GDPR and CRM system compliance

This is an article about CRM and GDPR compliance.

We are starting to receive questions from customers asking if their Dynamics 365 / CRM system is GDPR compliant. Right now (July 2017) the likely answer in most cases will be no.

Why is my CRM system not compliant?

As things stand at the time of writing, your company has probably not yet completed its definition of GDPR policies. Until it has, how can your CRM be deemed compliant?

The initial focus should not be on the technology; it should start with your GDPR policies.

Your policies will dictate what the systems need to do to support your compliance position. For example, simply having a CRM system that collects personal data doesn’t make it compliant. If your policies state that you only need name, address and email information to carry out the required management/service for your customers, then your CRM needs to be configured so that this is all it is able to store.

Your CRM should not allow users to enter personal details beyond that, such as age, marital status etc.; otherwise your CRM system is clearly not compliant, because it is not following the policies that have been defined around the agreed business need. There is then the associated data to consider, such as emails and transactional history like Orders, Cases, enquiries etc.

How long can CRM hold a person’s data?

The GDPR legislation has rules around these policies which mean that, depending on your specific business needs, there may be limitations on the extent of this data, the length of time it is reasonable to hold it, etc. The legislation indicates that, for example, beyond a product warranty period there would be no reasonable need for a company to retain that person’s data. Your policy would need to state a case as to why a longer retention period is appropriate.

However, the subject area of emails alone brings complexity. Does this include all emails a person has simply been copied on? If emails are stored in CRM, then there is the double issue of managing this whole area in both your email service and CRM.

But what do I do with the data in the backups?

There is also the consideration of backups and archiving, and this applies to CRM as much as to any other application. So, for example, when you are using an online hosted instance of a CRM, you need to understand the archiving and backup processes of that online system. If your policies state that you will delete any records of a certain nature that are more than N years old, you need to know that this deletion can be done and that it will also be carried through to the backups and archives taken of your online instance.

The right to be forgotten

Similarly, when an individual requests an update of their information, a report of what information you hold on them, or exercises their right to be forgotten, your policies need to define the requirements that your system must be able to support.

Clearly good data quality, a subject very close to our hearts, is going to be an even greater requirement under GDPR than it has been to date simply to make CRM work efficiently. When such requests are made, high quality data will make it easier to ensure you identify the right person and that the person has only one record in your system. Any actions required can then be carried out in confidence. For example, if a person simply requests not to be contacted, i.e. unsubscribes, then because there is only one record they will not continue to receive communications through a duplicate entry in the CRM that was missed.

Where do I go from here?

This article has not been intended to give you specific details on how to make your Dynamics 365 or other CRM system GDPR compliant; it should now be pretty clear that this is an impossible ask. Start with your policies, then look at the systems, not just CRM, and start considering each system against the policies.

Microsoft is posting a lot of advice and guidance, some with specific reference to their technologies and how they can help towards compliance, but there is no silver bullet.

Further information is available here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx