Mastering GDPR with SpiceCRM

admin | SpiceCRM News

GDPR – General Data Protection Regulation

Effective May 25th, the European Union implemented new Europe-wide rules for the management and handling of individuals' data: the GDPR was put in place. Originally more or less targeting the larger internet giants like Google and Facebook, it has a significant impact on any operation in the EU that handles data, which is literally any company operating here, but also on companies dealing with the EU.

Most of us will likely remember 2018 as the year when we all got numerous emails asking us to confirm that we still wanted to get news from a specific company. Millions and millions of marketing records were trashed in an attempt to be compliant.


There are a couple of key principles the GDPR boils down to:

  • lawful, responsible and accountable handling of personal and, in particular, sensitive data
  • right of access to data stored about one
  • clear rules on B2C Marketing
  • right to be forgotten

While you can of course still accomplish this with a set of Excel sheets flying around, a structured and controlled CRM system is a solid base for managing GDPR compliance. SpiceCRM also has several features to accomplish this.

Lawful, responsible and accountable handling of data

One of the key principles of the GDPR is data protection and clear processes for how data is handled in a company. It requires a clear inventory to understand what data is kept where, and clear processes in case of a data breach or similar. SpiceCRM is a web-based system that can be hosted on site or consumed as a cloud service. In either case it is a centrally managed instance that holds clearly described customer data. It has fully transparent access rules and, if operated out of services like the GCP, is fully compliant with data privacy acts.

Managing customer data in a CRM system rather than in Rolodexes, Outlook files and Excel sheets is a mandatory first step to be able to complete a data inventory.

Right of Access

SpiceCRM offers a transparent view of a customer (Contact, Prospect, Lead) and all the data you as a company are storing about the customer.

Flexible reports also allow printed statements that can be shared with a customer and guarantee full transparency on the data stored about that customer. Of course there will be other systems (Accounting, Fulfillment) that you also need to cover, where the data is not originally stored in CRM. Yet the flexible API structure and web component framework also allow you to integrate the reports from other systems and consolidate one view of the customer data in your company in one central tool that supports your customer-facing organization.

Clear Rules on Marketing

On the level of a person in SpiceCRM you can clearly state the data agreement, including the source that entitles you to manage the data, and also the marketing agreement and the source the marketing agreement came from. Simple pills indicate in red or green whether you are entitled to keep the customer's data and whether you are entitled to use the customer data for marketing purposes.

The additional comments enable you to keep information on the data protection agreement the customer accepted when you gathered the customer's information and stored it in your CRM system.

For the marketing agreement you can further indicate whether there was no specific agreement by the person when the data was created, whether it was specifically agreed, or whether the person refused the marketing agreement.

If a customer still allows you to keep and maintain data (or you might be legally obliged to do so), this also enables you to revoke the right to use the personal data for any marketing-related purposes.

In the case of multichannel marketing the permission might also come from other sources, like a newsletter the customer signed up to, a webshop registration, or a portal registration for an online service you offer to prospects and customers. Specifically for these cases SpiceCRM also has the option to maintain “Online Profiles” for customers that link the customer record with a specific online offer of yours.

Data and marketing agreements can also be consented to over the phone, in a meeting, or with other objects. So there are many places where you can gather a customer's consent. SpiceCRM offers a quick and easy way to get information on when, where, and with whom in your organization a customer agreed. This might also include reproducing original documents like a report a customer filled in at an event, or terms a customer agreed to at a trade show to participate in a draw.

With one click in the system you are able to communicate to a customer what the status is and why you are using his contact information in marketing services.

Right to be Forgotten

You need to be able to fully remove and erase customer data if the customer explicitly requests it and you are not required to keep the customer information for another legal reason. With the built-in recovery manager you can on the one hand recover accidentally deleted records, but you can also permanently delete information from your database.

Again, this only covers the data stored in CRM, but with the open architecture these functions can easily be extended so you can manage all customer-related data within or outside of CRM, and your customer service team can manage it with one click.

CRM – an essential part of a GDPR compliant organization

GDPR can be demystified if the proper toolsets are in place in an organization. Yes – there is an overhead. But looking at your own data, it is also positive that companies are starting to think about the value of data and the fact that the data has to be kept safe and protected. Data is already the currency of this century. Regardless of whether we like it or know it, in many cases we already personally pay for services with our own personal data.

Do your homework, invest in a prepared CRM system, and there is literally nothing to be afraid of when it comes to the term GDPR and data compliance.