the public interest.

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Grounds for Processing Data

Once you have tested the data you store or control using the principles above, you can only use or process the data on one or more of the following grounds. These grounds must also be documented and evidenced so that they can be shown to any authority, or to the subject to whom the data relates.

1. Consent
2. Performance of a contract
3. To comply with legal obligations
4. To protect the vital interests of the data subject or other people
5. To perform a task in the public interest
6. Legitimate interest (pursued by the controller or a third party, except where such interests are overridden by the interests or rights and freedoms of the data subjects)


GDPR and Brexit

What about the UK leaving the EU? Does this have implications? If you process data about individuals (a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address) in the context of selling goods or services to citizens in other EU countries, then you will need to comply with GDPR, and the UK government has said it will support the GDPR legislation. When the regulation comes into effect, the UK will still be part of the EU, so you must be compliant. In the UK, the 'PECR' regulation (the Privacy and Electronic Communications Regulations) is still in place for B2B. PECR works on an 'opt out' basis: for example, you gain someone's email address at an exhibition, you enter that person into your database/CRM, and you can then freely email that person until they opt out of your mailings. The assumption is that because it can be proved they had an interest in your product/service, you can send them emails about that product or service, perhaps on the grounds of legitimate interest. This may change in the future. It does not apply, though, if you choose to process data on the grounds of consent. PECR does not overrule GDPR: processing data has to pass the test under both sets of legislation.


What are the penalties for non-compliance?

Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment.


How can my CRM system help with GDPR compliance?

1. Your CRM system can be a vital tool to gaining and maintaining GDPR compliance. Your policies will dictate what the systems need to do to support your compliance position. For example, simply having a CRM system that collects personal data doesn't make it compliant. If your policies state that you only need name, address and email information to carry out the required management/service to your customers, then your CRM needs to be configured such that this is all it is able to store. Your CRM should not allow users to enter personal details such as age, marital status etc. beyond that; otherwise your CRM system is clearly not compliant, because it is not following policies which have been defined around the agreed business need. There is then the associated data, such as emails and transactional history like Orders, Cases, enquiries etc., to consider. All users of the CRM system need to be informed and trained on the implications of GDPR and the use of the CRM system. So a CRM system will hold records about individuals you sell to. It is important you can identify where, when and how the record got into your system. Typically the 'Source' field of a Lead or Customer record is going to answer that question.

2. Marketing via Email: If you use your CRM system to market via Email then you need to implement an Opt-In process for gaining permission to email that individual, recording when you gained that email address for your list and what you intend to do with that address. E.g. if you get the individual's details in relation to Product A and then you start emailing them about Product B, this could be deemed a breach of GDPR. By using a double opt-in, not only has a user subscribed to a newsletter, mailing list or other email marketing messages by explicit request, but he or she has also confirmed the email address is their own in the process. Wizard Systems can help you implement a double opt-in solution for your CRM if you do not already have one.
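The double opt-in and consent-recording process described above, as an added illustration that is not part of the original article or of any CRM product: the pending request records the source, purpose and time, the confirmation link carries an HMAC-signed token bound to the address and purpose, and sending is gated on confirmed consent for that specific purpose. SECRET_KEY, CONFIRM_TTL and the ledger layout are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed example: a minimal double opt-in flow with a consent ledger.
# SECRET_KEY, CONFIRM_TTL and the record layout are assumptions, not any
# CRM product's API. A real system would persist the ledger in a database.
SECRET_KEY = b"example-server-secret-rotate-me"
CONFIRM_TTL = 48 * 3600  # seconds a confirmation link stays valid

def make_token(email: str, purpose: str, issued_at: int) -> str:
    """Signed token bound to address, purpose and issue time, so a confirmation
    cannot be forged, nor reused for a different mailing list."""
    msg = json.dumps([email.lower(), purpose, issued_at]).encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"

def start_subscription(ledger: dict, email: str, purpose: str, source: str, now: int) -> str:
    """Step 1: record the *pending* request (who, what for, where the address
    came from, when) and return the token to embed in the confirmation email."""
    ledger[(email.lower(), purpose)] = {
        "status": "pending", "source": source, "requested_at": now,
        "confirmed_at": None,
    }
    return make_token(email, purpose, now)

def confirm_subscription(ledger: dict, email: str, purpose: str, token: str, now: int) -> bool:
    """Step 2: the address owner clicks the link. Consent becomes active only if
    the token verifies, is unexpired, and matches a pending request."""
    try:
        issued_at_s, _sig = token.split(".", 1)
        issued_at = int(issued_at_s)
    except ValueError:
        return False
    expected = make_token(email, purpose, issued_at)
    if not hmac.compare_digest(expected, token):
        return False
    if now - issued_at > CONFIRM_TTL:
        return False
    rec = ledger.get((email.lower(), purpose))
    if rec is None or rec["status"] != "pending":
        return False
    rec.update(status="confirmed", confirmed_at=now)
    return True

def may_email(ledger: dict, email: str, purpose: str) -> bool:
    """Gate every send on confirmed consent for *that* purpose (consent for
    Product A news does not cover Product B)."""
    rec = ledger.get((email.lower(), purpose))
    return rec is not None and rec["status"] == "confirmed"
```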

3. How long can CRM hold a person's data? The GDPR legislation has rules around the policies which mean that, depending on your specific business needs, there may be limitations in terms of the extent of this data, the length of time it may be reasonable to hold this data, etc. The legislation indicates that, say, beyond a product warranty period there would be no reasonable need for a company to retain that person's data. Your policy would need to state a case as to why a longer retention period is appropriate. However, with just the subject area of emails, there is complexity. Does this include all emails a person has simply been copied on? If emails are stored in CRM, then there is the double issue of managing this whole area in both your email service and CRM.

4. But what do I do with the data in the backups? There is also the consideration of backups and archiving, and this will apply to CRM as much as any other application. So, when for example you are using an online hosted instance of a CRM, you need to understand the archiving and backup processes of that online system, such that if your policies state that you will delete any records of a certain nature that are greater than N years old, then that can be done, and you know that it will also be done across the backups and archives taken of your online instance.

5. The right to be forgotten. Similarly, when an individual requests an update of their information, a report of what information you hold on them, or the right to be forgotten, your policies need to define the requirements that your system needs to be able to support. Clearly, good data quality, a subject very close to our hearts, is going to be an even greater requirement for GDPR than it has been to date simply to make CRM work efficiently. When such requests are made, high quality data will make it easier to ensure you identify the right person and that that person has only one record in your system. Therefore, any actions required can be carried out in confidence, knowing that if a person simply requests not to be contacted, i.e. unsubscribes, they will not go on receiving communications through a duplicate entry in the CRM that was missed, because there is only one record.

6. Review your users' access rights: look at all your users and which access rights they have to your CRM system. Good CRM systems will allow different levels of user access to be defined, i.e. who can see what information, change it or delete it.


If you want to know how to adopt the principles of GDPR in your CRM system, please contact Wizard Systems.  If you are looking for a new CRM solution which is GDPR compliant, contact Wizard Systems.

Good resources...
https://dma.org.uk/gdpr
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

And 12 steps to prepare for GDPR...
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

This article is for informational purposes only and is not official legal advice for your company.
©1993 - 2025 Wizard Systems UK, 01454 316800, CRM Solutions for Sales, Marketing and Customer Service