NOTE: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.

You may have noticed disclaimers popping up in your CRM, heralding a change in data protection (or something or other – you weren’t really paying attention). While you might be used to brushing off these disclaimers and clicking “accept” without reading the fine print, you may want to pay closer attention to the GDPR and how your CRM handles your customer data.

Replacing the 1995 Data Protection Directive, the GDPR, or General Data Protection Regulation, is a sweeping European regulation aimed at protecting customer data. More than simply an updated “terms of service”, the GDPR provides strict guidelines for European Union member states regarding how to handle personally identifiable customer information. While companies have had two years to prepare for the GDPR, the regulation officially takes effect on May 25, 2018.

If you’re assuming that you can ignore the regulation because your company isn’t based in the EU, think again: any business with customers in the EU must comply with the GDPR. The regulation means that any personally identifiable information of EU customers – no matter where the company itself is based – is protected.

If you’re using a CRM (and according to our research, the majority of you are), you need to make sure that you’re properly handling customer data in order to comply with the GDPR. If not, you risk losing customer trust and paying hefty fines up to €20 million.

Here, I’ll go through what the GDPR is, and the features in a CRM that can help you comply with the regulation.

What the GDPR encompasses

At its core, the GDPR is a set of eight rights that customers have with regard to their personal data and the way that your business handles it. As a company, it’s your responsibility to create policies within your organization to uphold these rights and allow for accountability and transparency regarding your use of customer data.

The eight customer rights within the GDPR are:

  1. The right to be informed about which of their personal data is being collected and how it’s being used. This includes why your company needs that data, how long you’ll keep it, and who else it might be shared with.
  2. The right to access a copy of all of the personal data that you hold about them.
  3. The right to rectification (i.e. to request changes) of personal data on file if it’s inaccurate or outdated.
  4. The right to erasure or deletion of personal data from your database. This is also known as “the right to be forgotten”.
  5. The right to restrict processing of personal data. In this case, your company can still store customer data, but can’t do much with it.
  6. The right to object to the processing of personal data, including its use for things like direct marketing, historical research, or public-interest purposes.
  7. The right to data portability to be able to reuse personal data for the customer’s own purposes. This includes things like switching providers and having their data transferred over to a new provider.
  8. The right to reject automated processing and ask for a manual review of information if the customer feels that automation may not accurately assess their situation.

Some of these rights have stipulations, including the nature of the request and whether the customer has legitimate cause to ask for it. It’s also dependent on how you define your policies in relation to the data that you collect and store about your customers. Having customer consent and informing them about how you use their data is a big portion of that.

Regardless, you need to ensure that your data storage and privacy efforts support the GDPR in case any issues arise.

For a full break-down of the GDPR and the rights and processes involved, check out this guide from the Information Commissioner’s Office.

The CRM features that can help you comply

Becoming fully GDPR compliant starts with your organization and the policies in place to protect customer data. The idea is to have both accountability and transparency of customer data and how it’s being handled. Hiring a data protection officer is ideal, but it’s not always an affordable option for small businesses. Start with putting the right policies in place and ensuring that you and your employees are taking the necessary steps to adhere to them.

While software can’t make you GDPR compliant, there are features that can help you ensure that you’re sticking to the regulation. Since a CRM often acts as the home base for customer data, it’s especially important that your CRM supports managing customer data in a way that’s secure and protects your customers’ rights. This will include rules and security protocols regarding:

  • Data storage and retention
  • Data backups
  • How data interacts with other software that your CRM integrates with
  • Access roles and permissions
  • Consent

Many CRMs have already made or are in the process of making improvements and adjustments to their offerings in order to offer features that’ll make it easier for you to comply with the GDPR. Whether you’re on the market for a new CRM or are looking to see if your current CRM might help support your GDPR policies, consider some of the example features below.

Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context, and are not intended as endorsements or recommendations.

Consent Management

Part of GDPR compliance is having customer consent to collect and store their data, along with explaining (in plain English) why your business needs that data. If you’re using a CRM, check for features that let you add a checkbox when users are signing up to your service that confirms their consent for you to collect and use their data. There should also be a place in your contact’s database entry where you can record this consent, and when you got it.

Tools like Salesforce and HubSpot let you capture this with custom fields. HubSpot, for example, lets you create new properties in its form builder for consent by creating a label and adding your consent text. When users are signing up, you can capture that consent automatically through a checkbox, to be stored in your contact’s database entry.


Subscription Management

GDPR gives customers more control over what type of information they want to receive from you. This is especially true when it comes to marketing materials. In order to make sure that your customers aren’t receiving anything that they don’t want to, check for subscription management tools within your CRM.

Salesforce offers subscription management features, as do Microsoft Dynamics and SuperOffice CRM, as seen below. This feature gives you more visibility into which email marketing campaigns individual customers want to receive, with a section outlined in the database showing which emails any unique customer has subscribed to.


Customer Portal

Offering a front-facing customer portal gives users visibility into the information that you have about them in your database. It also provides an opportunity for customers to request changes to that data if it’s inaccurate. This can be beneficial for both the customer and your customer support department, because it gives your customers more autonomy while eliminating some of the workload from your customer service department.

Some CRMs like Vtiger and NetSuite offer customer portals within their solution, while others have add-ons that create a separate customer portal for your CRM.

Customer 365 is one example, as seen below. The tool offers this service for Sage CRM so that customers can view and access data themselves instead of having to ask a representative from an organization to do it.


Data Export

If you can’t have an external-facing customer portal, data export features are a good option to let you download customer data which can then be sent to customers who want to know what information you’ve got stored about them.

Most CRMs, including big names like Salesforce and Dynamics 365, offer a function for exporting data from your customer database. Pipedrive is another example, where you can export data using different filters including specific people, as seen in the screenshot below.



Being able to remove customer data from your database is an important aspect of the GDPR that you’ll need features for. This includes either removing customer data completely from your database, or detaching details from being associated with customers.

Pseudonymization and anonymization are offered by tools like SAP and Microsoft Dynamics (seen below), which let you remove or encrypt certain fields in your customer database so that the data can’t be seen or accessed. There are also third-party security tools which can help with this process.
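To make the difference between the two approaches concrete, here is an added example (not code from SAP, Microsoft Dynamics, or any other vendor named in this article) showing how pseudonymization, anonymization and erasure can be applied to a CRM contact record. The record shape, field names and the `KeyStore` class are assumptions constructed for illustration. Pseudonymization replaces direct identifiers with keyed HMAC tags that stay consistent (so matching and deduplication keep working) but cannot be reversed without the per-customer key; anonymization strips identifiers irreversibly; erasure removes the live record and destroys the key, so pseudonymized copies in backups or exports can no longer be linked back to the person.

```python
"""Added example: pseudonymization, anonymization and erasure of CRM records.

Not code from any CRM vendor named in the article. The record layout, field
names and sample values below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample record shaped like a CRM contact (not real data).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+44 20 7946 0000",
    "country": "GB",
    "signup_year": 2017,
    "purchases": 3,
}

# Fields that identify a person directly; these are what pseudonymization replaces.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


class KeyStore:
    """One random key per customer (hypothetical store, kept in memory here).

    Deleting a customer's key makes every pseudonym derived from it
    unlinkable, which is how erasure can reach copies in backups or exports
    that cannot be rewritten in place (sometimes called crypto-shredding).
    """

    def __init__(self):
        self._keys = {}

    def get_or_create(self, customer_id):
        if customer_id not in self._keys:
            self._keys[customer_id] = secrets.token_bytes(32)
        return self._keys[customer_id]

    def get(self, customer_id):
        return self._keys.get(customer_id)

    def delete(self, customer_id):
        return self._keys.pop(customer_id, None) is not None


def _tag(key, field, value):
    # HMAC keyed per customer: deterministic (joins and dedup keep working),
    # but not reversible and not guessable without the key. The field name is
    # mixed in so the same value in two fields yields two different tags.
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return "pseudo:" + digest[:32]


def pseudonymize(record, keystore):
    """Return a copy with direct identifiers replaced by keyed pseudonyms.

    The customer_id is kept so the key can still be found; under the GDPR
    pseudonymized data is still personal data and must be handled as such.
    """
    key = keystore.get_or_create(record["customer_id"])
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = _tag(key, field, out[field])
    return out


def matches(pseudo_record, field, candidate, keystore):
    """Check whether a known value (e.g. an email quoted in a support request)
    corresponds to a pseudonymized field. Only possible while the key exists."""
    key = keystore.get(pseudo_record["customer_id"])
    if key is None:
        return False
    return hmac.compare_digest(pseudo_record[field], _tag(key, field, candidate))


def anonymize(record):
    """Irreversible: drop the customer id and all direct identifiers, keeping
    only non-identifying attributes for aggregate reporting."""
    return {k: v for k, v in record.items()
            if k != "customer_id" and k not in DIRECT_IDENTIFIERS}


def erase_customer(records, customer_id, keystore):
    """Right to erasure: remove the live record and destroy the key so that
    pseudonymized copies elsewhere can no longer be linked back."""
    keystore.delete(customer_id)
    return [r for r in records if r["customer_id"] != customer_id]


if __name__ == "__main__":
    ks = KeyStore()
    pseudo = pseudonymize(SAMPLE_RECORD, ks)
    print(pseudo)
    print(matches(pseudo, "email", "jane@example.com", ks))
    print(anonymize(SAMPLE_RECORD))
    print(erase_customer([SAMPLE_RECORD], "C-1001", ks))
```

The point of the per-customer key is the failure mode the article's erasure discussion raises: a record you delete from the live database usually survives in backups and old exports. If those copies hold only keyed pseudonyms, destroying the key honours the erasure request for them too, while the anonymized view keeps the aggregate statistics you are still allowed to retain.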


While this isn’t an extensive list of the features offered by every CRM to help you comply with the GDPR, it gives you a good idea of what to look for before deciding on a CRM for your business. As GDPR quickly becomes a reality, any features that’ll help you comply with less friction will only benefit your compliance efforts.

Stay ahead of the curve

It’s still up in the air as to who exactly will be policing GDPR compliance and what that might look like. It’s likely that we won’t know until the first case is brought to light. To avoid being the test case, make sure that your company is doing its part to comply with the GDPR.

  • Come up with internal policies and procedures for enforcing data protection regulations.
  • Keep track of and record the ways in which your company is complying with the GDPR.
  • Check the website for the CRM that you’re looking at to make sure that it’s got a GDPR plan in place that’ll support your policies for compliance.
  • Hire a DPO (if possible), and get legal counsel to ensure that you’re following the right procedures.

Remember: it’s not just your CRM that needs to be GDPR compliant. Any software that you use to manage customer data needs to comply with the GDPR. Before reflexively scrolling and clicking to confirm, make sure to read the fine print.
