How CRM systems help bridge the gap between the customers and business by Max Fatouretchi

Customer relationship management (CRM) is no longer considered just an application; it is given the highest priority when it comes to understanding your customers and aligning the business accordingly.

CRM systems have delivered huge value to organizations by addressing customer-related issues on a day-to-day basis. Ultimately, with the right use of CRM systems, companies benefit a lot in terms of customer satisfaction, increased efficiency, and improved profitability.

The GDPR safeguards the processing of personal data and the free movement of that data. The regulation protects the fundamental rights and freedoms of people with regard to the protection of their personal data and respect for their privacy. In this article, we will discuss the GDPR and why it is important for any business that deals with the data of EU users to be GDPR compliant.

This article is an excerpt from the book The Art of CRM written by CRM Expert Max Fatouretchi. Max shares his decades of experience building successful CRM systems that make a real difference to business performance. Through clear processes, actionable advice, and informative case studies, this book teaches you to design successful CRM systems for your clients.

What is GDPR?

GDPR is a regulation within European Union (EU) law that covers personal data protection and privacy for the citizens of the EU. All global businesses, no matter where they are in the world, that are dealing with European users and clients are affected by this law. For example, Facebook has its headquarters in California, in the United States; however, since you can use it in France, which is within the EU, Facebook must be GDPR compliant.

GDPR was adopted by the European Parliament on the 27th of April 2016 and became enforceable throughout the EU on May 25th, 2018. GDPR replaces the 1995 European Data Protection Directive.

The regulation aims primarily to give control back to European citizens and residents over their personal data, or Personal Identifier Data (PID). It's designed to simplify the regulatory environment for international business by unifying the regulation within the EU.

What GDPR does for a company is help it regulate the processes it faces when handling and storing the personal data of its clients. To work successfully, it requires people within your organization to be assigned to, and made responsible for, specific roles.

The regulation itself consists of a set of rules. These rules protect the personal data and the PID of European residents. An example of complying with the regulation is applying the highest possible privacy settings by default, so that a user's data may not be processed except as specified by the regulation, and personal data is not made publicly available without the explicit and informed consent of the user.

In Figure 1, you can see how GDPR compliance is made up of three key elements within your company: the people (both customers and those who have "roles" assigned to them), the data that you are managing, and the process that you're using to ensure your compliance with the regulation.

Figure 1: GDPR regulates the processing and controlling of personal data of EU clients

Gartner, a global leader in research and a key advisory firm in the IT and business applications sector across the world, believed that by the end of 2018, more than 50 percent of companies affected by the GDPR regulation were not in full compliance with its requirements.

Personal data is defined broadly under GDPR as any data that relates to an identified or identifiable natural person.

So, where exactly would a company get personal data belonging or related to EU residents from? The list, as you can imagine, is quite large, but I've highlighted some of the most common sources below:

  • Forms that have been filled out by customers.
  • The contents of emails.
  • Photographs.
  • CCTV footage.
  • Loyalty program records.
  • Human resources databases.

If an organization deals with any of this information, then it needs to determine how GDPR applies to it and what it needs to do in order to ensure it complies with the regulation.

This is why we're so interested in GDPR: CRM applications are among the primary applications and data sources that need to comply with GDPR regulations.

Personal Identifier Data

Personal Identifier Data, or PID for short, is a subset of Personally Identifiable Information (PII) data elements which identify a unique individual and can permit another person to "assume" an individual's identity without their knowledge or consent.

The key examples of PID include:

  • Birthdate.
  • Bank account number.
  • Fingerprint or voiceprint.
  • Personal Identification Number (PIN).

There are also other categories of European-defined sensitive data that are globally treated as PID, and not just for citizens of the EU. These include a person's:

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade-union membership.
  • Health or sex life.
  • Offenses, criminal convictions, or security measures.
  • Proceedings from crimes or offenses.

GDPR also requires some organizational measures, such as assigning a staff member as a data protection officer. This person is responsible for implementing the regulation's requirements and ensuring that they have been properly complied with.

While GDPR preserves most of the principles established in the earlier European Directive, it is a more ambitious law. Among its most notable changes, GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, manage, or analyze personal data, or PII.

GDPR also gives national regulators new powers to impose significant fines on those who fail to comply with the law. These could be up to 4% of global revenue for organizations that breach the law. Companies that have been fined include Facebook (October 2018) and Equifax (September 2018), both of which were fined £500,000.

GDPR obligations

GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. A single set of rules applies to all EU member states. Each member state establishes an independent Supervisory Authority (SA), such as the Information Commissioner's Office in the UK, which hears and investigates complaints and sanctions administrative offenses. In turn, each of these SAs co-operates with those from across the EU.

Under European data protection law, organizations harvesting personal data are divided into "Controllers", or the entities which control and manage the personal data, and "Processors", the entities that process personal data only on the instructions of the controllers, such as cloud providers.

Before we look at what each of these two roles involves, there are several significant obligations that a company must address when complying with GDPR. These include:

  • Consent: It must be as easy for the user to withdraw consent as it is to give it.
  • Breach notification: The processors are obliged to inform both the controller and clients within 72 hours of a breach.
  • Right to access: The data controller should provide an electronic copy of personal data for free to the subject of the data.
  • Right to be forgotten: The data controller must erase personal data on request from the subject of the data.
  • Data portability: Allows the data subject to obtain and reuse their personal data.
  • Privacy by design: Ensures data protection from the onset of the design of the application.
  • Appointment of Data Protection Officers (DPO): A role given to a qualified officer who is appointed in public authorities.

Let's now move on to look at both the controller and processor, two key roles that are vital to any compliance with GDPR.

Controller and Processor roles

In the previous section, we introduced the roles of both the controller and the processor. In this section, we're going to break down each of those roles in more detail.

It's important to identify and become familiar with these two roles and the responsibilities that they have, as they are accountable for compliance with GDPR and have obligations towards the authorities.

In Chapter 4 of the GDPR regulation, three key subjects are defined:

  • Data subject: Defined as "an identified or identifiable natural person." For the purposes of GDPR, that data subject is covered, regardless of the person's nationality or place of residence within the EU, in relation to the processing of their personal data.
  • Controller: Defined as, "the natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data." Within the context of the GDPR, a controller does not have to be located within the EU for GDPR to apply to them. As the controller you have two key roles to play:
    • Give data subjects a copy of their personal data, together with an explanation of the categories of their data being processed, the purposes of that processing, and the categories of third parties to whom their data may be disclosed.
    • Help every individual exercise their right to correct inaccurate personal data, erase data or restrict its processing, receive their data in a readable form, and, where applicable, fulfill a request to transmit their data to another controller.
  • Processor: Defined as, "a natural or legal person, public authority, agency, or another body which processes personal data on behalf of the controller." Here, the processor's main role is to:
    • Implement the appropriate technical and organizational measures to assist in responding to requests from data subjects exercising their rights, as discussed above.

GDPR applies to both controllers and processors of PID. If you are controlling and processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organization is located within the EU, then these roles apply to you.

In this article, the General Data Protection Regulation (GDPR) has been explained in brief, along with its relevance to each individual. The obligations of GDPR that must be adhered to by companies in the EU have been stated step by step.

Learn how to master modern customer relationship management from our latest book The Art of CRM written by Max Fatouretchi.

About the Author

Max Fatouretchi's CRM journey began 20 years ago when he started his own customer relationship management company in Vienna, Austria. Seven years later he joined the business solutions team of Microsoft to lead business development for CRM and ERP products, technology development, and engagement with large companies across the globe. Throughout these years he has been engaged in some 200 CRM implementations across various continents, including Europe, Asia, Latin America, and Africa. As a mentor and trainer, in 2004 he started the Academy4CRM institute, where he taught CRM classes across Europe.