RGPD: how to check that your CRM is compliant + 3 compatible software applications
Bringing a CRM into line with the RGPD (the EU General Data Protection Regulation, GDPR) concerns every company: since 25 May 2018, each organisation has been accountable to the CNIL, the French supervisory authority, for how it collects and processes the data of its customers and prospects. Your tools therefore need to be updated: they must guarantee your contacts' privacy, let you record and manage consent, and restrict access to personal data to the people who need it. The same rule applies to your commercial prospecting and marketing campaigns: your use of customer relationship management software must comply with European law.
Let's take a look at the features and solutions that will enable you to meet your obligations:
Understanding the RGPD and its obligations
The RGPD (GDPR in English) makes every company, brand and cloud provider accountable, whatever its activity. Here is some information to help you understand how the regulation applies to the IT sector and the digital world.
Protecting customers' personal data
The European regulation strengthens the rights of everyone located in the EU. Companies are accountable for the data they collect and process.
The aim of compliance is to enable every prospect, customer or subscriber:
- to give their consent before any information concerning them is collected,
- to know why their data is being collected (the purpose of the processing),
- to access their information in order to correct or delete it,
- to recover their data in order to transfer it to a third-party service (portability),
- to be informed in the event of a data breach,
- to request that certain web pages be de-indexed, under their right to be forgotten (right to erasure).
Every company, whether based in Europe or elsewhere, is subject to these rules as soon as it takes part in the processing of such data at any point in the chain, including storage.
The video below explains the GDPR in simple terms:
Bringing your company into compliance
Companies can follow the six steps recommended by the CNIL to comply with the European regulation:
- Step 1: appoint a Data Protection Officer (DPO), who may be an external consultant. The regulation makes the appointment mandatory only for certain organisations (public bodies and those whose core activity involves large-scale monitoring or sensitive data), but the CNIL recommends naming a compliance lead in every case;
- Step 2: to measure the impact of the RGPD, list every data processing operation in a register, indicating for each one the person responsible, its purpose, the categories of data, how long the data is kept and the path the data takes (flows and transfers), so that the information can be traced;
- Step 3: in the light of the register, decide on the first actions to take to respect individuals' privacy: collect only the data necessary for the stated purpose, use it only for that purpose and protect it with an appropriate level of security;
- Step 4: carry out a data protection impact assessment (DPIA) on each processing operation likely to present a high risk to individuals, to identify security and compliance risks and pinpoint the weak points that need to be replaced or improved;
- Step 5: knowing its strengths and weaknesses, the company then launches three organisational measures: adopt a Privacy by Design approach, run an internal awareness and training plan, and assemble the technical resources needed to guarantee data confidentiality;
- Step 6: the company responsible for the processing must be able to prove its compliance on request: register, impact assessments, records of consent, documented procedures, data traceability, and so on.
Checking CRM software compliance in 3 steps
What is RGPD-compliant CRM software? Is my tool compliant? To take stock of the situation, it is advisable to call on your DPO: he or she is well versed in the technologies and rules of the RGPD, and will do everything possible to identify strengths and weaknesses, and advise you on the processes to be set in motion.
Step 1: Identify the functionalities of your CRM
Every company uses CRM software according to its development and customer relationship management strategy.
Before determining whether your tool is compliant, you first need to list all the functionalities to identify and map the data collection and processing processes.
Here are the typical capabilities of a CRM that involve personal data:
- collecting information through a form (the CRM is connected to your website),
- logging visitors' IP addresses to analyse their behaviour,
- using cookies on the company's website or blog,
- sending marketing campaigns by email or SMS,
- prospecting by telephone, automated emailing, etc.,
- integrated social network management,
- contact management, whether multi-channel or not,
- connection to a prospecting database,
- etc.
Tip: also check the connectors and API to see which applications your CRM exchanges data with. Each connector is a data flow, often to a processor, that belongs in your register, and you may spot non-compliant applications along the way.
Step 2: Determine the rules to be applied
The GDPR and commercial canvassing are reconcilable: all you have to do is comply with the rules.
Your DPO will check the compliance of the processes linked to each function carefully and methodically:
- Is prior consent obtained before any B2C prospecting?
- Is consent properly obtained for cookies?
- Is the purpose of the processing clearly stated when information is collected?
- Can contacts access their data to exercise their rights?
- Do emailings contain unsubscribe and data access links?
- Where does the prospecting file come from, and on what basis were the contacts collected?
- Is processing or storage delegated to a processor outside the European Union, and if so under what safeguards?
- Is data traceability ensured (who collected, accessed or modified what, and when)?
- Have procedures been established for data breaches or leaks?
- etc.
In the event of a data breach, the company responsible for the processing must notify the CNIL within 72 hours of becoming aware of it and, when the breach is likely to result in a high risk to the people concerned, inform them as soon as possible.
Step 3: Correct and secure non-compliant processes
Step 2 gives you a picture of where you stand: the checks that pass and those that do not.
A well-informed DPO will typically recommend the following corrective actions now that the RGPD is in force:
- requalification of contacts for whom no consent is recorded: send a personalised email asking for the recipient's authorisation, requiring an explicit action (such as clicking a confirmation link) to consent to further communication; a contact who does not respond has not consented and must be removed from your marketing lists;
- updating data collection forms (see image below);
- checking where data is stored and, if necessary, signing data processing agreements with processors that comply with the European regulation;
- implementing an anonymisation process for data whose retention period has expired, and pseudonymisation for the data you keep, to protect confidentiality while preserving traceability.
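As an added example (not code from the article or from any of the CRM vendors mentioned), the following Python sketch shows how the two technical actions above can be implemented over a CRM contact table: a re-permission link that records consent only when the recipient acts on it, and anonymisation of contacts without recorded consent once the retention period has lapsed. The Contact fields, the 3-year retention period, the 30-day link validity and the sample contacts are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(days=3 * 365)      # assumed: 3 years after last contact
LINK_VALIDITY = timedelta(days=30)       # assumed: lifetime of a re-consent link
SERVER_SECRET = secrets.token_bytes(32)  # would come from a secrets manager in practice


@dataclass
class Contact:
    """Assumed CRM contact record; field names are illustrative."""
    contact_id: int
    email: str
    name: str
    phone: str
    last_contact: datetime
    purpose: str                          # purpose stated at collection time
    consent_at: Optional[datetime] = None
    consent_proof: Optional[str] = None   # how and where consent was given
    anonymised: bool = False


def _mac(contact_id: int, issued_ts: int) -> str:
    """HMAC binding a token to one contact and one issue time."""
    return hmac.new(SERVER_SECRET, f"{contact_id}:{issued_ts}".encode(),
                    hashlib.sha256).hexdigest()


def reconsent_token(contact: Contact, issued: datetime) -> str:
    """Tamper-evident token for the re-permission e-mail link. Consent is recorded
    only if the recipient clicks it; ignoring the mail changes nothing, so
    silence is never treated as consent."""
    ts = int(issued.timestamp())
    return f"{contact.contact_id}.{ts}.{_mac(contact.contact_id, ts)}"


def record_consent(contact: Contact, token: str, now: datetime, proof: str) -> bool:
    """Validate a clicked token; on success store the consent with its timestamp
    and source so it can be produced on request (step 6 of the CNIL plan)."""
    try:
        cid, ts, mac = token.split(".")
        cid, ts = int(cid), int(ts)
    except ValueError:
        return False
    if cid != contact.contact_id or contact.anonymised:
        return False
    if not hmac.compare_digest(mac, _mac(cid, ts)):
        return False                      # forged or altered link
    if now - datetime.fromtimestamp(ts, tz=timezone.utc) > LINK_VALIDITY:
        return False                      # stale link: send a fresh request instead
    contact.consent_at = now
    contact.consent_proof = proof
    return True


def pseudonym(value: str) -> str:
    """Keyed one-way replacement: same input gives the same output, so counts and
    traceability survive but the value itself is gone. This is pseudonymisation;
    destroying SERVER_SECRET (or dropping the column) makes it irreversible."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_expired(contacts: list, now: datetime) -> list:
    """Strip identifying fields from contacts with no recorded consent whose
    retention period has lapsed. Returns the ids processed, for the register."""
    done = []
    for c in contacts:
        if c.anonymised or c.consent_at is not None:
            continue
        if now - c.last_contact >= RETENTION:
            c.email, c.name, c.phone = pseudonym(c.email), "[anonymised]", ""
            c.anonymised = True
            done.append(c.contact_id)
    return done


def run_demo() -> dict:
    """Constructed data: one contact who clicks the link, one who ignores it and
    is past retention, plus a forged click, a replayed click and a stale link."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    alice = Contact(1, "alice@example.org", "Alice", "+33600000001",
                    now - timedelta(days=10), "newsletter")
    bob = Contact(2, "bob@example.org", "Bob", "+33600000002",
                  now - timedelta(days=4 * 365), "newsletter")
    tok = reconsent_token(alice, now - timedelta(days=1))
    forged_tok = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    forged = record_consent(alice, forged_tok, now, "forged")
    ok = record_consent(alice, tok, now, "re-permission mail 2024-05-31, link click")
    replayed = record_consent(bob, tok, now, "alice's link used on bob")
    late = record_consent(bob, reconsent_token(bob, now - timedelta(days=45)), now, "late")
    processed = anonymise_expired([alice, bob], now)
    return {"alice_ok": ok, "forged": forged, "replayed": replayed, "late": late,
            "anonymised": processed, "alice_email": alice.email, "bob_email": bob.email}


if __name__ == "__main__":
    print(run_demo())
```

The consent record keeps the proof (when, and through which message) next to the contact, which is what the DPO needs to produce on request; the anonymisation pass is idempotent and returns the ids it touched so the action itself can be logged in the register.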
The image below shows an example of a correction to a data collection form that incorporates good practice:
If your CRM does not allow you to initiate all the processes required to comply with the RGPD, there is only one solution: change your software.
Comparison of 3 compliant CRM solutions
The diversity of CRM tools is such that companies use them as sales management software, prospecting software, contact management software and marketing and communication software. Here's an overview of solutions that are compatible with the European regulation.
Initiative CRM, equipped with the RGPD Portal tool
The RGPD Portal gives each of your contacts a space where they can:
- give or withdraw their consent,
- have access to their information in order to modify it,
- recover their personal data,
- assert their right to be forgotten.
Each action is directly reflected in your CRM database. The CRM software also offers a wide range of functions for sales management, real-time reporting, optimal customer relations monitoring and effective marketing campaigns.
Sellsy: the fully compatible CRM, ERP and invoicing tool
Salesforce Sales Cloud: the GDPR-compliant American CRM
- The new Trailhead module helps companies to assimilate the fundamental principles of the RGPD and implement concrete actions;
- the CNIL verified Salesforce's Binding Corporate Rules in 2016 and considers that the publisher offers a level of security and confidentiality that protects personal data transferred outside the European Union.
This commitment strengthens Salesforce's appeal, which is already evident in its features such as marketing campaign management, customisable dashboards, price and product management, workflow management and personalised processes.
appvizer also notes 2 RGPD-compliant alternatives:
- Blue note systems, which presents a high-end CRM with a strong ability to adapt to different business lines,
- Eudonet CRM, which is aimed at all types of business and is particularly well suited to the property sector.
Opportunities for your business
64% of the French think that companies are not honest in the way they use their data.
67% of the French hold companies responsible for the loss of their personal data, ahead of hackers.
Sources: The Boston Consulting Group, RSA / YouGov, March 2018
Compliance should not be seen solely in terms of constraint, but as a horizon of opportunities to be seized.
The figures show it: by complying with the RGPD rules, you demonstrate a transparent approach and inspire confidence, both with your customers and with your partners:
74% of French consumers remain loyal to companies that protect their data.
78% of consumers share information with companies that give them control over their contact preferences.
Sources: Sitel 2018 / Boston Consulting Group 208 / KPMG Study 2017 / Accenture Strategy 2017 / Consumer Privacy Trust & IPSOS, DMA Survey 2016 / Bizreport 2017
The performance of your marketing and prospecting actions increases with compliance: information is up to date, consents are verified, data is centralised. No more mistakes!
What's more, when you overhaul your CRM project, take the opportunity to streamline all your procedures and get all your data under control. Involve your IT department and your Data Protection Officer: you'll reduce your costs, since a single regulation now applies throughout Europe.