The EU General Data Protection Regulation (GDPR)

Changes to the governance of data will have far-reaching consequences for your business. The new General Data Protection Regulation (GDPR) will determine how your organisation does business, and particularly how it manages, protects and administers data in the future.


Is your CRM GDPR ready?

Many systems claim to be GDPR compliant but have yet to introduce new functionality specifically for the changes in regulations.

Here at FIVE CRM, we have invested in creating our own Personal Data Rights Management System, which is designed to provide organisations with the functionality needed to be GDPR compliant.

Our latest functionality includes:

Management of lawful reason information for every contact

The regulation states that every contact within your database must have a lawful reason for being there.

There are six allowable reasons:

1. You have consent from the individual

2. It is necessary for the performance of a contract with the individual or to take steps to enter into a contract

3. It is for the purposes of legitimate interests pursued by the controller or a third party

4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

5. It is to protect the vital interests of a data subject or another individual

6. It is needed for compliance with a legal obligation


“FIVE CRM have proven to be proactively working to make their CRM GDPR compliant on multiple levels”

Shobha Bentley
SierraBravo Consultancy Ltd


Ability to store extensive details for consent reason by channel and category 

As well as a reason for storing a contact within a database, you must also have details of which channel and category they would like to be contacted through.

Channels could include:
> Phone
> Email
> Post

Categories could include:
> Pet Insurance
> Customer Service
> Marketing

Complete management of “Right to be Deleted”, including backups

If an individual asks to be deleted from your system you must do so within a month, and you must be able to give proof of the deletion.

GDPR and ePrivacy compliant email campaign management

All tracking of email campaigns will be against the new regulation; therefore, you must be able to turn extensive tracking off.

GDPR is fast approaching. Receive your free copy of our leaflet, which gives you everything you need to know about the data protection changes!


What is it?

The General Data Protection Regulation (GDPR) is a new European ruling, which governs the data protection rights for all individuals within the European Union. It serves to strengthen and unify all data protection rules and practices across the EU.

What is changing?

GDPR will put the power back into an individual’s hands. They will gain the rights to access, amend, and restrict the personal data organisations have about them.

In the unfortunate event that an organisation suffers a data breach which could compromise the security of individuals’ personal data, those individuals must be told within 72 hours of the start of the breach.

Individuals also have the “right to portability”: the right to move data and services to another provider with no hassle or strings attached.


The greatest change within GDPR is the way consent is granted. Consent must be knowingly and willingly given by the individual, with organisations making their intentions for data use clear. Soft opt-ins, implied consent, and hiding data policies within confusing T’s and C’s are all against GDPR rules.

Organisations must keep a record of why, when and how they were granted permission. There must also be details of what they were told at the time. If oral permission was granted, a script of what was said will work fine; call recordings are not essential.

Right to be forgotten

Individuals will have the right to retract consent at any time, and have the “right to be forgotten”, which means that if they request an organisation to delete their data, it should be done immediately. It must be deleted from all backups, and the organisation should have proof of the deletion.

Right of access

Every EU citizen will have the right to ask how an organisation is using their personal data, where it’s used and why. They also have the right to request a digital copy of the data that is being held about them.

Right to object

All individuals will have a legal right to opt out of marketing communications. If an individual does opt out, you must withdraw them from that activity immediately.

“There’s a lot in the GDPR you’ll recognise, but make no mistake, this one’s a game changer for everyone.”

Elizabeth Denham
ICO Information Commissioner

Who does it apply to?

The new regulation will apply to any organisation around the world that deals with EU residents. While there is a possibility it can change, it currently applies to both B2B and B2C.

What will you be able to do?

You can call and email organisations, as these are generic and not personal data.

It has not yet been made clear by the EU and ICO whether you can contact potential clients through social media platforms.

Take action now!

You must be compliant with this regulation by 25th May 2018; otherwise you could face penalties of up to €20 million or 4% of your company’s worldwide annual turnover (whichever figure is greater).

Want to know how GDPR compliant your organisation is? Why not take our quiz?


How long does consent last for?

According to the Regulation, consent decays with time. However, 6 to 12 months seems to be a reasonable time frame.

Do I need consent to contact my customers?

No, it will either come under the lawful basis of “performance of a contract”, or it would be “Legitimate Interest” as you already have a relationship with them and it won’t be unexpected for them to hear from you.

I already have consent gained under DPA. Do I need to re-consent everyone?

Only if the methodology did not match the requirements of GDPR and/or it would have decayed in that time.

The regulation specifically states marketing can be used as a Legitimate Interest, isn't there a conflict there?

On the face of it, yes, there is a conflict. But the general understanding of the text is that an individual has a reasonable expectation that you will process their data, i.e. you would probably have a current relationship with them.

Will I still be able to buy lists of data?

If you cannot justify Legitimate Interest as the lawful basis, then you must rely on consent. If you buy data from a company that says they have obtained consent you need to be careful. The ICO guidance states “You must as a minimum include the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough”.

Will I have to change the contact forms on our website?

The regulation says that consent “must be a freely given, specific, informed and unambiguous indication of the individual’s wishes”. This means your text going forward beyond 28 May 2018 must comply with that statement, and any pre-selected tick boxes are not allowed.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

How does GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of organisations that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

Can I still market to my existing customers?

Providing they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.

Does GDPR apply to cold calling?

Yes, it does apply to a specific individual; however, you are able to call an organisation’s main line.