GDPR – How will it affect your sales process? Part 2 in the series.
This continues from the last post in our series, which looked at the effect of GDPR on handling business cards. How does the duty to “obtain consent” affect the contacts that have built up in our CRM systems? Most sales software holds potential leads with whom we have not had consistent communication, and that may mean non-compliance with the new act. This has operational and technical implications that need to be addressed by management, IT and sales teams before the regulation comes into force mid next year.
As it stands, my library, which I have built up over several years, is in for a cull and, moving forward, I will keep a record of consent. Now for Outlook, and those on Excel, it may seem relatively easy: just delete the record or row. If you do that you will get rid of the evidence, but then you have no audit trail proving that the information ever existed and was removed for compliance reasons. It starts to get tricky (the recommendation is to leave the name, delete pertinent records and timestamp when completed).
With the records on my CRM system it gets even more interesting. If I have a record and there has been no activity then there is no problem: delete it, and the audit trail at the backend has proof of its being done. Yet as it is a multi-relational database, designed as an automatic library system, as soon as there is a reminder, a copy of an email or an associated document, the system won’t be able to “remove” that contact card until everything else has been deleted first. We may be talking about 10, 50 or 100 links per contact. The implications for larger systems such as Salesforce, SAP or Oracle could be immense, with users and administrators trying to unpick the tangled web of cross-linked and referenced bits of data. The good thing is that you can make a record “inactive”, which “hides” the card and restricts user rights for that card to just the administrator. Under the act the “right to be forgotten” is all about whether you are still “accessible”, and in some cases not being accessible by users may have to be deemed sufficient for the purposes of complying with the act.
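The CRM behaviour described above, sketched as an added example (not the author's CRM or code from any product): in a SQLite schema constructed for illustration, linked reminders and email copies block deletion of a contact card, and an erasure routine then removes the links, keeps the name, clears the contact details, marks the card inactive and timestamps the action. All table, column and function names are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
                      active INTEGER DEFAULT 1, erased_at TEXT);
CREATE TABLE reminder (id INTEGER PRIMARY KEY, note TEXT,
                       contact_id INTEGER NOT NULL REFERENCES contact(id));
CREATE TABLE email_copy (id INTEGER PRIMARY KEY, body TEXT,
                         contact_id INTEGER NOT NULL REFERENCES contact(id));
CREATE TABLE erasure_audit (contact_id INTEGER, links_removed INTEGER, completed_at TEXT);
INSERT INTO contact (id, name, email, phone)
    VALUES (1, 'A. Example', 'a@example.test', '555-0100');
INSERT INTO reminder (note, contact_id) VALUES ('call back', 1);
INSERT INTO email_copy (body, contact_id) VALUES ('quote attached', 1);
"""  # constructed schema and sample rows (assumption, not a real CRM layout)
LINKED_TABLES = ("reminder", "email_copy")  # fixed list, never user input

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces links only when enabled
    conn.executescript(SCHEMA)
    return conn

def hard_delete_blocked(conn, contact_id):
    """Return True if a plain DELETE is refused because linked records exist."""
    try:
        conn.execute("DELETE FROM contact WHERE id = ?", (contact_id,))
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.rollback()  # probe only: never leave the card deleted
    return False

def erase_contact(conn, contact_id):
    """Remove linked records, clear contact details, keep name and timestamp."""
    now = datetime.now(timezone.utc).isoformat()
    with conn:  # one transaction: all steps commit together or not at all
        removed = sum(
            conn.execute(f"DELETE FROM {t} WHERE contact_id = ?", (contact_id,)).rowcount
            for t in LINKED_TABLES)
        conn.execute("UPDATE contact SET email = NULL, phone = NULL, active = 0, "
                     "erased_at = ? WHERE id = ?", (now, contact_id))
        conn.execute("INSERT INTO erasure_audit VALUES (?, ?, ?)", (contact_id, removed, now))
    return removed

if __name__ == "__main__":
    db = build_demo_db()
    print("blocked:", hard_delete_blocked(db, 1), "removed:", erase_contact(db, 1))
    print(db.execute("SELECT name, email, active, erased_at FROM contact").fetchall())
```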
What about my existing contacts?
Then there is the issue of the contacts you already have in your system, for most of whom you probably don’t have the consent to hold the data, let alone contact them. Even if you try to contact your existing list to get consent, this would be against the spirit of the act. Don’t even mention the lists imported from trade shows or purchased from data companies. At some stage, you are going to have to do a purge of what is there, and for some it may just be easier to start again.
On top of all that, you will need to show best practice and review your data for possible archive. That means your CRM system must have the means of highlighting records that have not been active for an agreed period, and you must have a procedure for deleting them off the system. Retaining data for the sake of it, or because you might need it one day, will no longer be acceptable.
But what about backups?
If an individual calls upon their “right to be forgotten” then their record should be expunged not only from the live system but from all the backup systems as well. You could have as many as 10 backup instances in case one is corrupted. They may also be on different sites to protect against fire or theft. If you use cloud storage you may never know how many backup instances you have, nor on which continent they may reside. Obviously there will have to be some level of realism that comes into this, or otherwise organisations will spend all their time scurrying around for bits of data rather than getting on with the business at hand. Simple procedures, such as the use of encryption, can make the data “inaccessible”.
Even so, these are some of the issues that will have to be delved into and thought about before achieving an adequate policy that safeguards people’s data whilst allowing businesses to operate. Each organisation and system will have its own nuances to contemplate as it meets this challenge.
If you need our assistance in getting your organisation GDPR compliant, please see our introductory offer. To measure your progress on GDPR, take part in our health check; there is also a breakdown of the legislation in our FAQ section. We offer a complimentary 10 minute phone call with our legal team on a GDPR question you may have (one per domain/company). Simply fill in the details on the form below and we will contact you at a time of your convenience.
Next in the series: Keeping leads with the right to be forgotten.
About the Author:
Malcolm Ford has had 25 years’ business experience over 2 continents and has worked in a variety of sectors. Currently he installs, implements and trains staff on best practice for using CRM systems.