You might be thinking, “If I hear those four letters one more time!”
But there’s no censoring this four-letter word. The GDPR is nearly live. It’s coming into full force on May 25, 2018 and it will impact any business handling European data.
I imagine, by this point, you’ve been subjected to a sizable barrage of scaremongering marketing messages.
We don’t want to add to the anxiety.
Instead, we want to get practical.
In the spirit of GDPR, we want to keep our content relevant, helpful and targeted.
Many Pipedrive customers have been asking us how we are preparing for GDPR. Business owners, managers and sales reps around the globe want to be assured that their CRM is doing all it can to prepare for GDPR.
We want to explain the steps we are taking to make sure Pipedrive customers can keep their data safe and secure. If you’re not a Pipedrive user, we’ll help you understand how your CRM should be getting you GDPR-ready, so you can get as much help as possible to prepare for the changes.
Is Your CRM Taking the GDPR Seriously?
We wanted to benchmark our efforts to make sure we are doing as much as we possibly can to prepare Pipedrive users for the GDPR, so we took a sneaky peek at what kind of actions other CRMs are taking.
Firstly, we looked for whether other leading CRMs had European data centres. Ten Pipedrivers divided and conquered our biggest competitors, eighty-two CRM providers in total.
We found that of our main competitor plans, only two currently have a European Data Center.
Two out of 82.
And neither of the two providers with European data centers was among the Gartner Front Runner CRMs.
This suggests GDPR is relatively low on the industry agenda, especially with US-centric CRM providers. This is a surprising (and somewhat troubling) discovery.
Our research team unearthed another discovery, sharing that people were moving from Salesforce to Pipedrive for a number of reasons. One of the most significant drivers of migration to Pipedrive was directly related to GDPR.
Switching From Salesforce to Pipedrive to Comply With GDPR
Jared Ranere, a Partner from thrv.com, reached out to our team in early 2018 with an interesting story. He and his team decided to migrate from Salesforce to Pipedrive - almost entirely because of their GDPR preparation.
thrv.com is the first and only jobs-to-be-done product management software, providing training, services and software to help your product, design, engineering, marketing, and sales teams align around your customer’s needs.
Jared explains exactly why his team made the switch to Pipedrive:
“One of the trickiest things about preparing for GDPR has been the unexpected changes in the outside services we use.
We were on SalesforceIQ, then one day we got an email saying we had to move from SalesforceIQ to Sales Cloud. We were surprised that instead of changing their product to comply with the GDPR, they forced us to switch which product we were using! The process required conversations with their sales team, reviewing and signing new contracts, creating new accounts, adding new payment information, and migrating data. There were a lot of steps!
Basically, it was easier and faster to move to Pipedrive than to deal with the Sales Cloud transition logistics. As far as I'm concerned, GDPR compliance should be handled by the company providing the software, not by its customers. If the software is compliant, I can go about my business using the software without worrying about the GDPR.”
Jared’s story is shared by so many other businesses handling European customer data. These new regulations are significant and you can’t afford to risk the security of your data.
Why European Data Centers are Important for GDPR
If your CRM is partnering with a European data center, you can be confident this provider is prioritizing GDPR preparation.
Germany is world-renowned as a leader in data security management, so if your customer data is housed in a German facility, you might have a promising head start.
Pipedrive has acquired a data center in Frankfurt, Germany, within the European Union. This facility allows Pipedrive to process European data within the region.
Every EU Pipedrive customer is contractually partnered with our EU entity, based in Estonia. These European roots make sure both Pipedrive and the customer are abiding by European legislation.
You might want to inquire about your CRM’s data management facility. If your data is housed in Europe, you can be confident that your provider is taking GDPR and your European data very seriously.
Make Sure Your CRM Offers Secure Data Transfer
Do you know how your business should be handling data transfers out of the European Economic Area (EEA)?
This question is repeatedly posed to our Customer Support team and the answer is even more important with GDPR pending.
The new legislation imposes strict protection requirements on moving data outside of the EU in order to maintain the integrity of the laws in place, which makes sense as a way to close loopholes.
Translating from the legal-speak: It is OUR job as a CRM provider to make sure that we transfer customer data lawfully.
Your CRM is responsible for secure data transfer.
If you're not using Pipedrive, it is worth checking that your CRM is GDPR-ready in this regard.
We work with technology leaders like Google, Amazon and Rackspace because they, like us, are responsible for moving lots of data in and out of the EU. Frankly, these market leaders are the brands we trust. These companies take secure data transfer very seriously. You should too.
“Making sure your data is protected even after it leaves the EEA is a black and white issue for us at Pipedrive. We do this by only working with third-party service providers that are EU-US Privacy Shield framework certified or have signed the EU Commission’s standard contractual clauses for data transfers. It’s that simple, or we won’t work with them!”
Martin Ojala, Pipedrive’s Data Protection Officer and GDPR Expert
Pipedrive had our users covered on this count well before the introduction of the GDPR. Your CRM should understand the critical importance of secure data transfer without the need for a GDPR-inspired prompt to update.
We have been working directly with trusted third-party partners to develop and deliver a bunch of new Pipedrive features for some time (like our Google Maps integration and our Smart Contact Data feature).
You might want to investigate the data security of your CRM’s third-party partners just to make sure all of your activities are GDPR-ready.
The GDPR Dictates That You Need Deletable Data
The rules state that you have to delete any data when you no longer have a legal basis (a good reason) to keep this data.
Martin Ojala, Pipedrive’s GDPR Expert, explains that customer friendliness is at the heart of the regulations. He is urging our team, and our customers, to take this opportunity to develop more helpful marketing practices:
“Respect towards the privacy of all individuals is at the core of Pipedrive’s operations. We see a more considerate approach to processing personal data as the next qualitative leap in all areas, including sales, and we strive to be at the forefront of this change.”
In GDPR speak, the people you store as “Contacts” are your data subjects, and you are considered the “data controller”. We call it ‘Client data’ for clarity purposes.
Nevertheless, you are responsible for the data and Pipedrive is responsible for giving our users the power to delete AND process it securely.
The same currently goes for “accounts”, also referred to as companies.
When ‘controlling’ the data, you can simply instruct us to delete the data you need deleted, and we then action that request.
We’ve developed this process to match the needs of our users. Many Pipedrive users accidentally delete contacts, and the need to reinstate deleted contacts is a very common problem. So at the moment, you don’t fully delete contacts directly from Pipedrive; we do this for you when instructed.
Without this provision, your CRM may put you in a dangerous position. On accounts where there are several admins, you may be exposed to the risk of losing important data and not being able to retrieve it.
This way you mindfully comply, we assist and you are not exposed to any negative repercussions from a simple mistake.
Update Your Web Forms for GDPR
Not all web forms require consent. If your web form obtains only company data you won’t need to make changes as company data is excluded from the GDPR.
However, if your web forms request personal data, you do need to comply with the regulations. Here’s how to determine whether you need consent:
You need consent if the data you’re asking for goes beyond what you need to provide the service the person is requesting by filling in the form.
For example, they’re requesting you get in touch with them about your service.
You collect their email and telephone number.
This is a clear information exchange in seeking contact.
If, however, you also ask for their income, the street they live on and their middle name, you would need to clearly seek consent for that part of the form (or for the specific field/s).
Pipedrive’s own sales and marketing teams are preparing for GDPR in many of the same ways as you. We have our own sales and marketing operations, so we too are working hard to make sure our practices adhere to GDPR in safeguarding the personal data we have about you!
This includes the way we collect it, manage it and market to you.
If you’re looking for more specific information about the ramifications for your sales operations, we prepared an entire article dedicated to your GDPR email marketing and sales requirements. Read through these requirements and share them with your team.
Do you have any specific GDPR concerns?
Contact us or leave your comments or thoughts.