Why tech alone won’t solve your GDPR headache
As a provider of CRM software, we are fielding questions every week from customers asking if the solution we have implemented for them – whether on-premise or cloud – is compliant with the forthcoming General Data Protection Regulation (GDPR).
This highlights an important area of confusion surrounding the role that technology plays within your compliance programme. The first point to make, loud and clear, is that it’s your data that needs to be compliant! You can have all the information management tools in the world but if your data and associated processes aren’t geared up for the new data protection principles then technology will not be your saviour.
The regulation explicitly states that ‘appropriate technical and organisational measures’ must be put in place, which indicates that embedding the regulation’s values into your company is far from a one-dimensional challenge. People, processes and technology need to be brought into alignment to pave the way for compliance.
In fact, our company is a case in point that technology alone will not tick all the compliance boxes. Despite running our business – naturally – using our own CRM, we’ve had to pay close attention to the ‘organisational’ requirements, reviewing our data workflows, overhauling processes, rewriting policies and arranging the necessary staff training.
Remember that under GDPR both data controller and processor shoulder compliance responsibility, so you need to extend your scrutiny of data practices to all third parties processing data on your behalf. This also means that if you pass sales leads to a business partner – which is an integral part of life here at Maximizer – you need to make sure that they are GDPR-compliant. So we’ve been working with channel partners to share our compliance learnings, ensure that their preparations are on track and rewrite contracts so that compliance becomes a contractual obligation. Mitigating risk should be a vital part of your approach.
In truth, perhaps the primary task is to get your staff on board with the GDPR mindset, because if they haven’t ‘bought in’ and fully understood its importance at all levels within your organisation then you are exposing yourself to significant risk. Some larger companies find it useful to appoint ‘data champions’ across different departments in the business. Certainly it’s imperative that management is seen to be living and breathing the values of GDPR as much as everyone else.
Once you’ve got the people and process elements locked down, then the more appropriate question you should be asking your technology providers is how their solutions can support your compliance programme. Also, they are well-qualified to help you capitalise on the necessary preparatory work from a commercial perspective, using your newly supercharged data management to bring greater efficiency and insight to your sales and customer engagement processes.
CRM solutions are an ideal tool to satisfy the regulation’s ‘technical’ requirements. They provide an efficient way to draw together your disparate data siloes into one central repository and enable sophisticated auditing and indexing work, bringing oversight and control to your data and automating the workflows that manage GDPR-standard opt-in preferences and opt-outs.
Most of the functionality you need will come as standard (‘out of the box’) – plus if you use a solution with easily customisable tools then you can add your own GDPR-specific tabs or dashboards. For instance, we’ve set up a GDPR Compliance tab against each contact in our database to give a snapshot of their opt-in preferences and to enable easy segmentation by interest or topic.
A technical question you do need to ask your CRM provider (and indeed all of your Software-as-a-Service providers) is how they store your data. The compliance of data centres will come under specific scrutiny by the regulator so it’s crucial that you check your data is being held to strict GDPR standards, in particular if the data is transferred to centres outside the EU.
A common problem with CRM is that many features tend to be under-used. But in our experience, GDPR is prompting customers to derive further value from their existing solutions as they strive to make compliance deliver tangible commercial payback.
Indeed, if the regulation contributes to driving greater return-on-investment from CRM and other information management platforms, then this will be a highly beneficial outcome alongside the primary objectives of tighter data protection.
Mike Richardson - Managing Director, Maximizer EMEA
As Managing Director (EMEA), Mike is charged with leading and delivering the marketing, sales, service and operational strategy for the EMEA region, alongside the management of the Certified Solutions Provider network.
Mike joined Maximizer Software in 2000, by which time he...