GDPR and CRM – how much do you remember?

Published: January 2019

The New Year is here, and we’ve been doing some early spring cleaning. After the busy latter half of 2018, it’s fair to say that some people’s knowledge of GDPR has gotten a little dusty. But don’t worry, we’re here to help shake those brains free of any lingering GDPR cobwebs. Let’s get started: shall we keep or blow away these statements?

GDPR and CRM Systems

“I was GDPR compliant on the 25th May 2018. Job done!”

Let’s definitely blow away this statement.

GDPR was not based solely on a fixed deadline, and GDPR compliance on a fixed date will not continue indefinitely.

Some of the key pillars of the legislation are around the ongoing management of data, and your processes. A lot of hard work was done on companies’ data protection processes in the build-up to the 25th of May, but these are not evergreen.

It’s not suggested that you change all your company’s processes every day, but if there is a significant change to your business or the landscape in which your business operates, then your processes will need to accommodate the change.

What is a significant change, you ask? That is up to you to work out for your individual business.

One compliance step is carrying out Privacy Impact Assessments on proposed business changes to assess their significance for data protection.

Cloud storage systems such as SharePoint can be helpful to smaller businesses to record their privacy impact assessments.

“Having a GDPR compliant CRM system makes my company GDPR compliant.”

Dust this statement away quickly!

Whilst a ‘GDPR compliant’ CRM system won’t hinder your compliance journey, there is no single solution for compliance. Compliance is made up of a multitude of factors; technology is only one of these.

However, CRM systems are a very positive step to take.

It must be remembered though that a ‘GDPR compliant CRM system’ can be a misunderstood phrase – it is possible to use such a system in a noncompliant way.

A ‘GDPR compliant CRM system’ describes its design and infrastructure rather than the use of it. Using it will not make you compliant, but it is designed to guide general usage in a compliant way and built with compliance in mind.

For example, it is possible to import third-party mailing lists into most CRM systems, but this is often not advised, since there can be no guarantee that the data has been obtained lawfully. In fact, certain marketing software such as ClickDimensions disallows the use of these types of lists in its terms of use.

“GDPR negatively affects my relationship with my customers!”

You get points for being concerned about your customer relationships, but this statement can be brushed away too.

This statement would only be true if every aspect of your business was entirely noncompliant with GDPR. For you though, GDPR positively affects your customer relationships!

It should not be forgotten that the heart of the General Data Protection Regulation is to enhance the rights of EU citizens and increase your accountability. Customers are not put off by the fact that you are abiding by the law, are accountable and transparent to them, and are respecting their rights.

If your concerns are around your communications and marketing activities with your customers, the same sentiment applies. Good business relationships are based on trust, and it is important that the customer knows that your relationship with them is legitimate.

What would negatively affect your relationship with your customers is if you communicated irrelevantly with them against their will. The GDPR compliant act of managing customer subscription and communication preferences ensures that your communication with your customers is relevant and desired.

Additionally, culling your databases of dead emails and contacts that you haven’t spoken to in 20 years is positive for your business relationships, amongst other things. Your marketing efforts and success metrics won’t be skewed by fruitless connections and you can better focus on your profitable relationships.

GDPR and the concept of CRM share certain pillars – that your customer data should be clean and organised, and that communications with your customers should be relevant. If you’re already using a CRM system, you are supporting a GDPR compliance sentiment.

If you aren’t using a CRM system, make sure that you have the resources available to safely and legally manage your customers’ data. Your customers are relying on you.

Disclaimer: We are not lawyers and this article is not official legal guidance. If you have any doubts about your GDPR compliance in the UK, consult the Information Commissioner’s Office.

Katrina Caswell, Marketing Assistant

To find out more about CRM and GDPR, please contact us.

Systems are not compliant with GDPR, Processes are

Repeat after me: GDPR starts with the processes (and policies), not with the systems.

This is something your systems provider should have told you a long time ago:

First of all, Business PROCESSES must be compliant with GDPR, and then the systems will have to support those processes – not the other way around.

What does this mean?

It means that implementing System XYZ from ACME will not make your organisation compliant overnight. If someone tells you it will, please don’t believe them.

A best-of-breed CRM system will HELP (and please note the difference between “help” and “make”) your organisation become compliant because:

Looking at the Principles of GDPR, personal data shall be:

GDPR compliant system – summary:

For the large majority of organisations, GDPR is not something you throw money at. Having a healthy budget to update/upgrade your systems and hire a few experts certainly won’t hurt… but in most cases, it is the commitment and involvement of the entire business – especially the management team (all of them, not just the IT Manager!) – that will get you through the 25th of May.

Article 15
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information (…)

Is the Subject Access Request something new?

As with many of GDPR’s basic rights and principles, the Subject Access Request is not entirely new. As it stands today, we all have the right to contact an organisation and ask them what data they have on us, how they got it, and what they use it for. We can also ask them, if applicable, to update or delete such data.

So, what’s all the commotion about?

There are a few differences in the way GDPR will rule this process:

At this stage, nobody really knows how often organisations will receive these requests, and we can only assume that it will be very different from company to company. The type of market you’re in (B2B or B2C), your industry, the type of data you process, and how “well behaved” you are in your marketing initiatives will presumably impact the number of requests you receive.

But regardless of how often it will be used, the process must exist for the organisation to be compliant.


Getting ready for the Subject Access Request

If you’re based in the UK or dealing with UK based citizens, the Information Commissioner’s Office is always the best starting point for all things GDPR. Here you can find information on what rights data subjects have, and what you need to do to respect those rights.

When designing the process to support Subject Access Requests, there are a few important things to consider:

The bottom line is, in order to provide a person (data subject) with the information they require, first you need to find it. Mapping your existing data is, of course, the first and main step in this direction, but please don’t forget that if you have duplicate records – and it is very likely that you do – the data you are providing, updating, or deleting may not be all the data you have on that person. If that is the case, you are not complying with GDPR.

If you’re up to some serious reading, here is the actual legislation!

Disclaimer: the content of this blog does not constitute and cannot be seen as legal advice, and should not form the basis upon which any person or organisation takes a decision or reaches a conclusion in regards to their rights or obligations.


We are starting to receive questions from customers asking if their Dynamics 365 / CRM system is GDPR compliant. Right now (July 2017), the likely answer in most cases will be no.

Why is my CRM system not compliant?

As it stands at the time of writing, your company has probably not completed its definition of GDPR policies. Therefore, how can your CRM be deemed compliant?

The initial focus should be not on the technology; it should start with your GDPR policies.

Your policies will dictate what the systems need to do to support your compliance position. For example, simply having a CRM system that collects personal data doesn’t make it compliant. If your policies state that you only need name, address and email information to carry out the required management/service for your customers, then your CRM needs to be configured so that this is all it is able to store.

Your CRM should not allow users to enter personal details such as age, marital status etc. beyond that; otherwise your CRM system is clearly not compliant, because it is not following the policies which have been defined around the agreed business need. There is then the associated data, such as emails and transactional history like Orders, Cases, enquiries etc., to consider.

How long can CRM hold a person’s data?

The GDPR legislation has rules around these policies which mean that, depending on your specific business needs, there may be limitations on the extent of this data, the length of time it is reasonable to hold it, and so on. The legislation indicates that, beyond say a product warranty period, there would be no reasonable need for a company to retain that person’s data. Your policy would need to state a case as to why a longer retention period is appropriate.

However, even the single subject area of emails brings complexity. Does this include all emails a person has simply been copied on? If emails are stored in CRM, then there is the double issue of managing this whole area in both your email service and CRM.

But what do I do with the data in the backups?

There is also the consideration of backups and archiving, and this will apply to CRM as much as to any other application. So, when for example you are using an online hosted instance of a CRM, you need to understand the archiving and backup processes of that online system: if your policies state that you will delete records of a certain nature that are more than N years old, you need to know that the deletion can be carried out, and that it will also be carried out in the backups and archives taken of your online instance.

The right to be forgotten

Similarly, when an individual requests an update of their information, a report of what information you hold on them, or the right to be forgotten, your policies need to define the requirements that your system needs to be able to support.

Clearly good data quality, a subject very close to our hearts, is going to be an even greater requirement under GDPR than it has been to date simply to make CRM work efficiently. When such requests are made, high-quality data will make it easier to ensure you identify the right person and that the person has only one record in your system. Therefore, any actions required can be carried out in confidence. If a person simply requests not to be contacted, i.e. unsubscribes, then because there is only one record they will not receive further communications from a duplicate entry in the CRM that was missed.

GDPR and CRM compliance – where do I go from here?

This has not been intended to give you specific details on how to make your Dynamics 365 or other CRM system GDPR compliant; it should now be pretty clear that this is an impossible ask. Start with your policies, then look at the systems, not just CRM, and start considering each system against the policies.

Microsoft is posting a lot of advice and guidance, some with specific reference to their technologies and how they can help towards compliance, but there is no silver bullet.


Disclaimer: the content of this blog does not constitute and cannot be seen as legal advice, and should not form the basis upon which any person or organisation takes a decision or reaches a conclusion in regards to their rights and/or obligations.

The General Data Protection Regulation comes into force exactly one year from today. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. We’ve all heard about it, we all know there’s a lot of work to be done, and if you are, let’s say, a bit behind on that project, now is the time to “get cracking”.


So, roll up your sleeves, take a deep breath and start by understanding exactly how this is going to affect your business. If you are just starting with the information search, we strongly recommend that you visit the Information Commissioner’s Office website, before anything else. The ICO is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.


Before you go on to any other information sources, do read their publications, guides and extensive resources. They are free, easy to understand, and most of all, they are official! Here are a few examples that we found especially useful for anyone starting their GDPR project:
Just in case you want to read the entire 99 articles, here is REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, as published in the Official Journal of the European Union!

Other sources of information

Naturally, there are many businesses and individuals writing about GDPR and providing their views, opinions, guidance, and of course, their services. It goes without saying that we must be careful with what we read online, and GDPR is no exception. We share below some resources that we believe to be trustworthy and useful:
Here you will find a number of resources on this topic, including very useful white papers and examples of how the Microsoft products, that so many of us already have, can help achieve compliance.
We can’t stress enough that despite these authors’ extensive knowledge and experience, GDPR is ultimately your responsibility. So, get the facts straight, from the official sources, before going for someone’s opinion. Yes, including ours!