Tough data protection laws and their regulatory frameworks are fast coming online and businesses must gear up for new rules and regulations. The trend started across the Atlantic with the European Union’s vigorous privacy law which went into effect in 2018 and covers every business operating on the continent.
And now every news story that publicizes a data breach adds to the push to safeguard the data from outlaws in basement computer rooms and overseas spy mills. The cost of compliance is treated differently from business to business, but the costs of noncompliance can be stiff.
Many firms are investing in expansions of their customer relationship management systems in an effort to stay abreast of the law. A specific cost for firms operating in Europe was created by the request-to-be-forgotten provision in the European law, formally known as the General Data Protection Regulation, or GDPR.
Telling systems: ‘forget’ data
CRM platforms of multinationals doing business in Europe will be asked to process requests by individuals or businesses anxious to be struck from their databases, placing stress on systems that weren’t designed to meet those requirements.
Established CRM systems have been built around specific requirements such as processing orders or tracking shipments. These are the traditional, functional building blocks that have supported CRM development.
Data removal requests go against the grain for many software platforms that were designed to travel in the other direction, to add data.
What are the penalties for non-compliance?
Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
The principles
The principles set out in the GDPR text are simple, logical and timeless:
The processing of the data needs a legal basis
This purpose of the processing needs to be specified explicitly
The data processing needs to stay limited to this purpose
Data can only be collected and kept as much and long as needed
There needs to be openness on how the data is processed
People have the right to have their personal data transferred, modified or deleted
The quality of the data needs to be maintained
The data needs to be kept securely
Companies can be held accountable to follow these principles
What is the bottom line of your CRM system?
A CRM can help keep track of your GDPR obligations and be readily configured to ensure that your GDPR compliance is up to the mark. As a matter of fact, CRM must inherently include the following functionalities that help you stay on top of your GDPR game!
1. Implementing GDPR policies
2. Consent Management
3. Data Security
4. User Access Rights
5. Right to Erasure