There’s been a lot of discussion about the impact of Europe’s General Data Protection Regulation (GDPR) on Australian organisations that have European customers. And rightly so: the fines for non-compliance are significant, up to 20 million euros or four percent of global annual turnover (whichever is higher), depending on the severity.
The regulation comes into effect on 25 May, imposing strict requirements on the way organisations collect, create and use the personal data of European customers. Gartner predicts that less than half of all organisations will be fully compliant by then.
The GDPR encompasses where personal data is obtained or created, how it’s used, where it’s stored, who it’s passed on to and how those recipients use the data. As a result, it notably affects CRM environments, as it prescribes how personal data is to be processed.
Key elements that contribute to privacy risk are both the amount of personal data processed and the level of sensitivity, in combination with the duration of the personal data life cycle. CRM systems typically contain vast amounts of sensitive personal data, which are kept for a considerable amount of time. This makes them a more likely source of non-compliance with GDPR.
Gartner predicts that, before 2022, GDPR non-compliance caused by poor privacy management in CRM procedures will have led to regulatory sanctions of the maximum degree. CRM cloud vendors, business process outsourcing providers, cloud infrastructure and hosting providers, and organisations in Australia with European customers must seek legal advice to establish whether they’re directly regulated and liable under this new law.
Improve the customer experience
The volume of customer data in CRM systems has surged, thanks to the ever-increasing number of interaction endpoints. If you’re an application leader and haven’t already done so, you must prepare now for the access limitations the GDPR will impose. This means putting proactive measures in place to process and safeguard customer data across disparate systems.
Complying with the GDPR will often be a team effort, requiring input from different CRM users and teams in the organisation. While it does present new challenges to those concerned (which might include marketers, sales reps, customer service and IT staff), the GDPR isn’t an insurmountable obstacle for organisations looking to leverage customer data to improve the customer experience.
Broken client trust moves customers to the competition. When correctly thought out and conscientiously applied, the GDPR may finally drive organisations to implement a higher-quality data control and processing policy. Even though it’s a law that forces many organisations to rethink their customer privacy handling, in this way it supports the customer experience. Customers will find the transparency provided attractive, which leads to enhanced customer trust and retention.
In addition, ensuring your customers' consent is up-to-date will enable you to know that they're comfortable with what you are doing with their information (sending newsletters, suggesting similar offers, etc.) and how they want it to be processed.
Impact on your access to CRM customer data
There are three main ways that GDPR will affect your access to CRM customer data:
1. Ability to locate customer data
Organisations often have separate CRM tools for different product lines in different divisions, jurisdictions or channels, such as web, mobile and a call centre. As a result, most organisations have multiple CRM tools, often from multiple vendors: in fact, Gartner categorises CRM applications into 190 subcategories, all of which have market-specific component solutions.
The GDPR and other privacy regulations bring this issue of disparate customer records and CRM systems to the forefront. You need to have a handle on where all of that information resides. In the majority of cases, CRM customer data is collected and handled by the teams that deal with customer identification (marketing), customer information delivery (sales) and customer contact centres (customer service).
2. Privacy by Design
A mandatory concept in the new regulation is that of Privacy by Design. It prescribes proactive and preventative measures for processing personal data, including both automatic and implicit protection. Core to this is data minimisation, which includes the deletion of inactive or faulty customer data (for example, data without permission).
Organisations will be required to collect only the personal data they need, and to provide transparent information about how it will be used at the moment the data is obtained. In doing so, the GDPR creates collateral benefits such as reinforced brand value, customer trust and operational efficiencies.
3. Safeguarding customers' personal data
All users need to be informed and trained on the implications of the GDPR and the use of the CRM system to comply with privacy protection provisions.
As a further step, the design of workflows and the user interface should govern access to customer data by applying the "is it relevant for their job?" methodology. Users who don't need access to customer data shouldn’t have it. Reviewing existing user profiles in the context of the workflows they actually perform can identify unnecessary access to customer data.
A CRM system will hold records about individuals your organisation sells to. It’s important that you identify where, when and how the record got into your system. Monitored access rights automatically support the identification of the information source. If your organisation outsources processing activities to external service providers, check their compliance with privacy protection provisions in a regular and verifiable way.
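The "is it relevant for their job?" review described above, as an added example that is not part of the article: a small Python script that compares each CRM user's granted field access with the fields their assigned workflows need, and lists the access that should be revoked. The workflows, users and field names are constructed for illustration and do not come from any particular CRM product.

```python
# Added example: least-privilege review of CRM user profiles against the
# data each user's workflows actually require. Every name below is constructed.

# Which CRM data fields each workflow legitimately needs (constructed catalogue)
WORKFLOW_FIELDS = {
    "campaign_send":  {"email", "consent_marketing"},
    "lead_followup":  {"name", "email", "phone"},
    "support_ticket": {"name", "email", "ticket_history"},
    "refund":         {"name", "payment_card_last4", "order_history"},
}

# Constructed user profiles: assigned workflows and field access actually granted
USERS = {
    "marketer1": {"workflows": {"campaign_send"},
                  "granted": {"email", "consent_marketing", "phone", "order_history"}},
    "rep1":      {"workflows": {"lead_followup"},
                  "granted": {"name", "email", "phone"}},
    "agent1":    {"workflows": {"support_ticket"},
                  "granted": {"name", "email", "ticket_history", "payment_card_last4"}},
}


def required_fields(workflows, catalogue=WORKFLOW_FIELDS):
    """Union of the fields needed by a user's workflows.

    An unknown workflow is an error rather than silently granting nothing,
    so a typo in a profile cannot make a review pass by accident.
    """
    needed = set()
    for wf in workflows:
        if wf not in catalogue:
            raise KeyError(f"unknown workflow: {wf}")
        needed |= catalogue[wf]
    return needed


def review_access(users, catalogue=WORKFLOW_FIELDS):
    """Return {user: sorted list of fields granted beyond what their job needs}.

    Users whose access exactly matches (or is narrower than) their workflows
    are omitted; only excess access is reported for revocation.
    """
    findings = {}
    for user, profile in users.items():
        excess = profile["granted"] - required_fields(profile["workflows"], catalogue)
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    for user, fields in review_access(USERS).items():
        print(f"{user}: revoke {', '.join(fields)}")
```

Run against a real CRM, the two dictionaries would be exported from the workflow definitions and the user permission report; the review itself is unchanged.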
Olive Huang is a research vice president at Gartner. She advises clients on their CRM and customer experience strategies and technologies. Olive will be presenting at the Gartner Customer Experience & Technologies Summit in Sydney, 18-19 June 2018.