Customer relationship management (CRM) is no longer considered just an application; it is given the highest priority when it comes to understanding your customers and aligning the business accordingly.
CRM systems have delivered huge value to organizations by addressing customer-related issues on a day-to-day basis. Ultimately, with the right use of CRM systems, companies benefit a lot in terms of customer satisfaction, increased efficiency, and improved profitability.
GDPR regulation helps to safeguard the processing of personal data and its free movement. The regulation protects the freedom and fundamental rights of people in terms of the protection of their personal data and respect for their privacy. In this article, we will discuss the GDPR and why it is important for any business that wants to deal with the data of EU users to be GDPR compliant.
This article is an excerpt from the book The Art of CRM, written by CRM expert Max Fatouretchi. Max shares his decades of experience building successful CRM systems that make a real difference to business performance. Through clear processes, actionable advice, and informative case studies, this book teaches you to design successful CRM systems for your clients.
GDPR is a regulation within European Union (EU) law that covers personal data protection and privacy for the citizens of the EU. All global businesses, no matter where they are in the world, that are dealing with European users and clients are affected by this law. For example, Facebook has its headquarters in California, in the United States; however, since you can use it in France, which is within the EU, Facebook must be GDPR compliant.
GDPR was adopted by the European Parliament on the 27th of April 2016 and was enforceable throughout the EU by May 25th, 2018. GDPR replaces the 1995 European Data Protection Directive.
The regulation aims primarily to give control back to European citizens and residents over their personal data, or Personal Identifier Data (PID). It's designed to simplify the regulatory environment for international business by unifying the regulation within the EU.
What GDPR does for a company is help it regulate a number of processes it will face when handling and storing its clients' personal data. To work successfully, it requires people within your organization to be assigned to, and made responsible for, specific roles.
The regulation itself consists of a set of rules. These rules protect the personal data and the PID of European residents. An example of complying with GDPR would be your company applying the highest possible privacy settings by default, so that a user's data may not be processed unless this is done as specified by the regulation, and so that personal data is not made publicly available without the explicit and informed consent of the user.
In Figure 1, you can see how GDPR is made up of three key elements within your company: the people, both customers and those who have the "roles" assigned to them; the data that you are managing; and the process that you're using to ensure your compliance with the regulation.
Figure 1: GDPR regulates the processing and controlling of personal data of EU clients
As a global leader in research and a key advisory firm in the IT and business applications sector across the world, Gartner believed that by the end of 2018, more than 50 percent of companies affected by GDPR regulation were not in full compliance with its requirements.
Personal data is defined broadly under GDPR as any data that relates to an identified or identifiable natural person.
So, where exactly would a company get personal data belonging or relating to EU residents from? The list, as you can imagine, is quite large, but I've highlighted some of the most common sources below:
If the organization deals with any of this information, then it needs to determine how GDPR applies to it and what it needs to do in order to ensure it complies with the regulation.
This is why we're so interested in GDPR: CRM applications are among the primary applications and data sources that need to comply with GDPR regulations.
Personal Identifier Data, or PID for short, is a subset of Personally Identifiable Information (PII) data elements, which identifies a unique individual and can permit another person to "assume" an individual's identity without their knowledge or consent.
The key examples of PID include:
There are also other categories of European-defined sensitive data that are globally treated as PID, and not just for citizens of the EU. These include a person's:
GDPR also requires some organizational measures, such as assigning a staff member as a data protection officer. This person will be responsible for the implementation of the regulation and for providing assurance that its requirements have been properly complied with.
While GDPR preserves most of the principles established in the earlier European Directive, it is a more ambitious law. Among its most notable changes, GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, manage, or analyze personal data, or PII.
GDPR also gives national regulators new powers to impose significant fines on those who fail to comply with the law. These could be up to 4% of global revenue for organizations that breach the law. Companies that have been fined include Facebook (October 2018) and Equifax (September 2018), both of which were fined £500,000.
GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. A single set of rules applies to all EU member states. Each member state establishes an independent Supervisory Authority (SA), such as the Information Commissioner's Office in the UK, which will both hear and investigate complaints and sanction administrative offenses. In turn, each of these SAs will co-operate with those from across the EU.
Under European data protection law, organizations harvesting personal data are divided into "Controllers", or the entities which control and manage the personal data, and "Processors", the entities that process personal data only on the instructions of the controllers, such as cloud providers.
Before we look at what each of these two roles involves, there are several significant obligations that a company must address when complying with GDPR. These include:
Let's now move on to look at both the controller and processor, two key roles that are vital to any compliance with GDPR.
In the previous section, we introduced the roles of both the controller and the processor. In this section, we're going to break down each of those roles in more detail.
It's important to identify and become familiar with these two roles and the responsibilities they have, as they are accountable for compliance with GDPR and have obligations towards the authorities.
In Chapter 4 of the GDPR regulation, three key subjects are defined:
GDPR applies to both controllers and processors of PID. If you are controlling and processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organization is located within the EU, then these roles apply to you.
In this article, we have briefly explained the General Data Protection Regulation (GDPR) and its relevance to each individual, and set out step by step the obligations of GDPR that must be adhered to by companies in the EU.
Learn how to master modern customer relationship management from our latest book, The Art of CRM, written by Max Fatouretchi.
About the Author
Max Fatouretchi's CRM journey began 20 years ago when he started his own customer relationship management company in Vienna, Austria. Seven years later he joined the business solutions team of Microsoft to lead business development for CRM and ERP products, technology development, and engagement with large companies across the globe. Throughout these years he has been engaged in some 200 CRM implementations across various continents, including Europe, Asia, Latin America and Africa. As a mentor and trainer, in 2004 he started the Academy4CRM institute, where he taught CRM classes across Europe.