

    What requirements must a GDPR-compliant CRM system meet?



    Data protection is a sensitive topic. The EU General Data Protection Regulation (GDPR) strictly regulates the handling of personal data, and non-compliance can lead to very high fines: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Art. 83 GDPR).

    A representative survey conducted by the digital association Bitkom in 2020 found that only 20% of the 500 companies surveyed had fully implemented the GDPR by September of that year. 56% even stated that innovative business projects had failed because of the GDPR.

    More than half, however, also thought that the GDPR set global standards for the handling of personal data and brought competitive advantages for EU companies.

    In 2022, according to a Statista survey on the status of GDPR implementation in Germany, 22% of the companies surveyed had still not fully implemented the GDPR and a further 33% had implemented it only partially. The topic of CRM and GDPR therefore remains current.

    Recording and processing personal data in a CRM system is essential for managing successful customer relationships, and not only in the interests of the company but also in the interests of customers and prospects. For this reason we have compiled the most important information on GDPR in CRM here.

    1. The EU GDPR in a nutshell



    The EU GDPR has applied in all EU member states (and the EEA) since May 25, 2018 and regulates the handling of personal data by companies and public bodies.

    The overall aim is to strengthen the individual's right to informational self-determination. The GDPR applies to every company established in the EU that stores or processes personal data. But beware: companies outside the EU must also comply with the GDPR if they offer goods or services to people in the EU, or monitor their behaviour, and collect and use their data in the process (Art. 3 GDPR).

    2. What is personal data?


    Personal data is any information relating to an identified or identifiable natural person (Art. 4(1) GDPR); it does not matter whether the person can be identified directly or only by combining the data with other information. Information from the business environment can be personal data too, for example:

    • First name and surname
    • Address
    • Gender
    • Telephone number
    • E-mail address
    • IP address
    • Contact details of contact persons at customers or suppliers
    • IP addresses of website visitors
    • Lists of newsletter recipients

    3. What does "processing of personal data" mean?


    "Processing" covers practically everything you can do with personal data (Art. 4(2) GDPR), for example:

    • Collecting (e.g. by questionnaire)
    • Recording (e.g. using a form, software or camera)
    • Storing (e.g. in a database, Excel file or paper file)
    • Altering (e.g. updating)
    • Transmitting (e.g. to an authority or an affiliated company)
    • Synchronizing, combining and linking
    • Restricting ("locking") or erasing

    Everyday examples include storing the contact details of your customers' contact persons (B2B) in your CRM system, collecting addresses for sending newsletters, or simply recording an order.

    Incidentally, this also includes recording the personal information of applicants for a vacancy in your company.

    4. Personal data in the company

    4.1 Why do companies need personal data?

    When selling products and services, you have to convince potential customers of your quality. To do this, you need to know a lot about your future customers in order to choose the right approach and the right communication channels. You need address data for your recipients on every channel; for e-mail marketing and newsletters, for example, you need entire recipient lists. But you also need personal data for commercial processes such as ordering, invoicing and support.

    4.2 Which departments work with the personal data?

    The first departments that come to mind are order processing and accounting. But several other departments work with your customers' personal data before or after the purchase: your marketing department is hunting for new leads, your sales department is acquiring new customers, and your service department is looking after existing customers.

    4.3 Is the handling of employee data also regulated in the GDPR?

    The GDPR not only protects customer data, but also employee data - from the application to the end of employment.

    The GDPR stipulates that personal data, including employee data, may only be processed if a specific legal basis permits it or the employee has consented. In Germany, section 26 of the Federal Data Protection Act (BDSG) provides this legal basis: employers may process personal data that is required to establish, carry out or terminate an employment relationship, even without consent.

    Today, the most important employee data is usually kept in a digital personnel file. The employer must protect this file from unauthorized access, internal as well as external. In addition, employee data is needed for user administration in order to securely control access rights to digital applications and customer data.

    4.4 What software do you need to manage personal data?

    For GDPR-compliant management of personal data, you need CRM software that guarantees the rights of your customers and the security of their data, and at the same time keeps process errors from exposing you to high fines. Transparency, coordinated processes and central data storage with a complete overview support the GDPR requirements in CRM far better than a collection of Excel sheets scattered across various servers and mailboxes.

    5. When is the processing of personal data permitted in the CRM?



    The foundation of customer-oriented company management
    Customer centricity is at the heart of every successful CRM strategy. This concept revolves around the essential question: What motivates our customers today and tomorrow? By aligning their products and services with the current and future wishes of their customers, companies place them at the center of all their activities. A powerful CRM system acts as a central hub for this customer-oriented focus. It not only serves as a treasure trove of valuable customer data, but also enables strategic planning, task definition and the semi-automated implementation of customer-centric measures. In CRM, all points of contact - known as touchpoints - between customers and the company are recorded and analyzed.

    From the customer journey to customer experience management
    This comprehensive documentation makes it possible to track the entire customer journey - from the first encounter to the final purchase. The more detailed this customer journey is recorded, the more precisely tailored and personalized content can be developed for future interactions. The aim is to offer the customer a consistently positive experience with the company, its products and services - an approach known as customer experience management, which strengthens customer loyalty in the long term.

    5.1 Lawfulness
    Processing personal data is lawful only if the GDPR permits it, i.e. there must be a legal basis (Art. 6 GDPR). The bases that matter most in a CRM are:

    • Performance of a contract: processing is necessary to perform a contract with the individual, such as using the customer's address to ship the ordered product.
    • Compliance with a legal obligation: processing is necessary to fulfil a legal obligation, such as obtaining and storing the identification data of contractual partners under the Money Laundering Act.
    • Legitimate interests: the company pursues a legitimate interest with the processing, there is no less intrusive alternative, and the conflicting interests of the data subjects do not prevail. Example: viewing the business correspondence of an employee who is off sick in order to handle urgent customer inquiries.
    • Consent: the data subject has been informed and has freely and clearly consented to the use of the data, e.g. a customer who signs up for the newsletter. Consent can be withdrawn at any time, so the CRM must be able to record both the consent and its withdrawal.

    5.2 Purpose limitation:
    Use data only for the purposes for which it was originally collected or that are compatible with those original purposes.

    5.3 Data minimization:
    Do not collect or use more data than is necessary for the specific purpose, and do not collect data "in reserve" for possible later use. Example: a name and employer are not needed to send a newsletter, so they should not be mandatory fields on the sign-up form.

    5.4 Storage limitation:
    Delete personal data when it is no longer required, for example after the statutory retention period has expired (10 years for accounting records under German commercial and tax law).

    5.5 Accuracy:
    Correct incorrect or incomplete data.

    5.6 Data security:
    Protect data adequately against unauthorized access, loss and falsification with appropriate technical and organizational measures (Art. 32 GDPR). In a CRM this means, for example, a role concept that grants each user only the rights their job requires, strong authentication (passwords, ideally with a second factor), encryption in transit and at rest, backups, and network protection such as a firewall.

    Attention: Processing ban for sensitive data

    In some cases the GDPR places additional requirements on data handling, and these apply to the GDPR in CRM too:
    A general processing ban applies to special categories of personal data (Art. 9 GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, health data and data concerning a person's sex life or sexual orientation. Processing is only permitted under one of the listed exceptions and under particularly strict conditions, such as the data subject's explicit consent or obligations under employment and social security law. A CRM should therefore not offer free-text fields that invite users to note such information about contacts.

    6. GDPR in CRM

    What your CRM must offer functionally for GDPR-compliant data processing



    Of course, a whole host of functions and coordinated processes can make your day-to-day work easier when it comes to complying with GDPR requirements. Here we have collected the core functionalities that your CRM system must offer in order to be GDPR-compliant.

    Right of access (information/disclosure)

    A person wants to know what personal data is stored about them, for what purpose it is processed, how it is used and to whom it has been disclosed. You are obliged to answer these questions, without undue delay and at the latest within one month (Art. 12 and 15 GDPR).

    Your answer must cover every place the data is used: mailings and evaluations in mailing programs, campaigns, the service desk and third-party systems connected via interfaces. A CRM that holds all contact data centrally makes this search far easier than a collection of spreadsheets.

    Right to be forgotten

    A person wants their personal data to be deleted. You must comply unless another law requires the data to be retained or there is another overriding reason to keep it (Art. 17 GDPR); in that case the data is retained but blocked for any other use.

    Such laws are, for example:
    - commercial law (retention of business records)
    - tax law (retention of accounting records)
    - criminal law


    Logging obligation

    Whenever personal data is recorded, changed, deleted, combined or otherwise processed, this must be logged so that you can demonstrate compliance (accountability, Art. 5(2) GDPR).

    In CRM this is possible via the document history, which records who did what, when and why. All histories can be called up at any time, and the log itself must be protected against subsequent alteration.

    Obligation to provide proof

    Where processing relies on consent, you must be able to prove that the data subject has consented (Art. 7(1) GDPR). Document the consent, including when, how and for what purpose it was given.

    In CRM this is possible, for example, via a scanned business card, an archived e-mail, or a sign-up form with double opt-in whose confirmation is stored with the contact record.

    Data minimization

    Personal data collected must be adequate for the purpose and limited to what is necessary. It must also only be stored for as long as it is actually needed.

    The implementation of a deletion concept in CRM is necessary.
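    The deletion concept just mentioned, together with the storage-limitation rule in section 5.4 and the retention-law exception to the right to be forgotten, boils down to a small rule table that a scheduled job evaluates for every record. The following is an added example written for this page, not Gedys Intraware's code: the rules (a statutory retention obligation overrides erasure requests and consent withdrawal but restricts the record to that purpose; consent-based data goes as soon as consent is withdrawn; everything else goes when its purpose has ended) and the sample contacts are assumptions, and the 10-year period is the one the article cites.

```python
"""Added example (not Gedys Intraware code): a rule-based deletion concept for
CRM contact records. The rules and the sample contacts are assumptions; the
10-year statutory retention period is the one the article itself cites."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

STATUTORY_RETENTION_YEARS = 10  # commercial/tax-law period cited in the article


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Contact:
    contact_id: str
    legal_basis: str                          # "contract", "consent" or "legitimate_interest"
    purpose_ended: Optional[date]             # contract end / last interaction; None = still active
    consent_withdrawn: bool = False
    erasure_requested: bool = False
    under_statutory_retention: bool = False   # e.g. invoice or booking data
    retention_start: Optional[date] = None    # assumption: end of the relevant financial year


@dataclass
class Decision:
    contact_id: str
    action: str   # "retain", "restrict" or "erase"
    reason: str


def decide(c: Contact, today: date) -> Decision:
    """Evaluate the rules in order; the first matching rule wins."""
    # Rule 1: a statutory retention obligation overrides erasure requests and
    # consent withdrawal, but the record may then be used for nothing else.
    if c.under_statutory_retention:
        start = c.retention_start or c.purpose_ended or today
        expiry = add_years(start, STATUTORY_RETENTION_YEARS)
        if today >= expiry:
            return Decision(c.contact_id, "erase", f"statutory retention expired on {expiry}")
        if c.erasure_requested or c.consent_withdrawn or c.purpose_ended:
            return Decision(c.contact_id, "restrict",
                            f"kept only for statutory retention until {expiry}")
        return Decision(c.contact_id, "retain", "statutory retention and purpose still active")

    # Rule 2: consent-based data goes as soon as consent is withdrawn.
    if c.legal_basis == "consent" and c.consent_withdrawn:
        return Decision(c.contact_id, "erase", "consent withdrawn")

    # Rule 3: erasure requested and nothing obliges you to keep the data.
    if c.erasure_requested:
        return Decision(c.contact_id, "erase", "erasure requested, no retention obligation")

    # Rule 4: storage limitation; the purpose has ended.
    if c.purpose_ended is not None and c.purpose_ended <= today:
        return Decision(c.contact_id, "erase", "purpose of processing has ended")

    return Decision(c.contact_id, "retain", "purpose still active")


def deletion_run(contacts: List[Contact], today: date) -> List[Decision]:
    """One scheduled sweep over the whole contact table."""
    return [decide(c, today) for c in contacts]


# Constructed sample records (fictional, not real persons).
SAMPLE: List[Contact] = [
    Contact("c1", "contract", date(2020, 6, 30), erasure_requested=True,
            under_statutory_retention=True, retention_start=date(2020, 12, 31)),
    Contact("c2", "consent", None, consent_withdrawn=True),
    Contact("c3", "legitimate_interest", date(2021, 1, 15)),
    Contact("c4", "contract", None),
    Contact("c5", "contract", date(2010, 3, 1),
            under_statutory_retention=True, retention_start=date(2010, 12, 31)),
    Contact("c6", "contract", None,
            under_statutory_retention=True, retention_start=date(2023, 12, 31)),
]


def decisions_for_sample(today_iso: str) -> Dict[str, str]:
    """Map contact id to action for the sample table on a given day (ISO date)."""
    return {d.contact_id: d.action for d in deletion_run(SAMPLE, date.fromisoformat(today_iso))}


if __name__ == "__main__":
    for d in deletion_run(SAMPLE, date(2024, 1, 1)):
        print(f"{d.contact_id}: {d.action:8} {d.reason}")
```

    Run as a scheduled job with today's date. Note that the output is a list of actions with reasons rather than an immediate delete: the sweep itself is processing that has to be documented, and the "restrict" outcome is what keeps a record that the data subject asked to have erased from quietly re-entering marketing use while tax law still forces you to keep it.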

    Right to data portability

    Individuals have the right to receive the personal data they have provided in a structured, commonly used and machine-readable format (Art. 20 GDPR).

    This is possible from the CRM via "Contact at a glance" as an Excel export, for example.

    Right to restriction of processing

    The personal data may be retained but may NOT be processed further, for example while its accuracy is being disputed or while an objection is being examined (Art. 18 GDPR).

    In the CRM the data may therefore only be stored, with a visible "restricted" marker; any further use is only permitted with the data subject's consent or for the other narrow exceptions in Art. 18(2), such as establishing or defending legal claims.

    Right to object

    A person may object to the processing of their personal data, and an objection to direct marketing must always be honoured (Art. 21 GDPR). They must be informed of their right to object at the latest at the time of the first communication.

    After a person has objected, their data must be set to inactive in the CRM and excluded from any automated processing. For marketing objections, keep a minimal suppression entry (e.g. the e-mail address) rather than deleting everything, otherwise the contact may be re-imported from another source and contacted again.

    Access control

    Users of a system that processes personal data may only access the data that their authorization covers. All functions for viewing, changing or exporting data must be protected accordingly, including reports and interfaces to other systems.

    In CRM this is ensured via role-based access rights, which should be reviewed regularly, for example whenever an employee changes role or leaves the company.
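    The functional requirements listed above (role-based access, a document history of who did what, when and why, restriction and objection flags that keep a record out of automated processing, and a machine-readable export for portability requests) can be sketched in a few dozen lines. The following is an added example written for this page, not Gedys Intraware code; the roles, field names and fictional contacts are assumptions chosen for illustration:

```python
"""Added example (not Gedys Intraware code): a toy contact store with role-based field
access, an append-only history, restriction/objection flags that keep records out of
mailings, and a JSON portability export. Roles, fields and contacts are assumptions."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Assumed role concept: the fields each role may read or write.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "sales": {"name", "email", "phone", "company"},
    "service": {"name", "email", "phone"},
    "marketing": {"name", "email"},
    "dpo": {"name", "email", "phone", "company"},
}
EXPORT_ROLES = {"dpo"}          # may run a data-portability export
CAMPAIGN_ROLES = {"marketing"}  # may build a mailing list


class AccessDenied(PermissionError):
    """The caller's role does not cover the requested operation."""


@dataclass
class Contact:
    contact_id: str
    data: Dict[str, str]
    restricted: bool = False             # Art. 18: store only, no further use
    objected_to_marketing: bool = False  # Art. 21: suppressed for direct marketing
    history: List[Dict[str, str]] = field(default_factory=list)


class CrmStore:
    def __init__(self) -> None:
        self._contacts: Dict[str, Contact] = {}

    def _log(self, c: Contact, who: str, what: str, why: str) -> None:
        # Append-only: who did what, when and why; entries are never edited or removed.
        c.history.append({"when": datetime.now(timezone.utc).isoformat(),
                          "who": who, "what": what, "why": why})

    def _allowed(self, role: str, names: Iterable[str] = ()) -> Set[str]:
        if role not in ROLE_FIELDS:
            raise AccessDenied(f"unknown role {role!r}")
        extra = set(names) - ROLE_FIELDS[role]
        if extra:
            raise AccessDenied(f"{role} may not touch {sorted(extra)}")
        return ROLE_FIELDS[role]

    def create(self, who: str, role: str, cid: str, data: Dict[str, str], why: str) -> None:
        self._allowed(role, data)
        c = self._contacts[cid] = Contact(cid, dict(data))
        self._log(c, who, "created", why)

    def read(self, role: str, cid: str) -> Dict[str, str]:
        # Return only the fields the caller's role is entitled to see.
        allowed = self._allowed(role)
        return {k: v for k, v in self._contacts[cid].data.items() if k in allowed}

    def flag(self, who: str, cid: str, what: str, why: str) -> None:
        # Record a restriction (Art. 18) or a direct-marketing objection (Art. 21).
        c = self._contacts[cid]
        setattr(c, {"restricted": "restricted", "objected": "objected_to_marketing"}[what], True)
        self._log(c, who, what, why)

    def campaign_recipients(self, who: str, role: str, campaign: str) -> List[str]:
        # Mailing list that skips restricted and objecting contacts; each use is logged.
        if role not in CAMPAIGN_ROLES:
            raise AccessDenied(f"{role} may not build mailing lists")
        out = []
        for c in self._contacts.values():
            if c.restricted or c.objected_to_marketing or "email" not in c.data:
                continue
            self._log(c, who, "used in campaign", campaign)
            out.append(c.data["email"])
        return sorted(out)

    def export(self, who: str, role: str, cid: str) -> str:
        # Portability export in a commonly used, machine-readable format (JSON).
        if role not in EXPORT_ROLES:
            raise AccessDenied(f"{role} may not export")
        c = self._contacts[cid]
        self._log(c, who, "exported", "data portability request")
        return json.dumps({"contact_id": cid, "data": c.data, "restricted": c.restricted,
                           "objected_to_marketing": c.objected_to_marketing,
                           "history": c.history}, indent=2)

    def history(self, cid: str) -> List[str]:
        return [f"{h['who']}: {h['what']} ({h['why']})" for h in self._contacts[cid].history]


def build_sample_store() -> CrmStore:
    """Constructed sample data (fictional persons)."""
    s = CrmStore()
    s.create("alice", "sales", "c1", {"name": "Ada Example", "email": "ada@example.org", "company": "Example GmbH"}, "new lead")
    s.create("alice", "sales", "c2", {"name": "Ben Sample", "email": "ben@example.org"}, "trade fair")
    s.create("carol", "service", "c3", {"name": "Cy Test", "email": "cy@example.org", "phone": "+49 30 000000"}, "support ticket")
    s.flag("dave", "c2", "objected", "objection received by e-mail")
    s.flag("erin", "c3", "restricted", "accuracy disputed by data subject")
    return s
```

    Two design points carry over to a real system: the access check lives in one place (`_allowed`) and is applied to writes as well as reads, so a marketing user cannot smuggle a phone number into a record they may not see; and the mailing-list query filters on the restriction and objection flags itself rather than trusting the caller to remember, which is the only way an objection survives the next bulk export or integration.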

    7. Where is personal data stored securely according to the GDPR?



    In some cases the GDPR places additional requirements on data handling. When exporting or transferring data, an adequate level of data protection must also be ensured if the data is sent to locations outside the European Union and the European Economic Area (Chapter V GDPR).

    For certain countries, the EU Commission has decided that their data protection law is adequate (e.g. Japan, Israel and Switzerland). For all other countries, special contracts, normally the Commission's standard contractual clauses, must generally be concluded with the data recipients, and since the Schrems II ruling you must also check whether supplementary measures are needed. Until recently, companies in the USA were able to certify themselves under the Privacy Shield and thus ensure the level of data protection. Please note: the Privacy Shield agreement was declared invalid by the European Court of Justice in July 2020. There was no successor agreement when this article was written; the EU-US Data Privacy Framework adopted in July 2023 has since filled that gap, so check the current status and whether your US provider is actually certified under it before relying on it.

    Please also read the blog article: CRM hosting in Germany

    8 Who is liable for violations?



    In the event of an infringement, the company is liable as the controller. Some companies have already received extremely high fines. To prevent this, you need to check how the GDPR is implemented in your company's CRM in detail with regard to functions, data storage and interfaces.

    If you keep the data in your own data center, you retain sovereignty over it and always know what happens to it. Hosting providers in Germany and Europe are also obliged to work in accordance with the GDPR, and you must conclude a data processing agreement (Art. 28 GDPR) with any provider you use. Either way you remain responsible as the controller, and you are liable for breaches by platforms outside Europe that you have chosen.

    The specifics of data storage for the respective CRM offerings (on-prem, cloud, SaaS, interfaces) are also covered in the following blog articles:

    9. Conclusion: The right CRM helps your company enormously with the implementation of the EU GDPR



    Using a GDPR-compliant CRM system makes it much easier for you to adapt to the EU regulation, and your employees can work in a data-protection-compliant way far sooner, because you save yourself the effort of adapting each work process individually just to ensure that your employees follow the new rules. At the same time, you strengthen the trust of your customers and prospects in your company, and you do not lose any of the customer information that serves as the basis for your company's growth and innovation. German CRM providers will support you in implementing the GDPR.

    Keep an eye on developments at the EU Commission. Further legislation is already in the pipeline: the Data Governance Act, presented at the end of 2020 and applicable since September 2023, is a further step by the Commission to position the EU as a pioneer in the trustworthy handling of data and to turn data protection into a competitive advantage.