2018

M AY

GDPR and How It Changes Your

Customer Relationships

Disclaimer: The content in this guide is not to be considered legal advice and should be used for information purposes only.
Content

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

What is GDPR? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

How does it affect your business? . . . . . . . . . . . . . . . . . . . . . . . . . 7

Initial preparations to consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

GDPR and your CRM system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 2 of 11
Executive Summary
On May 25, 2018, a new European privacy law called
The General Data Protection Regulation (GDPR) will come
into effect.
It provides citizens of the EU with greater control over
their personal data and assurances that their information
is being securely protected across Europe, regardless of
whether the data processing takes place in the EU or not.
A lot of attention has been focused on the negative
impact the GDPR is predicted to have on businesses
and organizations and the steep costs associated with
non-compliance. This makes it even more important to
begin the research into how you, as businesses and
organizations, gather and use data for personal data for
monetary gain.
Personal data is the “new black” in today’s digital world.
Companies like Facebook and Google collect massive
amounts of data in order to offer more personalized
campaigns. Transportation industries collect data in order
to offer personalized transportation proposals. Credit card
companies use the data to come up with the right credit
score on you.
GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com
There’s nothing wrong with collecting personal data and
using it commercially as long as no individuals rights are
being violated.
As a matter of fact, this change is actually a great
opportunity for companies to build even better
relationships with their customers, in addition to their
sales, marketing and customer service activities.
The GDPR is about privacy, security, transparency and
ultimately, trust. And believe it or not, these elements
are an important part of whether or not a consumer or
a business customer will choose a specific company.
This paper explains a little bit about the background of the
GDPR and what it is. We will also touch on the regulation
itself, and explain how it will impact the way you do
business with new and existing customers.
As a CRM company, we are, of course, concerned about
how our software and services can help you become GDPR
compliant. It is clear that the time is now to consider a GDPR
CRM compliant system, if you don’t already have one.
Page 3 of 11
Introduction
The Internet has dramatically changed the way businesses
find, catch and keep their customers. Today, the whole
buying process can easily happen digitally and online.
Every time you visit a website, your digital footprint is
recorded. For example, your IP address, geographical
location, gender, income, interests and the websites you
visit are all collected and gathered to create a profile
on you. Based on this information, an advertiser can tell
if you’re looking for black high-heeled pumps or a new
washing machine.
Technologies such as tracking, automation,personalization
and Big Data all make this possible. These new
technologies create profiles about a person or
groups of people based on browsing history, updates to
social media, articles that have been read and products
bought on the Internet. Big Data is then used to analyze
and look for patterns in large amounts of data which can
then be used to predict behavior.
With this data, advertisers know a lot more about an
individual’s habits, interests, tastes and contacts and can
GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com
target their advertising better than ever.
You’ve probably noticed how banner ads suddenly start
following you around on various websites with promotional
offers on something that you were just looking at a day or
two ago.
The collection and use of this personal data all happens
in the background and usually without a person’s
knowledge.
This new way of doing business has created a huge
market for personal data. The more specific the personal
data is, the more an advertiser is willing to pay for it.
The way personal data is collected, bought, sold and used
directly conflicts with Europe’s fundamental belief that
every person has the right to privacy, that every individual
is free and independent, and is in charge of his or her own
affairs without outside influence.
And here lies the crux of the GDPR.
Page 4 of 11
What is GDPR?
On May 25, 2018, a new European privacy law called The General Data
Protection Regulation (GDPR) will come into effect.

It provides citizens of the EU with greater control over their own data and less power to the organizations that
their personal data and assurances that their information collect and use such data for monetary gain.
is being securely protected across Europe, regardless of
whether the data processing takes place in the EU or not. Under the GDPR, individuals have the following rights
when it comes to data collected about them online:
The GDPR is the EU’s way of giving individuals, prospects,
customers, contractors and employees more power over

1 Consent has to be given

Businesses may not process the personal information of individuals unless they
have been freely given a specific, informed and unambiguous indication of
consent either by a statement or by a clear ‘affirmative action’.

2 The right to access

This provides individuals with the right to request access to their personal
data and to how their data is used by the company after it has been gathered.
The company must provide a copy of the personal data, free of charge and in
electronic format if the individual requests it.

3 The right to be forgotten

If consumers are no longer customers, or if they withdraw their consent for a

company to use their personal data, then they have the right to have their data
deleted.

4 The right to data portability

Individuals have a right to transfer their data from one service provider to another.
And it must happen in a commonly used and machine readable format.

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 5 of 11
 5 The right to be informed

This covers any gathering of data by companies, and the fact that individuals must
be informed before data is gathered. Consumers have to opt in for their data to be
gathered, and consent must be freely given rather than implied.

6 The right to have information corrected

This ensures that individuals can have their data updated if it is out of date or
incomplete.

7 The right to restrict processing

Individuals can request that their data is not used for processing. Their record can
remain in place, but not be used.

8 The right to object

This includes the right to stop processing their data for direct marketing. There
are no exemptions to this rule, and any processing must stop as soon as the
request is received. Similarly, this right must be made clear to individuals at the
very start of any communication.

9 The right to be notified

If there has been a data breach which compromises an individual’s personal data,
then the individual is entitled to be notified within 72 hours of first having become
aware of the breach.

This is all about building trust and transparency between
businesses and individuals. Personal data is just that, it’s
personal.
You have to be able to trust that the company who has
your data is using it in the way that you want it to be used.
The GDPR forces companies to take the handling of
personal data seriously.
up to 4% of annual global revenue or 20 million Euros,
whichever is greater.
In addition to the rights of privacy, all organizations and
companies that work with personal data are encouraged
to appoint a data protection officer or data controller who
is in charge of GDPR compliance.

There are tough penalties for those companies and

organizations who don’t comply with GDPR with fines

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 6 of 11
How does the GDPR affect
your business?
Obviously, the GDPR applies to you if you’re a B2C company, but it applies just
as well to you if you’re a B2B company. After all, a B2B company also deals
with the business of people and not in entities.

Let’s say you’re a B2B company. You collect data on your
customers such as name, address, business email, postal
code, interests, purchased products, and usage patterns.
You may even collect information that is considered
unique identifiers (personal or passport ID, pictures etc.)
or even sensitive information about an individual.
You collect this data because you want to offer
complementing products to your customers, send them
relevant email offers and service them better. Together
with automation and data analysis, you use the customer
information you’ve collected to help you create even
better personalized recommendations for your customers.
All this makes for great business, but in light of GDPR,
you’ve got to ask yourself a few questions.
For example, where is the customer information that
you’ve collected stored?
You also have to ask yourself where this data is stored.
Maybe you have your customer data kept in various
spreadsheets or in email systems spread across different
devices such as laptops or mobile devices? If so, do you
have any idea who in your company might have copies?
Many businesses have their customer data stored in
one central location, maybe even integrated with a CRM
solution.
GDPR also forces you to take up other questions such
as: Has the person given his consent for us to store this
data and can I document that fact? Is it really relevant or
necessary for me to have this data? Can I explain why this
data is collected and used? What happens if the data we
have ever gets hacked?

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 7 of 11
Initial Preparations to Consider
Two key components of the GDPR legislation are privacy by design
and privacy by default.

Privacy by design means that companies and organizations
need to consider privacy at the initial design stages and
throughout the complete development process of new
products, processes or services that involve processing
personal data.
Privacy by default means that when a system or service
includes choices for the individual on how much personal
data he/she shares with others, the default settings should
be the most privacy friendly ones.
Both require that employees, and especially those
involved in the development of new products and
services, have enough basic knowledge on privacy. Clear
guidelines, policies and processes have to be developed.
In order to help you answer some of the questions that
we posed in the above section, here are a few steps you
should consider implementing as you start your journey to
becoming GDPR compliant:

1. Map your company’s data 3. Put security measures in place

Map where all the personal data in your entire Develop and implement safeguards throughout your
business comes from, where and how you store this infrastructure to help contain any data breaches. This
information and document what you do with the data. means putting security measures in place to guard
Identify exactly where the data resides, who can against data breaches, and taking quick action to
access it and if there are any risks to the data. notify individuals and authorities in the event a breach
does occur.
2. Determine what data you need to keep
Make sure to check with your suppliers also.
Don’t keep more information than necessary and get
Outsourcing doesn’t exempt you from being liable.
rid of data that isn’t used. If your business collects a
You need to make sure that they have the right
lot of data without any relevant purpose or need, you
security measures in place also.
won’t be able to do this in a GDPR world. GDPR will
encourage a more disciplined treatment of personal
data.

In the clean-up process, ask yourself:

• Why are we saving all this data?
• What are we trying to achieve by collecting all these
categories of personal information?
• Is the financial gain of deleting this information
greater than saving it?

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 8 of 11
 4. Review your documentation
Under GDPR, individuals have to explicitly consent
to the acquisition and processing of their data. Pre-
checked boxes and implied consent will not be
acceptable anymore. You will have to review all your
privacy statements and disclosures and make sure
they are adjusted, if needed.
5. Establish procedures for handling
personal data
As we mentioned in an earlier section, individuals
have 9 basic rights under GDPR.
6. Appoint a data protection officer
If storing and using personal data is part of your
business, or your company employs more than 250
people, you should appoint a Data Protection Officer.
The DPO must have professional experience and
expertise in protecting data and a deep understanding
of the EU Data Protection Regulation. This person
should be a clear and capable communicator and
needs to be able to effectively share his knowledge.
Additionally, the DPO needs to be skilled in using his
understanding to develop and implement concrete
data protection practices.

You will need to establish policies and procedures for

how you will handle each of these situations.

For example:
• How can individuals give consent in a legal manner?
• What is the process if an individual wants his data to
be deleted?
• How will you ensure that it is done across all
platforms/systems and that it really is deleted?
• If an individual wants her data to be transferred, how
will you do it?
• How will you confirm that the person who requested
to have her data transferred is the person she says
she is?
• What is the communication plan in case of a data
breach?

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 9 of 11
GDPR and Your CRM System
By May 2018, all companies have to have a plan in place to handle each
of the 9 privacy rights. They will also need a formal system to house
consents, partner agreements, privacy agreements, as well as customer
data.

Since we are talking about customer data, our belief is that We are now making it even easier for you to do so, with
the best place to house all of this information is in a GDPR ready GDPR configuration options and additional features
compliant CRM system. that support the new requirements.

SuperOffice is fully committed to GDPR, and we take it The first of these new GDPR features will be launched in
very seriously. Our system already lets you handle most the Fall of this year.
of the GDPR requirements today, provided you have
configured the solution correctly.

A GDPR compliant CRM system can help you

• Manage all your customer relationships, from sales to •O

marketing to customer service
• Be your master consent database
• Allow you to categorize and administer control of your
privacy data
• Give you full privacy lifecycle support - from the time an
individual gives you his or her consent until the time the
individual asks to be erased from your system.
 ffer built-in incident management in case of a data
breach
• Give you control and transparency of your privacy data.
•O
 ffer you GDPR safe storage requirements according to
ISO 27001 standards

GDPR and How It Changes Your Customer Relationships SuperOffice AS - © 2017 www.superoffice.com Page 10 of 11
Conclusion
Data is a valuable currency in today’s digital world. Whereas a person before this new regulation
didn’t have any control over his personal data, the GDPR is now a refreshing change that puts the
power back into the hands of the individual.

Companies are required to be upfront and honest, with no hidden agendas. You might think
that the GDPR creates a lot of noise and hassle. This is only true if your business doesn’t take it
seriously. On the other hand, if you do take it seriously, it, in fact, creates a whole new world of
opportunities for you.

The GDPR is about privacy, security, transparency and ultimately, trust. And these elements play
an important role in whether an individual customer or business professional will choose to do
business with a certain company.

Companies who show they value an individual’s privacy (beyond mere legal compliance), who are
transparent about how the data is used, who design and implement new and improved ways of
managing customer data throughout its lifecycle build deeper trust, and therefore increase their
number of loyal customers and brand ambassadors.

superoffice.com