GDPR and its impact on CRM

If you’ve just heard about the GDPR, want to know more about it, or you’re looking for a GDPR compliant CRM software for your sales team, you’re on the right page. And here’s what you can expect:

fs 69 06 2x fs 69 06 2x


The information on this page is for informational purposes only and must not be considered as official legal advice. For specific information on the GDPR and its
implications on your business, we recommend having a conversation with your legal counsel.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a new legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU. The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based.

On May 25th, 2018 a new privacy law goes into effect across the European Union (EU). It is called GDPR or General Data Protection Regulation. Any company that does business in the EU is required to adhere to GDPR.

In simple terms, it requires businesses to be transparent with people about what data they capture and store about a person, the ways in which they use that data, and how they achieve those purposes. It also grants people about whom the data is collected the right to deny storing or processing their data, as well as to request for a copy of the data, or request that the data be purged.

GDPR applies to all individuals and organizations regardless of country of origin, who collect and/or process data from EU citizens.

screen shot 2019 03 06 at 6 26 38 pm screen shot 2019 03 06 at 6 26 38 pm

                                        Benefits of the GDPR


Strengthen individual’s rights to protection of their data


Keep pace with technology, and enhance protection against unwanted use of personal data


Harmonize data protection laws inside and outside the European Union

Main Principles of the GDPR

Any data that you collect or control must pass the following tests, else it must be deleted.

Processed lawfully, fairly and in a transparent manner in relation to individuals.

In simple terms, you need to be upfront with using an individual's data in a lawful manner and let individuals know how and why you intend to use their data.

Collected for specific, legitimate purposes and not further processed in a manner that is not in line with the specific purposes.

After showcasing transparency in how and why an individual’s data is used, you musn’t use the data for any other purposes.

Adequate, relevant and limited to the purpose for which the data is being collected.

You shouldn’t collect data that has no purpose. For instance, you needn’t collect information about height, age, religion, etc. if it has no connection to what your business deals with.

Accurate and up to date.

You must take every step to ensure that personal data that is inaccurate is rectified without delay.

Data is stored in a form which permits the identification of data subjects for no longer than it is necessary.

There are some exceptions to this, like where data is stored for the benefit of public interest.

Processed in a manner that ensures appropriate security of the personal data.
Data collected must always be protected against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate measures.


Grounds for processing data

Congratulations! If you’ve passed the first set of tests, you now need to establish grounds for being able to process an individual’s data. These must include one or more of the following: Consent, Performance of a contract, To comply with legal obligations, To protect the interests of the data subject or other people, To perform a task in the public interest, Legitimate Interest


Penalties for non-compliance

Now this is where things get serious. You can be fined up to 4% of your annual global turnover or € 20 Million for breaching the GDPR. This is the maximum penalty that can be imposed for serious violations such as, not having sufficient customer consent to process data. There is, however, a tiered approach to penalties. For instance, you may attract a 2% penalty for violations such as not conducting an impact assessment, or not notifying a supervising authority about a breach.

How can my CRM software help with GDPR compliance?

Your CRM software is a vital tool to achieving and maintaining GDPR compliance.

Consider a scenario where your business policies clearly state that you only need to collect name, address, and email information, to carry out the required service to your customers, then your CRM needs to be configured such that this is all it is able to collect and store. Your CRM should not allow users to enter any other personal details such as age, relationship status, etc.

All your sales reps using the CRM need to be informed and trained on the implications of the GDPR. Because your CRM holds records about individuals you sell to, it is vital that you can identify where, when, and how the records have entered into your system. In Freshsales CRM, the 'Source' field of a Contact is to answer that question.

Bulk emailing/cold emailing individuals:

If you use the bulk Email or Sales Sequences features in Freshsales CRM for email campaigns you need to implement an “Opt-In” process for gaining permission to email to the individual stating when you gained the email address, and what you intend to do with the email address. For instance, let’s say you run a business that sells two products—A and B. If you get an individual’s details through a sale of Product A and then you start emailing them about Product B, this could be considered a breach of GDPR. You can mitigate this by setting up multiple opt-in conditions. 

Phone calls/Cold calling:

The GDPR currently does NOT prohibit you from making calls to potential customers but for accountability purposes, you must know when you made the call and how long the call lasted. The in-built phone channel in Freshsales CRM allows you to log calls and make notes and will now also come with the ability to turn on/off call recording at will.

For how long can a CRM store an individual’s data:

The GDPR legislation has rules around this policy which vary in terms of the extent of this data and the length of time it may be reasonable to store this data depending on your specific business needs. For instance, the legislation dictates that say, beyond product warranty period, there would be no reasonable need for a business to retain an individual’s data. Freshsales CRM now has a “Delete” feature that allows you to completely delete contact data from Freshworks. This holds good in the case of backup and archiving as well.

An individual’s rights and requests:

Under the GDPR legislation, an individual can request an update to their information, a report of what information you hold on them and the right to be forgotten. When such requests are made, a good CRM software with robust record management at its heart will make it easier for you to identify the right individual and ensure that this individual has only one record in your system. Freshworks makes it easy to view, export, and delete records in a single click!

User Access Rights:

Before GDPR kicks in, it is advisable that you review your team’s structure and how your team uses your  CRM software and accesses the records present in it. Most CRMs will generally allow you to define who has access to what kind of data and has rights to view, modify, and delete the said data.

User Access Rights:

Before GDPR kicks in, it is advisable that you review your team’s structure and how your team uses your CRM software and accesses the records present in it. Most CRMs will generally allow you to define who has access to what kind of data and has rights to view, modify, and delete the said data.

Freshworks commitment to GDPR-readiness

Before you begin, we recommend reading Freshworks’ statement on data protection and GDPR-readiness here.

We are taking a two-pronged approach towards this.

Lawful basis for processing

The GDPR legislation states that an organization needs to have lawful basis to collect and process personal information. The lawful basis can be consent (opt-in), performance of contract (sending an invoice to a customer of your organization), etc.

We are making enhancements to our Web Forms and Emails, making it easier for you to record consent.

Web Forms

Web Forms have an option to include “opt-in” checkboxes to record consent along with an editable text area for stating the intent of collecting the said data.


Emails in Freshsales CRM have a feature to include an “opt-in”. In case you have contacts for whom you do not have recorded consent, then you can make use of this feature to send out an email to these contacts and record their consent.

Built-in Phone

The in-built phone in Freshsales CRM has an option to turn On/Off call recording during an ongoing call. This is to enable you to seek explicit permission before recording the call.

Compliance with Individual Rights under the GDPR

GDPR gives EU citizens expanded rights with regards to the use of their personal data. Here are the individual rights applicable in the context of Freshsales CRM and how you can comply with them.

Right to be forgotten

An EU citizen can request the removal of their personal data at any point in time. We have introduced a new feature called “Forget” that will completely delete the contact from Freshsales CRM.

Right to data portability

An EU citizen can request a copy of their data for their own use. We are introducing an “export” option at the individual contact level. This one-click option will provide the complete data of an individual contact that is present in Freshsales CRM.

Rights related to automated decision making including profiling

Under the GDPR, you cannot process personal information in automated decision making or profiling without lawful basis (like consent). Keeping this in mind, Freshsales CRM allows you to turn off the “auto-enrichment” feature.


Additional features

Restrict sending emails when a Contact hasn’t opted-in:

Restrict export of Contacts data

Should you be GDPR ready?

TL;DR, Yes, you should be GDPR compliant. If you are in the EU, or have customers in the EU, GDPR compliance is mandatory. Because the GDPR professionalizes the way data is handled.

The internet has transformed the way we live and work. We search for everything online, consume news and entertainment, share personal views and messages, and buy possibly everything under the sun using the internet. In this process, many businesses capture our data, store it, use it, and often trade it in ways we have little control over. This data can often be lost or misused. GDPR ensures that organizations maintain a minimum standard of security to ensure that the data they store about individuals is stored and processed securely at all times, to minimize the risk of it being lost or misused. Given these concerns, the GDPR might just be the precursor to many such legislations that may come up in the future.

However, it is up to you to ensure that your policies, practices, and procedures comply with the GDPR. We at Freshsales CRM recommend reading the full GDPR text (yes, all 99 articles) to familiarize yourself with the legislation and taking the necessary steps required to become GDPR compliant.

Further reading