In May 2018, data protection laws will change thanks to the introduction of a new directive from the European Union. This new ruling is called the General Data Protection Regulation (GDPR). The new directive aims to streamline data protection by bringing a standard practice into place for any and all businesses operating in the European Union. If you’re a CRM user and/or manager, here’s what you need to know.
First things first. Disclaimer: The information in this blog is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an advisor or solicitor.
With that out of the way, we can move on to what, in my opinion, is the single biggest challenge facing anyone involved with CRM. Put simply, GDPR will change the way we do business. Whilst there is still some uncertainty around specific details, the principles of GDPR are now clear.
Keep Calm and Carry On
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. If data protection is new to you, then to start the familiarisation process, you might like to complete the Information Commissioner’s Office (ICO) readiness survey online:
If you are ready to take your first steps into the world of GDPR then this link from the ICO provides a handy guide on what to do:
GDPR for marketers – what’s all the fuss about?
In future blogs I will cover other concerns, but today I am focussing on how GDPR can restrict how marketers can “process” data, and by processing I mean use!
There are six legal grounds for processing personal data in the GDPR but marketers are only likely to make use of two of those legal grounds for their data-driven marketing activities. One is “consent” and the other is “legitimate interest”.
It is the issue of consent that is requiring changes to the way we conduct marketing activities, in particular the use of email, mail and telephone calls to communicate with customers and prospects. GDPR requires that consent is now “explicit” and cannot be “assumed.” So web pages that automatically subscribe visitors to a monthly newsletter, when providing a bit of downloadable content, are now outlawed. Indeed, even such basics as automatically subscribing customers to a newsletter may no longer be possible – unless you can provide evidence of “legitimate interest”. If you do rely on “legitimate interests” you should maintain a record of the assessment you made, so that you can demonstrate you have given proper consideration to the rights and freedoms of data subjects. Also, be aware that data processed on the basis of legitimate interests is subject to a right to object – which can only be rejected where there are “compelling” reasons.
So if you are planning on using any data to communicate with customers or prospects then you need to act now to ensure you are compliant before May 2018.
Building GDPR consent into your CRM system
The GDPR sets a high standard for consent. Before you throw your hands up in despair, remember that doing consent well will put individuals in control, build customer trust and engagement, and enhance your reputation. A well implemented approach to GDPR could actually help you to acquire, retain and develop customers. One of the most common concerns around GDPR is that you will no longer be able to fire out marketing emails to anyone and everyone. This is true, but sending irrelevant communications to disinterested recipients damages your brand and reputation. That damage is significantly more expensive than any possible chance “hits”.
The first thing to do is check your consent practices and your existing consents. Do you have the right consents in place to continue to communicate with customers and prospects after May 2018? If you are in doubt, you have time to refresh consents if they don’t meet the GDPR standard. Well thought out email campaigns that communicate the limits of existing consent and offer clear benefits to the recipient of increasing consent should be number 1 on your list of things to do.
Remember, consent means offering individuals genuine choice and control. It requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. Luckily, the CRM tools we work with can offer individuals access to their consent record on a web page. They can then update their record with the levels of consent they feel happy with.
Explicit consent requires a very clear and specific statement of consent, so it is best practice to keep your consent requests separate from other terms and conditions. Once again, our CRM tools allow you to be specific and granular. You can configure the preference centre to provide the right levels of detail to help individuals decide which topics are relevant to them.
As a benefit of storing this information in your CRM system, you can keep evidence of consent – who, when, how, and what you told people. You will need to keep consent under review and refresh it if anything changes.
In summary, keep in mind the following when you build GDPR into your CRM system:
- provide clear, understandable notice to users of the consent you want
- capture and log consent at the point of data collection
- provide users the ability to see what has been collected
- provide users the ability to easily revoke their consent and erase their data
- be able to notify users in a timely manner in the event of a data breach
Once you have implemented GDPR compliance in your system, then you can start to think about using that data.
Photo credit: Paul Pitman