GDPR: Inevitable changes for businesses

GDPR: Inevitable changes for businesses

SMB life: the legislation we need to comply with

What is GDPR and what does the new legislation mean for businesses and entrepreneurs?

GDPR – General Data Protection Regulation is a new tool for protecting the personal data of individuals. It becomes enforceable from 25 May 2018 in all member states of the European Union.
The aim of the regulation is to distinctly enforce the data protection of European Union citizens.

GDPR CRM

However, it also brings a handful of duties and potential trouble to entrepreneurs and companies.

We discussed the matter with Marek Chlup, a specialist and someone who has helped us with implementing GDPR within our company and also within our product.

What does every company need to do in order to be GDPR compliant?

Meet all the GDPR requirements, of course! (laughing).
But let’s be serious.
As for the first phase, I would recommend that everyone does a process-data inventory. In other words, they should try to describe all the company’s processes that can somehow involve personal data.
Every company has at least three categories of data subjects – Employee – Distributor – Customer. The processes within these three categories need to get charted and we also need to identify, for example, what personal data we work with, how long we keep it, who can access it and what are the criteria to gather the data (the legal issues of processing). Personal data can be anything leading to the identification of a specific individual. For instance: name, address, biometric data, health records, etc.

In the second phase, I recommend a thorough review process:

  • The personal data protection policy – displayed for example on your website
  • The policy of data subjects‘ rights – where you define the processes for cases when the subject wishes to apply their rights, (right for information, right  for deletion, etc.)
  • The policies for announcing the breaking of personal data protection – a duty to inform the data subject and the relevant office, that data protection has been broken
  • In case you are processing personal data in a large quantities, you need to carry out a document called, Processing Records.
  • In case you are processing sensitive personal data (health records, genetic documentation etc.), you also need to designate a Data Protection Officer – DPO
  • Fill the new processor requirements into the contracts with processors, (for example the obligation that the processor will not add another processer without processing the mentioned above)
  • Train the key company employees and prepare templates for the data subjects
  • Revise the state of IT resources protection, (for instance the data approach management)

It may seem that you are overwhelmed with work, but most companies are already meeting some of the requirements mentioned. On the other hand, it is necessary to be diligent about this, because breaking the rules can result in severe penalties.

If you are not sure about something, I recommend seeking professional advice.

What impact does GDPR have on companies using a CRM system?

The impact of GDPR on CRM usage is significant.
According to GDPR, companies can only process personal data for a clearly defined purpose and there is a need of proportionality, meaning that only information necessary for the purpose of processing is to be maintained, for example a business relationship.
For example, a CRM solution can store information such as name, surname, business email address, phone number and the customer’s address, but information about family members or the customer’s birthday cannot be kept.

Therefore, every company using a CRM solution must revise all the information that is stored and specify whether it is proportional for the processing purpose. If unncessary information is found, it has to be deleted.

Last, but not least, entrepreneurs and companies should make sure, when choosing their CRM supplier, whether the product meets the GDPR requirements. For example, whether they have a certification of meeting the GDPR requirements or, if and how will they inform you about their status regarding being ready for GDPR.

What about companies outside the European Union, for instance in the United States, how can this influence them?

In case a company outside of the EU processes EU citizens‘ data, it has to meet the GDPR requirements.
It is always necessary to inform the subjects that their data is being kept outside of the EU and how is this situation treated.

Thank you for your help with the GDPR implementation, as well as for the interview.

An important remark on behalf of eWay-CRM:


GDPR becomes enforceable from 25 May 2018 for all the member states of the European Union.
We have a significant number of clients from all over the EU, (and also the USA), who can be affected by the new legislation. With this in mind…
…We are happy to announce that we will introduce a brand new specific eWay-CRM GDPR version 5.2 on April 12 2018.

So all our clients or future users have over a month to implement, both within the software and the company.

More detailed information will come in our next article, which is focused on a fully operational GDPR version of eWay-CRM, or in our GDPR eWay-Book.

We talked to Marek Chlup.

Marek Chlup is an auditor with a 20-years experience in the field of Informational Security and Data Protection.
He posesses the ISMS a ITIL certificates and has taken part in more than 100 internal or certification audits in a various businesses, (insurance companies, state authorities, companies offering public services and  manufacturing companies, etc.)