Seamless documentation of all processes
In order to provide evidence of legally compliant data processing, you must document every process with personal information and keep a record of processing activities. Your CRM system should offer suitable options for documenting and storing this information. In order to store further details, such as the date the data record was entered into the CRM system and its origin, new processes and modified instructions may be required. The documentation obligation may result in new workflows that require additional CRM functions. Flexible and agile CRM solutions that support data capture and process mapping and automatically log changes to data are advantageous.

Duty to inform and consent
You are obliged to inform your customers directly about the collection of personal data. As the GDPR relates to the rights of natural persons, all business transaction data in the B2B environment is affected, which makes it particularly difficult to collect data when acquiring new customers. Your CRM system should already provide information about the type, scope and purpose of data processing when generating leads. You must provide evidence of explicit consent for the storage and processing of data, for example through a double opt-in procedure. With an archiving process in the CRM system, you can manage the consents centrally and thus fulfill the obligation to provide proof. If release or prohibition notices can be stored for different contact channels such as email, telephone or circulars, only customers who have given their consent will be contacted.

Obligation to provide information, correction and deletion
Your customers may inquire whether and which personal data you process. You must then provide information about the data controller, processing purpose, place of collection and storage period. A function that allows you to compile all information about a customer and generate it as a PDF is very helpful. Furthermore, your customers can revoke their consent, request the correction or deletion of their data and request the transfer of data to another company. Your CRM system must therefore offer a rights and roles concept for accessing, changing and deleting data. An automatically generated change log is also useful here.

CRM software from the cloud
If your company uses CRM software from the cloud, you need to check the data protection level of your cloud service provider. It is safer to choose a European cloud provider with a data center in the EU.

The GDPR places high demands on your CRM system. Check which requirements it already meets and where it needs to be adapted. A data protection-compliant CRM system is by no means the same as a data protection-compliant company. The requirements are highly individual, so there are no standard solutions. A careful analysis of all business processes and systems is required in order to guarantee genuine data security. Use the GDPR as an opportunity: with agile, innovative CRM software, it is possible to centrally consolidate the GDPR requirements of other IT systems. This can become a real competitive advantage.

Author: Michael Märtin, Managing Director of atlantis media GmbH

www.atlantismedia.de