It is hard to imagine working in any CRM system without saving personal data of current and potential customers. For several months now, the famous GDPR, i.e. the regulation on the protection of personal data, has been in force. Everybody is trying to scare us with it, and many false myths have arisen around it. Is there really anything to be afraid of?

Firstly – don’t panic

It is worth knowing that all the confusion surrounding the entry into force of the EU GDPR regulation resulted from the very fact that someone reminded us of the need to take care of the quality of personal data processing, rather than from the requirements contained in the document itself.

Those requirements are, in fact, very often more liberal than the previous ones and deliberately give us more freedom.

My favorite example is the password format for a system: the “pre-May” rules and laws imposed a number of characters that had to be used, whereas the current regulations do not.

As a result, they will not become outdated when we all start using iris scans or fingerprints for this purpose. At the same time, GDPR “trusts” that we know best how to secure data in our own company and does not impose the same standards on all companies, whether they are international banks or local shoemakers.


What are our obligations?

The first one seems obvious, but it is the one to start with: looking after the data entrusted to us, and above all being aware of what data we hold and where we keep it.

In many companies I have audited it wasn’t so simple. Besides the CRM issues, we often have a problem with personal data management even on our own computers. As an experiment, answer two sample questions: If you have an “Old Desktop” folder on your computer, do you know whose data and what kind of data it contains? Do you still need the list of participants from years ago, with their PESEL numbers, on a flash drive that you can lose?

The second question suggests another task: in accordance with the principle of privacy by default, we should collect a minimum number of data categories.

Are we sure that in order to send someone an e-mail, we need their phone number? Is it worth including the ID card number in a contract if, in order to recover money at court, all you need is the PESEL number, which is unlikely to change?

In addition, it is worth answering “in advance” a possible question about why we need a particular type of data. Translating this into CRM terms: if it places a contact form on your website and asks, for example, for a name or phone number, try to prepare a meaningful justification for collecting this data.


Who do you share the data with?

There is nothing wrong with entrusting your customers’ data to other entities, as in the case of an accountant’s office or a CRM. On the other hand, you would probably prefer to know about it if you were them. If there is a data leak from accounting, it is better for them not to have an unpleasant surprise such as “not only didn’t I know about the leak, but I did not even know that they have my data”.

That’s why you should pay careful attention to CRM: there is no doubt that you keep your data in it. Maybe someone who granted you access to the system also has access to the data, or maybe they share servers with you; there are many possibilities. On top of this there is the country issue.

To put it simply, there are three possible scenarios.

  1. The company that creates the CRM is also from the EU, so it also observes the GDPR.
  2. The company that creates the CRM is from the United States and, as you have checked, is on the Privacy Shield-compliant list – under agreements between the countries, the Privacy Shield has been recognized as corresponding to GDPR. This is the case with Salesforce.
  3. The company that creates the CRM is from another country – then it is worth obtaining some written guarantees from it.


What are data sets?

After GDPR entered into force, the impractical obligation to notify the General Inspector for Personal Data Protection of the data sets held in the company disappeared. By the way, the GIODO has also disappeared, as it has been replaced by the President of the Data Protection Office, i.e. the PUODO.

It is still worth having such data sets for one’s own needs, and CRM will be very useful for this purpose. Based on it, simply write up internal documentation following your own division, e.g. “inquiries”, “leads”, “deals”, “archive”, noting in which data sets you hold a phone number, in which you store only invoice data, etc.

Similarly, the need to authorize staff members in writing to access specific data sets disappears. GDPR offers more contemporary solutions and takes into account, among other things, CRMs. In other words, authorization can simply be understood as wider or narrower access to CRM resources for specific people.


GDPR vs. CRM – to sum up

As you can see, GDPR takes into account the specificity of CRM and accommodates its characteristics. And where it imposes certain obligations on us, it does so simply for the welfare of our customers, and the requirements are not too burdensome. It’s worth taking GDPR-related requirements into account in your CRM just because they make sense and not for fear of penalties.



The introduction of the GDPR should be a great convenience for customers. For companies, it also poses a technological and organizational challenge. Activities inconsistent with GDPR carry the risk of financial penalties and problems that we would prefer to avoid. Companies conducting marketing and sales activities are particularly exposed here, as they are the ones that most often collect huge amounts of data.

Salesforce, whose CRM system is the best solution of its kind in the world, cannot afford to leak information. After all, it supports the US government, American Express, GE, Philips and 150,000 other organizations. That is why it ensures the highest security standards, which are still being improved as a result of technological progress.

The advantage of the solution offered by Salesforce is that it handles information on a single platform. In this way you can process events and all the accompanying data related to one customer without logging out of the tool. Another advantage is the fact that all processing mechanics and all the functions are located in the cloud. Nowadays, this is an important feature of modern solutions.


  • Tomasz Palak
  • Legal Counsel