GDPR compliance requirements: Does an organization need explicit permission to store records of email addresses and phone numbers of customer contacts that are already in my CRM?

If you are using a SAP CRM system and its email marketing capabilities with prospects and customers from the European Union, then the GDPR legislation is very important for you and your organization. You will need explicit permission to store records and email addresses of prospects and customers to meet GDPR compliance requirements. Pseudonymization can reduce the risk in these data protection processes.

  1. Your SAP CRM system can be a vital tool for gaining and maintaining GDPR compliance. First, it is important to understand that your policies dictate what your SAP systems need to do to support your GDPR compliance position. For example, simply having a SAP CRM system that collects personal data does not cover your GDPR compliance requirements. If your policies state that you only need name, address, and email information to carry out the required management/service for your customers, then your CRM needs to be configured so that this is all it is able to store. It should not allow users to enter personal details such as age, marital status, etc. Then there is associated data to consider, such as emails and transaction history, in Account Management, Contacts, Leads, Opportunities, Activities, etc. All users of the SAP CRM system need to be informed and trained on the implications of GDPR for their use of the SAP CRM system.
  2. Your SAP CRM system holds records about individuals you sell to. You must be able to identify where, when and how each record got into your system. Typically the ‘Source Field’ of a Lead or Customer record answers that question.
  3. Marketing via email. If you use your CRM system to market via email, then you need to implement a double Opt-In process for gaining permission to send email to that individual. When you gain that email address for your list, the Opt-In process needs to state what you intend to do with it. With double Opt-In, not only has a user subscribed to a newsletter, mailing list, or other email marketing messages by explicit request, but they have also confirmed in the process that the email address is their own.
  4. Deleting prospect and customer data. How long can SAP CRM hold a person’s data? The GDPR legislation has rules around retention policies that mean, depending on your specific business needs, there may be limits on the length of time it is reasonable to hold this data. For example, the legislation indicates that there would be no reasonable need for a company to retain a person’s data beyond a product warranty period. Your business policy would need to state a case as to why a longer retention period is appropriate in order to meet GDPR compliance requirements.
  5. Data in backups and test systems. There is also the consideration of backups, test systems, demo systems, and archiving, which applies to SAP CRM as well as SAP HR systems. Ensure your CRM backup, test, and quality systems have their data anonymized. Natuvion’s TDA can assist with your GDPR compliance requirements.
  6. The right to be forgotten. Similarly, when individuals request an update of their information, exercise the right to be forgotten, or ask for a report of what information you hold on them, your policies need to define the requirements that your system must be able to support automatically. SAP Information Retrieval Solution can help!
  7. Review your users’ access rights – look at all your users and what access rights they have to your SAP CRM system. It allows different levels of user access to be defined – who can see what information, and who can change or delete it.