RGPD: how to check your CRM's compliance + 3 compatible software packages
Bringing a CRM solution into compliance with the RGPD - the General Regulation on the Protection of Personal Data - concerns every company: since May 2018, every organization is accountable to the CNIL for how it collects and processes the information of its customers and prospects. Tools therefore need to be updated: they must guarantee your contacts full respect for their privacy, and enable you to manage consents and personalized access rights securely. The same rule applies to your sales prospecting and marketing campaigns: your use of customer relationship management software must comply with European law.
Let's take a look at the features and solutions that enable you to honor your obligations:
Understanding the RGPD and its obligations
The RGPD (or GDPR in English) makes all companies, brands and cloud players accountable, whatever their activity. Here's some information to better understand how this law applies to the IT field and the digital universe.
Protecting customers' personal data
The new European regulation strengthens the rights of every person residing in Europe. Companies are now responsible for the data they collect and process.
The aim of compliance is to enable every prospect, customer or subscriber to:
- give their consent before any information concerning them is collected,
- know why their data is being collected (the purpose of processing),
- access their data in order to modify or delete it,
- retrieve their data for transmission to a third-party service (portability),
- be informed in the event of a data breach,
- request the de-indexing of certain web pages to exercise the right to be forgotten.
Every company - whether operating in Europe or elsewhere - is subject to these regulations as soon as it is involved in the data processing chain, including storage.
The video below popularizes the RGPD or GDPR in English:
Bringing your company into compliance
A company must follow the 6 steps recommended by the CNIL to comply with the European regulation:
- Step 1: Appoint a Data Protection Officer (DPO), who may be an external consultant;
- Step 2: To estimate the impact of the RGPD, the organization must list its data processing operations in a register and name the person responsible for each one. The mandatory entries are the purpose of each processing operation, the period for which the data will be kept, and the path taken by the data (flows and transfers), so that the information remains traceable;
- Step 3: Based on the quality of the register, decide on the first actions to be taken to respect the privacy of individuals, to collect only the data required for the stated purpose, and to ensure a very high level of security;
- Step 4: A data protection impact analysis must also be carried out for each processing operation, to identify security and non-compliance risks, and to pinpoint any weak points that need to be replaced or improved;
- Step 5: Aware of its strengths and weaknesses, the company must then initiate 3 qualitative steps, i.e. adopt a Privacy by Design approach, activate an internal awareness and training plan, and assemble the technological means to guarantee data confidentiality;
- Step 6: the company responsible for data processing must be able to provide proof of its compliance on request, such as its register, impact analysis, consents, proof of compliance through documentation, data traceability, etc.
Checking CRM software compliance in 3 steps
What is RGPD-compliant CRM software? Is my tool compliant? To draw up an inventory, it's advisable to call on your DPO: well-versed in RGPD technologies and rules, he'll do his utmost to identify strengths, weaknesses, and advise you on the processes to be set in motion.
Step 1: identify your CRM functionalities
Every company uses CRM software according to its development and customer relationship management strategy.
Before you can determine whether your tool is compliant, you first need to take stock of all its functionalities in order to identify and map your data collection and processing processes.
Let's take a look at the possibilities of CRM management:
- collecting information via a form (the CRM is connected to your website),
- the Internet user's IP is tracked to observe his or her behavior,
- cookies operate on the company's website or blog,
- sending marketing campaigns by email or SMS,
- prospecting by telephone, automated emailing, etc.
- integrated social network management,
- contact management, multi-channel or not,
- connection to a prospecting database,
- etc.
Tip: also check connectors and APIs to see which applications your CRM is connected to. You may be able to identify non-compliant applications...
Step 2: determine the rules to be applied
RGPD and commercial prospecting are reconcilable: all you need to do is comply with the rules.
Your DPO will be vigilant and meticulous in checking the compliance of the processes linked to each functionality:
- Is the prior consent phase respected before a BtoC prospecting action?
- Does the principle of consent apply to cookies?
- Is the purpose of processing clearly indicated when information is collected?
- Does the contact have access to his/her data to exercise his/her rights?
- Do e-mailings contain unsubscribe and data access links?
- Where does the prospecting file come from?
- Is data processing or storage delegated to a subcontractor outside the European Union?
- Is data traceability secure?
- Are procedures in place to deal with data breaches or leaks?
- etc.
In the event of a data breach or leak, the company responsible for data processing must inform the data subject as soon as possible, and notify the CNIL within 72 hours.
Step 3: Correct and secure non-compliant processes
Following step 2, you will have scored mostly positive points for your compliance; the remaining gaps are what step 3 corrects.
A wise DPO often advises the following corrective actions following the entry into force of the RGPD law:
- the requalification of contacts for whom no consent is recorded; this involves sending a personalized email requesting the recipient's authorization and requiring an action by the recipient before any further communication is sent;
- updating data collection forms (see image below);
- verifying where data is stored and, if necessary, setting up new contracts with subcontractors who comply with European regulations;
- implementing an anonymization process to secure data and ensure its confidentiality and traceability.
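As an added example (not code from the article or from any of the CRM vendors it names), the following Python sketches the three corrective actions above: a consent check per processing purpose, a requalification token that records consent only when the recipient acts on it, and anonymization of records past their retention period. The contacts, the signing key, the 3-year retention period and the fixed "today" are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field, replace
from datetime import date, timedelta

@dataclass
class Contact:
    contact_id: str
    email: str
    name: str
    last_activity: date
    consents: dict = field(default_factory=dict)  # purpose -> date consent was given

# Assumptions (not from the article): a 3-year retention period taken from the
# register, a constructed signing key and a fixed "today" for reproducibility.
RETENTION = timedelta(days=3 * 365)
KEY = b"constructed-demo-key-rotate-in-production"
TODAY = date(2018, 6, 1)

def sample_contacts():
    """Constructed CRM export: one consented contact, one without consent, one stale record."""
    return [
        Contact("c-001", "alice@example.com", "Alice", date(2018, 5, 20), {"newsletter": date(2017, 3, 1)}),
        Contact("c-002", "bob@example.com", "Bob", date(2018, 4, 10)),
        Contact("c-003", "carol@example.com", "Carol", date(2014, 1, 15), {"newsletter": date(2013, 9, 9)}),
    ]

def can_prospect(contact, purpose):
    """A BtoC prospecting action requires a dated consent for that exact purpose."""
    return contact.consents.get(purpose) is not None

def requalification_token(contact_id, purpose, key):
    """Token embedded in the requalification email link. Consent is recorded only when
    the recipient sends it back, i.e. only after an action by the recipient."""
    return hmac.new(key, f"{contact_id}|{purpose}".encode(), hashlib.sha256).hexdigest()

def record_consent(contact, purpose, token, key, today):
    """Validate the returned token in constant time, then date the consent."""
    expected = requalification_token(contact.contact_id, purpose, key)
    if not hmac.compare_digest(expected, token):
        return False
    contact.consents[purpose] = today
    return True

def anonymize_expired(contacts, today):
    """Past the retention period, strip identity fields and consents but keep the
    non-identifying contact_id so the record stays traceable in the register."""
    return [
        replace(c, email="[anonymized]", name="[anonymized]", consents={})
        if today - c.last_activity > RETENTION else c
        for c in contacts
    ]
```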
In the image below, here's an example of a patch to be applied to integrate good data collection practices:
If your CRM doesn't allow you to initiate all RGPD compliance processes, there's only one solution: change software.
Comparison of 3 compliant CRM solutions
The diversity of CRM tools is such that companies use them as sales management software, prospecting software, contact management software and marketing and communication software. Here's an overview of solutions compatible with European regulations.
Initiative CRM equipped with the RGPD Portal tool
The RGPD Portal lets your contacts:
- give or withdraw their consent,
- access and modify their information,
- retrieve their personal data,
- assert their right to be forgotten.
Each action is directly reflected in your CRM database. The CRM software also offers a wide range of functions for sales management, real-time reporting, optimal customer relationship management and effective marketing campaigns.
Sellsy: the fully compatible CRM, ERP and invoicing tool
Salesforce Sales Cloud: the GDPR-compliant American CRM
- the new Trailhead module supports companies in assimilating the fundamental principles of the RGPD and implementing concrete actions;
- the CNIL verified Salesforce's Binding Corporate Rules in 2016 and considers that the publisher offers a level of security and confidentiality that protects personal data transferred outside the European Union.
With this commitment, Salesforce adds to an already strong appeal: marketing campaign management, customizable dashboards, pricing and product management, workflow management and process customization, etc.
appvizer also notes 2 RGPD-compliant alternatives:
- Blue note systems, which offers a high-end CRM with a strong ability to adapt to different businesses,
- Eudonet CRM, which is aimed at all types of business, and is particularly suited to real estate players.
Opportunities for your business
64% of French people think that companies are not honest in the way they use their data.
67% of French people hold companies responsible for the loss of their personal data, ahead of hackers.
Sources: The Boston Consulting Group, RSA / YOUGOV, March 2018
Compliance should not be viewed solely from the angle of constraint, but as a horizon of opportunities to be seized.
The figures show it: by complying with the RGPD rules, you demonstrate a transparent approach and inspire confidence, both with your customers and with your partners:
74% of French consumers remain loyal to companies that protect their data.
78% of consumers share information with companies that give them control over contact preferences.
Sources: Sitel 2018 / Boston Consulting Group 208 / KPMG study 2017 / Accenture Strategy 2017 / Consumer Privacy Trust & IPSOS, DMA Survey 2016 / Bizreport 2017
The performance of your marketing and prospecting actions increases with compliance: information is up to date, consents are verified, data is centralized. No more mistakes!
What's more, as you overhaul your CRM project, take the opportunity to streamline all procedures and get all your data under control. Involve your IT department and your DPO: you will inevitably reduce your costs, since a single law applies throughout Europe!