GDPR and CRM - 7 Requirements You Can't Skip
A CRM stores hundreds of thousands of personal records — name, email, phone, contact history, sales notes. A GDPR audit easily finds 5-10 issues in a typical implementation. Below are 7 requirements you can't skip.
TL;DR
Every CRM holding personal data needs: legal basis, access/erasure rights, EU hosting, audit log, vendor DPA, retention policy, breach notification.
1. Legal basis for processing
For each data category you must name a legal basis under GDPR Art. 6: consent, contract, legal obligation, vital interest, public interest, or legitimate interest. A typical mapping for a CRM: 'contract performance' (clients), 'legitimate interest' (leads), 'consent' (marketing). Legitimate interest is not a free pass: document the balancing test behind it, and remember the person can object (Art. 21); consent must be as easy to withdraw as it was to give (Art. 7).
2. Right of access, rectification, erasure
The data subject has the right to know what data you store (Art. 15), to correct errors (Art. 16) and to have the data erased (Art. 17), and you have one month to respond (Art. 12). The CRM must support this programmatically, without a ticket to the legal team. Typical: 'export customer data' and 'anonymise customer' buttons in the admin panel. Anonymisation only counts as erasure if it is irreversible and reaches every copy: change history, exports, integrations and backups, not just the contact row.
3. EU hosting and data transfers
Since Schrems II (2020), transfers of personal data to the US need a valid transfer mechanism: standard contractual clauses plus a transfer impact assessment, or, since July 2023, the EU-US Data Privacy Framework for US companies certified under it. The simplest way to avoid the question is EU hosting. Salesforce and HubSpot offer EU datacentres, but data can still flow to the US through subprocessors (support, analytics, email), so check the subprocessor list, not just the region. An open source CRM on your own EU infrastructure removes the transfer question for the CRM data itself; you still have to check every integration the CRM sends data to.
4. Audit log of data changes
GDPR Art. 30 requires a 'record of processing activities', which is a document (purposes, data categories, recipients, retention), not a change log. The change log comes from the accountability principle (Art. 5(2)) and the security obligations of Art. 32: in CRM practice, a log of every change to a personal record (who, what, when, why). Open Mercato has this built-in. In Salesforce it is a separate paid module ('Field Audit Trail'). In Excel there is none. An auditor who asks 'who changed this customer's consent flag and when' and gets no answer has a finding, and after a breach the same log is what tells you which records were touched.
5. Data Processing Agreement (DPA) with vendor
If you use a SaaS CRM (Salesforce, HubSpot), the vendor is a 'processor' of your data and Art. 28 requires a signed DPA; each major vendor has a template. If an agency hosts an open source CRM for you, the DPA is with the agency. If you self-host on your own hardware there is no CRM vendor to sign with, but the hosting provider, email relay, backup service and any other party that can touch the data is still a processor and still needs a DPA.
6. Data retention policy
Personal data can be kept only 'as long as needed' (Art. 5(1)(e)). The periods are set by national law and your own justification, so the figures below are typical examples, not GDPR rules: active customers, duration of the relationship plus 6 years (accounting); leads, 12 months from last contact; former employees, up to 50 years under some national HR rules. Write the period per category into the retention policy, and have the CRM anonymise records automatically when it expires, including their change history and any exports, rather than relying on someone remembering to run a cleanup.
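An added example (not code from the original article, from Open Mercato or from any CRM vendor) that ties together what sections 2, 4 and 6 ask for: a field-level change log recording who changed what, when and why; an Art. 15 export of a subject's record together with its history; and an Art. 17 anonymisation that also scrubs the values already sitting in the audit log, driven by a per-category retention rule. Table, column and function names, the retention periods and the sample contacts are all assumptions made for this example.

```python
"""Added example, not code from the original article or from any CRM product.
A minimal sqlite3 model of three mechanisms from sections 2, 4 and 6: a field-level
change log (who, what, when, why), a per-subject export, and irreversible
anonymisation driven by a retention rule. Table, column and function names are
assumptions made for this example; the sample contacts are constructed data."""
import sqlite3
from datetime import datetime, timedelta

PII_FIELDS = ("name", "email", "phone", "notes")            # values that identify a person
ALLOWED_FIELDS = PII_FIELDS + ("category", "last_contact")  # allowlist for UPDATE below
ERASED = "[erased]"
# Assumed retention periods in days per data category; must match the written policy.
RETENTION_DAYS = {"lead": 365, "client": None}  # None = keep while the relationship lasts


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE contacts (
            id INTEGER PRIMARY KEY, category TEXT NOT NULL,
            name TEXT, email TEXT, phone TEXT, notes TEXT,
            last_contact TEXT NOT NULL, anonymised_at TEXT);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY, contact_id INTEGER NOT NULL,
            field TEXT NOT NULL, old_value TEXT, new_value TEXT,
            actor TEXT NOT NULL, reason TEXT NOT NULL, at TEXT NOT NULL);
    """)
    return conn


def update_contact(conn, contact_id, changes, actor, reason, now):
    """Apply field changes and write one audit row per changed field (who/what/when/why)."""
    row = conn.execute("SELECT * FROM contacts WHERE id = ?", (contact_id,)).fetchone()
    if row is None:
        raise KeyError(contact_id)
    for field, new in changes.items():
        if field not in ALLOWED_FIELDS:  # column name is interpolated, so it must be allowlisted
            raise ValueError(f"unknown field {field}")
        conn.execute(f"UPDATE contacts SET {field} = ? WHERE id = ?", (new, contact_id))
        conn.execute(
            "INSERT INTO audit_log (contact_id, field, old_value, new_value, actor, reason, at)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (contact_id, field, row[field], new, actor, reason, now.isoformat()))
    conn.commit()


def export_subject(conn, contact_id):
    """Art. 15 export: the record plus its change history. The history itself holds
    personal data (old and new values), so it is part of what the subject can ask for."""
    row = conn.execute("SELECT * FROM contacts WHERE id = ?", (contact_id,)).fetchone()
    history = conn.execute(
        "SELECT field, old_value, new_value, actor, reason, at FROM audit_log"
        " WHERE contact_id = ? ORDER BY id", (contact_id,)).fetchall()
    return {"record": dict(row), "history": [dict(h) for h in history]}


def anonymise_contact(conn, contact_id, actor, reason, now):
    """Art. 17 erasure that keeps the row (invoices may reference its id) but overwrites
    every identifying value. The old/new values already in audit_log are scrubbed too;
    leaving them would silently defeat the erasure. Who/when/why of each change stays."""
    update_contact(conn, contact_id, {f: ERASED for f in PII_FIELDS}, actor, reason, now)
    placeholders = ", ".join("?" * len(PII_FIELDS))
    conn.execute(
        f"UPDATE audit_log SET old_value = ?, new_value = ?"
        f" WHERE contact_id = ? AND field IN ({placeholders})",
        (ERASED, ERASED, contact_id, *PII_FIELDS))
    conn.execute("UPDATE contacts SET anonymised_at = ? WHERE id = ?",
                 (now.isoformat(), contact_id))
    conn.commit()


def apply_retention(conn, now, actor="retention-job"):
    """Anonymise every live record whose category's retention period has run out
    since last_contact. Returns the ids it touched so the run itself can be logged."""
    rows = conn.execute(
        "SELECT id, category, last_contact FROM contacts WHERE anonymised_at IS NULL").fetchall()
    touched = []
    for r in rows:
        days = RETENTION_DAYS.get(r["category"])
        if days is None:
            continue
        if datetime.fromisoformat(r["last_contact"]) + timedelta(days=days) <= now:
            anonymise_contact(conn, r["id"], actor,
                              f"retention: {r['category']} > {days} days", now)
            touched.append(r["id"])
    return touched


def demo(now=datetime(2024, 6, 1)):
    """Constructed sample data: one stale lead and one active client."""
    conn = open_db()
    conn.execute("INSERT INTO contacts VALUES (1, 'lead', 'Anna Example', 'anna@example.com',"
                 " '+48 600 000 000', 'met at expo', '2023-01-15', NULL)")
    conn.execute("INSERT INTO contacts VALUES (2, 'client', 'Jan Example', 'jan@example.com',"
                 " NULL, 'renewal due Q3', '2024-05-20', NULL)")
    update_contact(conn, 2, {"phone": "+48 700 000 000"}, "sales.rep", "customer asked by phone", now)
    expired = apply_retention(conn, now)
    return conn, expired


if __name__ == "__main__":
    conn, expired = demo()
    print("anonymised by retention:", expired)
    print(export_subject(conn, 1))
```

Running the demo anonymises the lead (last contact more than 365 days ago) and leaves the client untouched; the lead's export then shows '[erased]' in both the record and the old/new values of its history, while the actor, reason and timestamp of every change survive for the auditor. In a real CRM the same scrub has to reach exports, search indexes and backups, which this in-memory model does not have.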
7. Breach notification procedure
GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to pose a risk to the people affected; where the risk is high, Art. 34 adds an obligation to inform those people directly. In practice you need a written procedure: if we detect a leak, who decides whether it is reportable, who notifies whom, and in what format, plus an internal log of every breach, reported or not, because Art. 33(5) requires one. Most companies don't have this, and it shows only after the incident, when the 72-hour clock is already running.
GDPR checklist for CRM
Short validation list: (1) Do I have a 'legal basis' document per data category? (2) Can the system export and delete one specific customer's data, including history? (3) EU hosting, with subprocessors checked? (4) Working audit log? (5) DPA signed with every processor? (6) Retention policy implemented and enforced automatically? (7) Breach notification procedure written and tested?
What if something's missing
GDPR fines reach EUR 20M or 4% of worldwide annual turnover, whichever is higher. Fines imposed by local authorities are typically far smaller, on the order of EUR 11-70k, but you don't need a scheduled audit to get one: a single customer complaint is enough to open an investigation. Better to invest 1-2 days in implementing the 7 requirements than to wait for the incident.
Want a GDPR audit of your CRM? We'll help.
Book a call