An Introduction to GDPR CRM Compliance
Customer relationship management (CRM) systems and other sales and marketing platforms are great tools for improving interactions with customers and helping advance prospects along the sales pipeline. But because these systems ingest sensitive data to perform their tasks, they’re also breeding grounds for possible violations of the European Union’s General Data Protection Regulation (GDPR). The massive volumes of personal data processed, stored, and transmitted by a CRM can be difficult to track and contain, so close monitoring and diligent security measures are required to ensure the customer data you collect via a CRM is protected in compliance with relevant regulatory obligations.
According to a Global Alliance of Data-Driven Marketing Associations study, 92 percent of organizations store customer and prospect data in databases, so virtually every company is potentially subject to the requirements of the GDPR. In reality, everyone and everything that touches the personal data of EU citizens needs to handle it in adherence to the standards laid out in the GDPR.
However, despite the daunting amount of information retained by CRM platforms, they can actually be an aid—not a hindrance—to GDPR CRM compliance if their processes for data collection, storage, and access are customizable. For example, popular inbound sales and marketing platform HubSpot offers functionality and resources to support GDPR CRM compliance practices, ensuring all the system's methods for gathering and retaining data are GDPR-approved.
Ultimately, we recommend leaning on the expertise of your organization’s legal team and other compliance specialists to ensure you’re meeting the requirements of GDPR CRM compliance. But to get you headed in the right direction, here’s an overview of the regulation’s key tenets and a few tips for better positioning your organization to comply.
Key Concepts of GDPR CRM Compliance
One of the most significant aspects of the GDPR is its global reach. Any organization—regardless of its geographical location—that processes, stores, or transmits personally identifiable information (PII) must adhere to the GDPR’s standards if it’s collecting the data of EU citizens. As a result, maintaining compliance and security everywhere an organization operates is paramount, but most companies do not have the resources necessary for constant global protection, detection, and incident response for the sensitive data they process. This is where security providers can fill the gap in an organization’s defenses, and technologies such as tokenization can help simplify the compliance process.
An organization found to be willfully or intentionally in violation of the GDPR is subject to administrative penalties of 4 percent of annual turnover or €20 million, whichever is greater. Accidental infractions or negligence of the data protection mechanisms in the GDPR can result in penalties of the greater of 2 percent of annual turnover or €10 million. However, these fines do not include the cost of litigation, customer loss, systems changes, and other related fallout for failing to protect sensitive data.
For example, Marriott was fined more than $100 million after hackers exposed hundreds of millions of its guest records, and British Airways was fined a record $230 million for similar violations. But the projected losses for these companies based on compromised consumer trust and other difficult-to-quantify factors are much greater. Only time will tell the true cost of noncompliance.
The consent of data subjects for processing their data is not required in every case, but it is strongly encouraged if an organization might not otherwise have a compelling or legitimate legal reason for retaining that data. When providing an agreement for consent, organizations are no longer allowed to use complicated, obscure, or other difficult-to-understand terms and conditions to gain consent for data processing. In other words, the individual granting consent must be able to clearly understand the terms of the agreement and must be given an opportunity to refuse or acquiesce.
Breach Notification Policy
Organizations are required to report a data breach to a supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to put the rights and freedoms of the affected individuals at risk, those individuals must also be informed without undue delay. As part of any breach notification process, business continuity and disaster recovery are the top priorities. Security providers are especially helpful when responding to and recovering from a data breach. For example, if the personal data compromised in a breach has been deidentified using tokenization, an organization may not be obligated to notify the associated individuals.
Right to Access & Right to be Forgotten
Individuals have the right to obtain confirmation from the data controller as to whether their personal data is being processed, where it is being processed, and for what purpose it is being processed. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. Data subjects also can request that the controller erase and cease further dissemination of his or her personal data. This is also known as the right to erasure.
Privacy/Data Protection by Design and Default
Article 25 of the GDPR obligates organizations to consider data protection by design and by default. This concept requires data security to be built into the design of systems, as opposed to tacked onto existing processes and infrastructure. It also means that controllers are to hold and process only the data necessary to fulfill whatever need the data was collected for in the first place and to limit the access to customer data to the proper personnel. This practice is known as data minimization.
Learn how tokenization can help address other regulatory compliance obligations in our "Privacy Solutions" ebook.
Key Terms of GDPR CRM Compliance
Personal data is an often confused term. It’s used broadly to refer to all types of sensitive data, but within the context of the GDPR, it’s defined as any information “related to an identified or identifiable natural person.” The natural person portion is particularly important in how it relates to another key term, data subject. In order for data to be considered personal data—and as a result, protected by the GDPR—it needs to be associated with a data subject, or “an identifiable natural person.”
The full definition of a data subject according to Article 4.1 of the GDPR is “an identifiable natural person … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person….” Simply put, data subjects are people whose personal data can be used to identify them. Understanding this can help you determine which elements of stored data are subject to the GDPR.
Any organization or entity that collects the personal data of EU citizens is a data controller. The controller is responsible for obtaining consent and complying with the requests of the data subject in the event that the data subject opts out of an agreement or asks that its data be deleted—even if the data in question is in the possession of a data processor.
A data processor is any organization or entity that handles the personal data collected by the data controller. Although the controller is responsible for managing consent and other communications with data subjects, processors still can be penalized for noncompliance. They also face additional requirements specific to their roles as processors of the original data.
According to Article 4(5) of the GDPR, pseudonymization is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” The GDPR specifically mentions pseudonymization as an appropriate method for deidentifying data. In fact, Recital 29 mentions incentives for organizations to apply pseudonymization, and Articles 25 and 32 specifically call out pseudonymization as an appropriate technical measure for protecting personal data.
How Tokenization Can Help With GDPR CRM Compliance
When implemented properly, security technologies such as tokenization can play a significant role in protecting sensitive data sets to meet the requirements of GDPR CRM compliance. Because tokenization removes sensitive data from internal systems, securely stores it, and then returns a nonsensitive placeholder to organizations for business use, it can virtually eliminate the risk of data theft in the event of a breach. This makes tokenization a particularly useful tool for risk reduction and compliance.
Tokenization not only secures sensitive data, but it also devalues it. In other words, it desensitizes the data via the process of pseudonymization, which we mentioned previously as an effective compliance strategy. Additionally, tokenization can help organizations fulfill certain measures of GDPR CRM compliance and requests from data subjects. With the right security controls in place, protected data can be temporarily detokenized when the information is required for processing or is requested by the data subject. In the event that an individual requests to be forgotten, an organization can simply delete the token on the tokenization provider’s system to comply with that request.
Yet another benefit of tokenization is that in the event of a data breach, an organization may not have to notify the affected individuals. If a threat actor infiltrates your environment, tokens—not personal data—are the only information that could be stolen. In effect, no data breach has actually occurred; therefore, there’s no need to issue a breach notification.
As we mentioned earlier, though, the best compliance tip we can give you is to follow the advice and expertise of your organization’s legal and security teams. This blog is meant to be a primer—not comprehensive, exhaustive guidance.
One more important thing to keep in mind: Don’t get caught up in the GDPR CRM compliance struggle. Instead of focusing too much on individual controls or determining how to achieve minimum compliance, take a data-centric approach that prioritizes security and risk reduction. If those concerns are satisfied sufficiently, compliance virtually takes care of itself.