GDPR came into effect in the UK in May 2018 with much pre-emptive preparation and dire warnings of the consequences of failing to comply. Post-Brexit, GDPR continues in force in the UK as the “UK GDPR”. Whilst a number of high-profile businesses have been fined for not complying with the data protection rules, such as British Airways (£20m), Marriott International (£18.4m), and Google (at a staggering €50m or £43.2m), smaller businesses should not consider that they are immune to fines either.
Not only are fines a real possibility, but businesses also risk facing compensation claims. If individuals suffer financial damage or distress because of a business’s breach of the UK GDPR, they may be able to make a claim for compensation.
So what has happened over the last three years?
Over the last three years businesses have had to be aware of, and compliant with, the development and evolution of codes of practice by the ICO (Information Commissioner’s Office) and other regulatory entities. They have also had to face Brexit and what that means for data protection law, particularly where cross-border data flows are concerned.
Businesses have also had to consider data protection legislation and requisite changes in procedures as well as updated documentation to provide for the changes in their own activities and working environments as a result of the Covid-19 pandemic. As we have seen, the pandemic has caused a shift in employment and business practices with home working on the increase and many businesses shifting to online trading.
They have also had to be aware of new projects and practices as part of ongoing growth. All of these factors point to the importance of businesses regularly reviewing their use of personal data and their policies, procedures, and other documentation.
What this means if you use CRM
Having data stored on a central database is essential for a business to keep track of leads, prospects, customer information and supplier details. Enforcing clear policies and processes around that database therefore reduces the risk of the data being used incorrectly. Here are some pointers based around the seven principles of GDPR, which will help you stay UK GDPR compliant when using your CRM system.
1. Lawfulness, fairness and transparency.
Personal data must be processed in a lawful, fair and transparent manner. For example, resist the temptation to buy marketing lists from unreliable sources. Not only will they flood your CRM system with inaccurate data; you may be purchasing data that was obtained unfairly and unlawfully.
2. Purpose limitation.
Simply collecting personal data and storing it in your CRM system doesn’t make you compliant. If your policies state that you need people’s names, addresses, company, job titles and emails in order to carry out the required service to your customers, then your CRM needs to reflect this and be configured so that it’s able to store this information. Beyond that, your CRM should not allow users to enter other personal and sensitive details, such as marital status, genetic data, political opinion etc.
In other words, don’t collect or use personal data other than for specified, explicit and legitimate purposes, and do not further process the data in a manner that is incompatible with those purposes.
3. Data minimisation.
The data that you collect and process must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Again, it may be tempting to include all sorts of additional information into your CRM system about your prospects, customers, suppliers and even employees “just in case” you need it at a later point, but if it’s not relevant, then it’s not GDPR compliant. Furthermore, it will only get in the way of the real, important data that you need to carry out your job efficiently!
4. Accuracy.
Take the necessary steps to ensure personal data is accurate and, where necessary, kept up to date, and that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified. Regular housekeeping of your CRM system is therefore not only good for data integrity and managing processes; it’s also good for GDPR! Furthermore, linking your email campaigns through a CRM system such as MAXIMIZERCRM will ensure that any unsubscribes or hard/soft bounces are noted and updated automatically in the system.
5. Storage limitation.
Do not keep or process data for longer than is necessary for its intended purpose. Again, regular housekeeping will ensure your CRM system isn’t bursting at the seams with old, irrelevant data.
6. Integrity and confidentiality (security).
Personal data should be processed and stored in a secure manner. Although you are spoiled for choice when it comes to data storage capabilities these days, it’s vital that you do your homework and make sure that your data is stored securely. This applies not only to data from your CRM system, it also applies to data from all your systems – whether it’s on premise or in the cloud through hosting services. Plus – do you have a backup plan if things go wrong?
7. Accountability.
You should be accountable for how you keep and process personal data – and it starts from the top. What are your company policies, and are they stated clearly in a document that’s easily accessible to everyone in the company? Has your CRM partner, IT department and/or administrators set up the CRM system in a way that makes it easy for users to follow the procedures and GDPR protocols? Have your users received adequate training so that they comply with your best practice rules?
It’s important to your company’s efficiency as well as the law around GDPR that you regularly ensure your data is cleansed, relevant, correct and stored securely. In 2021 this is increasingly important with remote working and multiple users. Talk to us about how to set up your systems so that you maximise efficiency and productivity whilst remaining GDPR compliant.