

   Words by Paul McQuillan

   on 26/02/2018 09:00:00

Data is more important than ever - and so how we store and use data is under increasing scrutiny.

In a way, the last 15 years have seen a kind of 'data wild west' where companies could collect, use and store data in any way they like without worrying unduly about the consequences.

But with increasing interconnectedness and analytic power in big data, the value of data has risen dramatically, and now companies must show that it is being stored securely and that ownership of this data resides with the consumer - and not solely with the company that happens to be holding it.

This is part of the process that has led to GDPR and to regulatory steps to ensure that customer data is stored both securely and in a well-governed structure, so that a company can respond to a customer's request to view, amend or completely delete the data held about them.

GDPR is likely the first step here in ensuring that the value of our data is respected and that it is not left vulnerable to misuse.

In a way this is not new for the CRM world, as it mandates that we hold our data in a more customer-centric fashion and place the customer at the heart of how we store their data – but to be compliant we must understand GDPR and the requests it places on us.

To help here, we have documented some of the key tenets of GDPR below – as this involves compliance, this is an area where doing your own research and working with good, trusted suppliers is crucial; however, the following is aimed at being a good summary:

Storing Data

We should have a documented map of our data, what we hold, and where this is stored.

Where data is communicated to 3rd Party companies or structures, this should be documented, as it is our responsibility to correct inaccuracies or communicate changes.

Our Data Protection Officers should know the different points of storage and key suppliers, so as to be fully aware of our storage and any possible implications of our approach.

In this we should be aware of our Data Real Estate as the totality of the data we store on individuals – this includes both the structured data we hold in CRM, ERP or other Line of Business Systems and the unstructured data we hold in Documents, Spreadsheets and Email Attachments.

Both structured and unstructured data constitute the data we hold on individuals, and so both should be compliant with GDPR – this makes the use of loosely structured or ad-hoc file shares difficult, as these may store individual data without reference back to the individual for a Data Access Request.

Data Access Requests

Individuals may request a copy of the data we hold on them.

Similarly, individuals may also invoke their ‘right to be forgotten’ as a way of requesting that an organisation delete or remove the data it holds about them.

To handle these Data Access Requests, we should have an Access Request Process in place between our Data Protection Office(s) and our Suppliers to accommodate such requests – and these should be completed within 30 days.

Privacy Notices explain the Legal Basis for storing and processing the data subject's data, including our retention period for this data.

This gives the data subject the following rights:

  • subject access
  • correction of inaccuracies
  • erasure of information
  • prevention of direct marketing
  • prevention of automated decision-making and profiling
  • data portability

Many of these points are similar to the earlier Data Protection Act that GDPR effectively replaces – however, the right to data portability is new. This is an enhanced form of subject access where we have to provide the data electronically and in a commonly used format.

Many organisations will already provide the data in this way, but if you currently use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make the necessary changes.

Have a documented process for Data Breaches and ideally a Security Incident Register between yourself and your suppliers.

Have the relevant contracts in place with IT and Data Suppliers, preferably for a 3 year period for continuity and robustness of our approach.

Have a Data Protection Officer armed with the right tools and knowledge to take responsibility for how your data is protected and stored.

Remember that your security is only as good as your weakest link – and so, again, having a good awareness of your Data Real Estate is key to ensuring we have sufficient security and knowledge of potential breach points.

Limiting the number of systems and touch-points for data storage will then help us stay secure.

Penetration Testing and working with strong Hosting Partners or Cloud Service Providers will help manage the complexity of modern system security and good data storage.

What defines Personal Data?

Any information relating to an identified or identifiable natural person – this relates to a series of possible identifiers such as Name, any Online Identifier (such as IP Address) or Locational Data.

Personal data may be processed under one of the following lawful bases:

  • Consent – the data subject whom the personal data is about has consented to the processing
  • Contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Legal obligation – processing is necessary for compliance with a legal obligation
  • Vital interests – processing is necessary to protect the vital interests of the data subject or another person
  • Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business
  • Legitimate interests – processing is necessary for the purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

What defines Sensitive Personal Data?

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. That is:

(a) Racial or ethnic origin of the data subject;

(b) Political opinions;

(c) Religious beliefs or other beliefs of a similar nature;

(d) Membership of a trade union;

(e) Genetic or Biometric Data;

(f) Physical or mental health or conditions;

(g) Sexual life or orientation.

Previously, data on prior criminal convictions was considered sensitive personal data, whereas under GDPR this is tagged separately and treated with higher protection controls.

Sensitive personal data may be processed only where one of the following conditions applies:

  • Explicit consent – the data subject whom the sensitive personal data is about has given explicit consent to the processing (unless reliance on consent is prohibited by EU or Member State law)
  • Employment, Social Security or Social Protection Laws – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  • Vital Interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent
  • NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
  • Public – processing relates to personal data manifestly made public by the data subject
  • Legal Matters – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • Public Tasks – processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • Medical Purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional (provided that professional is subject to the obligation of professional secrecy under EU or Member State law) or by another person also subject to an obligation of secrecy under EU or Member State law
  • Public Health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
  • Archiving, Research or Statistical Purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

As a follow-up article to this information, we can also look at how Dynamics 365, SharePoint and supporting Apps can help meet these points for GDPR Compliance.

Further Reading

GDPR is a hot topic at present (to say the least!), and so there is a wealth of information available to us.

The most useful, if lengthy, read is the original legal document itself:
