CRM and GDPR

Michelle Casey

Free Member
Apr 12, 2017
15
1
Hey there - we are a small business. I am comfortable with what I need to do regarding the 2000+ people we email to (that I need to email them and ask them for consent to carry on emails), but what if they don't want to receive our newsletter/comms? Understand I don't communicate with them, but what do I do about storage of their data (they are currently in Salesforce)? I don't lose all my business contacts over the last 12 years. I also have additional business contacts who aren't on our newsletter database but are in Salesforce. I will need their details for future business. I need to know what to do with the details of all those contacts I have gathered over the last years.

Thanks a lot
 

Devcorp

Free Member
Apr 25, 2018
10
0
Hi Michelle, I am definitely no expert on GDPR, but I read on the ICO (sorry, too new to post the link directly, but it's at the bottom of the post) that Honda was fined for emailing customers "aiming to clarify certain customers’ choices for receiving marketing" - so emailing to ask to be emailed could be breaking the rules.

In general, if someone opts out I think it's OK to keep their details if there is a business need for it, e.g. during a warranty or refund period, but otherwise you can't just keep data indefinitely. I'm not sure how that's supposed to work out in real life for creating any sort of useful marketing database though.

ico.org.uk/ action-weve-taken/enforcement/honda-motor-europe-limited/
 

Alan

Free Member
  • Aug 16, 2011
    7,089
    1,974
    If you are already emailing 2,000 people, you should think hard before emailing for consent. Consent should be your last port of call - you should assess legitimate interest, as if they expect emails and have the opportunity to opt out, they may well pass your legitimate interest assessment. See https://ico.org.uk/for-organisation...ul-basis-for-processing/legitimate-interests/

    If you are keeping data in Salesforce for no particular reason (i.e. you have never emailed them or they have opted out), then why do you want to keep their data? If you can think of a reason, then document that; if you can't think of a reason, make up a retention policy and destroy the personal information parts after that amount of time.
     

    Michelle Casey

    Thank you for your answers. I should have added that we are a B2B company (selling training products, among other things) to companies and individuals within that company. An individual may have bought training from us two years ago, but there is the potential they want training in the future. Or, we may need to contact them but not in a sales capacity in the future, e.g. to ask their involvement in an event we are running. How long can I keep their data? It is a rich source of industry contacts... unsure how I should be storing them. Thank you
     

    Alan

    It is totally up to you to assess how long and write & publicise your policies. The rules are 'no longer than necessary' and you must have a 'lawful basis' (there are 6, I think) to process the data.

    I would say that GDPR is actually targeted at businesses like yours, that think it is a good reason to hoard personal data for no particular reason, that is, 'might be valuable in the future but I can't say why'.

    Probably best, if you are concerned, to either read all the ICO material, or get trained, or watch a video (there are several out there by lawyers).
     

    Alan

    "An individual may have bought training from us two years ago - but there is the potential they want training in the future"

    Here is my assessment

    Lawful basis - legal obligation - HMRC requires 7 years of records - you can keep these for 7 years

    "Or, we may need to contact them but not in a sales capacity in the future e.g to ask their involvement in an event we are running"

    Not enough info here - what is their involvement in the event? How is it not sales or marketing?
     

    cjd

    Business Member
  • Nov 23, 2005
    15,998
    3,434
    www.voipfone.co.uk
    "Lawful basis - legal obligation - HMRC requires 7 years of records - you can keep these for 7 years"

    HMRC only requires information necessary to prove a VAT return, and if you keep data for that purpose it can only be used for that purpose, i.e. not for an emailing marketing list.

    Our OP needs opt-in to email historic customers that he no longer has a provable business relationship with. I would imagine you could make a reasonable case for emailing a recent customer that he gave training to within say, 12 months, with updates to the training given, but a general marketing email is less easy to justify even within that time.
     
