Customer relationship management (CRM) software provides clear advantages to any organisation that sells goods or services. It lets your organisation manage your customer interactions, makes those customers happier to buy from you and helps you make better decisions because your organisation has detailed information about those customers. However, your organisation will be processing a significant amount of personal data about customers when using CRM software – which raises privacy and data protection issues. Let’s chat about why privacy matters here, how CRM software works, what the privacy issues are and what you can do about them.
Why should you care about privacy issues when it comes to CRM software?
Not handling the privacy issues arising from using CRM software could have significant consequences for your organisation, but perhaps not in the way you might think. Regulatory fines and interventions are always the low-hanging fruit of non-compliance with data protection laws. The relevant regulator or supervisory authority could issue your organisation with a monetary penalty for failure to take account of the privacy issues or compel your organisation to take steps to address those issues. Regulatory involvement may be less likely to occur, depending on the size of the organisation and how active the relevant authority is in your jurisdiction.
More worrying are the consequences that could occur in any organisation, no matter your size or where you are doing business. Suppose you do not account for privacy issues upfront. Those privacy issues could rear their ugly heads later, such as when your organisation:
- Has a data breach, leak or other incident of unauthorised access to personal data
- Gets hit by a data subject access request from an angry customer looking for an immediate response
- Needs to convince a potential business partner that you take privacy issues seriously before they agree to work with you at a time when involving that partner is critical to the survival of your business
When these problems manifest themselves, they can disrupt your business in a significant way by pulling your focus away from doing the things that make you money. In other words, you should care about privacy issues regarding CRM software because they can impact your bottom line by ruining your reputation or derailing your operations rather than subjecting your organisation to fines or regulatory involvement.
How does CRM software work?
CRM software is usually a platform that helps organisations administer their interactions with existing or potential customers to build stronger relationships. The service provider may host it centrally and provide it to organisations over the Internet on a paid subscription basis via a browser or mobile application. It often includes features that help with sales, marketing, customer service, and analytics.
One of the significant benefits of using CRM software is that it helps an organisation have a unified view of its customers across multiple business units and marketing channels. The goal of using CRM software is generally to make customers happier and help an organisation keep them. It can also help an organisation grow more quickly by making decisions based on real-world customer information. Examples of prominent CRM software include Salesforce, HubSpot and Pipedrive.
Your organisation will invariably process the personal data of data subjects when using CRM software, such as by:
- Collecting identifying and contact information about potential customers
- Using that personal data to profile and get leads for marketing purposes
- Storing that information and information about the outcome of those marketing efforts on an ongoing basis
- Moving that information from the country where your organisation collected it to the country where the CRM software provider hosts its servers
- Analysing large amounts of potentially sensitive personal data in the form of buying habits and personal preferences
What are the legal issues?
Your organisation should be aware of several legal issues regarding CRM software. Many of these stem from the processing of personal data, which means that relevant data protection laws will apply. For example, your organisation will need to:
- Process personal data lawfully in terms of the GDPR in the EU, CCPA in California in the US, POPIA in South Africa or other data protection laws that apply in jurisdictions around the world
- Comply with cross-border data transfer requirements when using CRM software by having a data processing agreement with the necessary clauses or another appropriate mechanism in place to justify that transfer
- Make sure that the personal data in the CRM software is secure against unauthorised access by giving users the correct access privileges, enabling two-factor authentication and training staff on how to use it, and otherwise configuring the platform correctly
- Give customers access to the personal data the organisation processes about them by setting up the CRM software to allow customers to get their information when they ask for it
- Not store personal data in the CRM software for longer than necessary, which means your organisation will need to understand the purpose for which it collected the data and erase it when the information has fulfilled that purpose
Actions you can take
- Take steps to comply with relevant data protection laws by joining our data protection programme
- Ask us to help you draft a new or review an existing data processing agreement to justify your cross-border transfers when it comes to CRM software
- Engage with us to understand the information security legal issues inherent in using CRM software and how to address them