Your CRM and GDPR

Why and how Salesflare will soon be GDPR compliant

No doubt about it: Salesflare will be GDPR compliant before the deadline of Friday May 25 2018. 💪

Operating from the center of Europe, just a 60km drive from where GDPR has been conceived, discussed and agreed upon, we probably take this a tad more seriously than most.

You’re not 100% sure what GDPR means for you and your CRM?

It’s really not that complicated. I’ll get you up to speed in a whim.

Let’s go through this together. 👊

guy asking if they're together

Is GDPR worth the panic?

We’ve been overwhelmed with quite a GDPR panic lately. 😵

spongebob and patrick running because gdpr is coming

There’s tons of talk about the possible fines. Companies sending dedicated emails and web pages with vague statements about GDPR compliance. Consultants and lawyers appearing out of nowhere.

A fellow founder recently told me: “This is going to be like the Y2K bug. Lots of craze and then nothing really happens in the end.” 😏

Probably the panic is indeed a bit too much.

But the difference with the Y2K bug is that the current GDPR panic will have a noticeably positive effect in the end.

The positive effect of GDPR

Up till recently, enforcement of European data privacy and security regulation was quite vague and not really strict. Everybody handled it in a different way. Some better than others.

GDPR changes that. Despite the fact that the guidelines on practical implementation are not super concrete, the high level guidelines have been set. 🙌

It is good for companies to have this guidance. Plus it also means that customers and the general public know what to expect. Because every company now needs to follow the same framework.

What GDPR means for Salesflare’s CRM

We’ve always taken data privacy and security serious while building Salesflare’s CRM platform, as data is at the core of what we do.

If you like to read more about some of the measures we take on this level, check out this article in our knowledge base. 👈

Still, the GDPR exercise we’re currently going through forces us to map exactly how we handle data, for customers and for ourselves. The benefits:

  • It improves the processes we follow;
  • Makes us review agreements with customers and suppliers;
  • And generally makes our data handling more future proof.

In short, it further professionalizes the way data is handled. And asks us to produce a ton of documentation.

document everyt

GDPR in 2 minutes

The European General Data Protection Regulation (GDPR) changes the way personal data on European Citizens and Residents is handled.

If you’re keeping data on European Citizens/Residents you need to comply with the regulation, regardless of where you’re based or headquartered.

Personal data is basically any piece of data that could be used to identify someone, when used on its own or in combination with other data. That makes the concept of personal data very broad.

There’s 3 parties in the relationship:

  • The data subject: the person that is the subject of the personal data
  • The data controller: the company that decides to keep and control this data
  • The data processor: the company that processes the data on behalf of the controller

As Salesflare, we are a data processor for our customers. Plus we are a data controller as well when marketing to prospects, providing customer service, keeping data on employees for HR reasons, …

👉 If you’re a customer of Salesflare, we will soon provide you with the necessary legal documents to make sure that you as a data controller (controlling data about your customers, the data subjects) are employing a data processor (that’s Salesflare) who complies with the regulations.

The principles

The principles set out in the GDPR text are simple, logical and timeless:

  • The processing of the data needs a legal basis
  • This purpose of the processing needs to be specified explicitly
  • The data processing needs to stay limited to this purpose
  • Data can only be collected and kept as much and long as needed
  • There needs to be openness on how the data is processed
  • People have the right to have their personal data transferred, modified or deleted
  • The quality of the data needs to be maintained
  • The data needs to be kept securely
  • Companies can be held accountable to follow these principles

Pretty logical, ain’t it? 😏

GDPR meets CRM: what Salesflare is working on

As I explained above, Salesflare needs to be GDPR compliant both as a controller and as a processor of personal data. What’s relevant to you as a customer is our role as a processor (for you as a controller).

As a data processor, we’re working on:

  • An updated privacy policy & terms and a data processing agreement (UPDATE: you can now request a DPA for signing here) ✔
  • Keeping all your personal data in Europe (it’s already there, on Google Cloud servers in Belgium, so that part is easy) ✔
  • Organizing an additional and professional security assessment to guarantee your personal data is 100% safe ✔
  • An internal mapping of all processed data, in which we document compliance with the above principles, making changes where needed ✔
  • Getting contracts with our subprocessors to assure they are GDPR compliant too ✔
  • Appointing responsibles and building processes: this is to stay compliant, to guarantee people can have their data transfered, modified, deleted, … and to notify the official instances in case of data breaches (would be a first). ✔

It’s a whole bunch, but the work is totally worth it 👊

What you should work on to be GDPR compliant

Salesflare being GDPR as your CRM is one important step, as it holds your customer data, but it’s definitely not the only step to take.

Summarizing in very short:

  • Appoint responsibles, including a Data Protection Officer (DPO)
  • Educate everyone in the team, create awareness, policies and guidelines
  • Update your legal documents, including your privacy policy
  • Create Records of Processing Activities (RPA) and map your data
  • Make sure your vendors and third parties are GDPR compliant (like Salesflare and many others)
  • If you hold sensitive data, do a Data Protection Impact Assessment
  • Work on things like getting consent from data subjects & informing them
  • Create processes to handle requests of data subjects to access, modify, … to handle data breaches and to ensure continued compliance
  • Register with your local data protection authorities

Still sounds a tad abstract? 🙃

No worries. Checklists like GDPR Checklist or GDPR compliance apps like ECOMPLY are here to help you nail the details. Check them out! 👈

In short

Look past the panic, the smoke and mirrors, and the money crazed consultants. Focus on the real stuff and get grinding.

It’ll surely take some documents, meetings and emails to get compliant, but it will make our parallel data world a much better place.

If you need help, we’re in it together. Check out the discussions on this EU GDPR Facebook group, the resources just above, … and get going. 💪

Good luck!

morgan freeman saying, "good luck"

We hope you liked this post.

If you did, spread the word! 😍

For more hot stuff on startups, growth marketing and sales

👉 subscribe here

👉 follow @salesflare on Twitter or Facebook

Jeroen Corthout