Repeat after me: GDPR starts with the processes (and policies), not with the systems.
This is something your systems provider should have told you a long time ago:
First of all, Business PROCESSES must be compliant with GDPR, and then the systems will have to support those processes – not the other way around.
What does this mean?
It means that implementing System XYZ from ACME will not make your organisation compliant overnight. If someone tells you it will, please don’t believe them.
A best of breed CRM system will HELP (and please note the difference between “help” and “make”) your organisation become compliant because:
- It is built using industry best practices for data security.
- It is built using industry best practices for user permissions and traceability: role-based access control, and audit logs that record who viewed or changed what, and when.
- It is built to be flexible enough to support ever-changing requirements, including changes in regulatory compliance. This means you can configure the system, customise it, or, as a last resort, write custom code so that it supports your processes.
Looking at the Principles of GDPR, personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals: IT systems such as a CRM will help an organisation keep a record of what it does with personal data and log who did what. But it is each organisation's responsibility to establish the policies that determine how data is processed, and to ensure that all users know those policies and act accordingly.
- Adequate, relevant and limited to what is necessary: a good CRM system can help you enforce these boundaries, but, again, defining them is up to each organisation. You can prevent your CRM system from having a field called “Age” or “Home Address”, but first you need to decide, under the principle of data minimisation, that your organisation should not collect that information. Again, you start with the policies, not with the systems.
- Accurate and, where necessary, kept up to date: centrally managed systems help a lot here. If you know where all your data is, it is far easier to update it, to provide it when requested, and to delete it when appropriate. You still need a policy and procedures that define who does what in each of those situations.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed: having a CRM system will again help, for example by recording when data was collected and for what purpose. However, it is the organisation that has to determine the purpose and the retention period, and then configure the system to enforce it.
- Processed in a manner that ensures appropriate security of the personal data: enterprise-level CRM systems are built on mature security technology (encryption, access controls, audit logging) and are therefore a considerable step towards compliance. However, as with any other system, organisations still need processes and controls to ensure that personal data is only available to those who need it, that those users understand and respect the boundaries of their access, and that the security features are actually configured and used rather than left at their defaults.
GDPR compliant system – summary:
- A CRM system, or any other system for that matter, will not, on its own, make you GDPR compliant. CRM systems (good ones at least) can be customised to support the business processes that you define for personal data. But it is those processes that need to be compliant to start with.
- The system will HELP your business become compliant, and it will help demonstrate compliance. From embedded security features to integration with marketing automation tools, there are many ways in which a proper CRM system can help. BUT “switching on” the out-of-the-box version will not be enough, unless your processes happen to be an exact match for what that system delivers by default, which happens… never.
- There are many good reasons why you should implement a CRM system, but you ARE NOT required by law to have one in order to become GDPR compliant. Yes, I have recently heard people say that you are, hence this apparently obvious statement.
- When in doubt, read the ICO’s Guide to GDPR.
For the large majority of organisations, GDPR is not something you throw money at. Having a healthy budget to update or upgrade your systems and hire a few experts certainly won't hurt, but in most cases it is the commitment and involvement of the entire business, especially the management team (all of them, not just the IT Manager!), that will get you through the 25 May 2018 deadline.