As we mentioned in our previous article, the GDPR establishes the principle of proactive responsibility: the company that ultimately holds the data is responsible for ensuring that the data it collects is protected, even when a third party processes it. These companies are considered responsible for, and guarantors of, the processing of that data.
In addition to helping you manage business processes, our mission is to provide you with the tools so you can comply with the regulations and protect your data, so you only have to focus on growing your business.
How does the GDPR affect your ERP and CRM?
You may have an ad-hoc or custom-developed system; a modular or licensed ERP; on-premises or in the cloud; cross-functional or vertical; open source; etc. In any case, it is your company that ultimately must ensure that the data is protected and processed properly.
Basically, the points you should focus on are:
- Data security
- Guarantee the rights of individuals (ARCO)
- Security audits and documentation
- Notification of security breaches
The advantage of using a modular or licensed ERP or CRM is that it is backed by a large multinational that works 24/7 to maintain the security and protection of the databases it manages, so your company does not have to worry about whether the vendor complies with the regulations: the vendor is the party most interested in doing so. In addition, licensed ERPs have updates included (in the case of NetSuite, twice per year), which allows legislative changes or regulatory tightening to be incorporated before they take effect. Remember that the LOPD, the Spanish regulation that adapts the European general regulation, still has to be updated, so more changes are yet to come.
The GDPR does not talk about technology, nor does it mandate any specific security control. However, in Article 32 it offers guidance on security measures that companies can consider to safeguard the data they manage and, by extension, mitigate the risk of suffering a security breach.
Some of the examples it includes, and that NetSuite meets:
- the pseudonymization and encryption of personal data;
- the ability to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that ensure the security of the processing.
If you want to know all the security measures applied both to the data and to the centres where it is kept, you can check them at this link.
Protect personal data. – The GDPR extends the definition of personal data to any data that can serve to identify an individual, and to data that helps build a profile, even indirectly, such as ethnicity or gender.
The law requires the company to adopt certain security and privacy measures, maintain them with periodic tests to avoid vulnerabilities and, if a breach occurs, notify it within 72 hours.
ERPs such as NetSuite already carry out these processes and, since their inception, no security breaches have occurred. Furthermore, due to the rigorous controls, any possible attack or breach would be detected immediately.
To ensure the protection of stored data, NetSuite uses SSL encryption.
Another great advantage of using an integrated ERP / CRM is that the fewer databases that need to be managed, the fewer resources are needed to maintain them. NetSuite works with a single database, so only one needs to be managed.
Customers / Users – For CRM use, the consent of individuals to be included in a database must be express and unambiguous; in the case of web subscriptions, a box must be ticked for each of the activities for which their information will be used. In addition, it must be possible to exercise ARCO rights. The data collected must be limited to what is essential to maintain the service for which consent was given.
A centralized, up-to-date CRM solution such as NetSuite helps consolidate data and facilitates active management, since it keeps customer records in a single database, without duplication and without depending on third parties, so a single click allows the updating, modification, rectification and/or deletion of the authorizations granted by individuals.
Employees. – HR, which collects and manages sensitive personal data, is considered high impact. The consent to obtain data from employees must be reviewed. Modern solutions allow employees to manage their own consents and access through “self-service” options.
Training for employees
Make sure to train your employees in the use of your ERP / CRM so that they are aware of the requirements for collecting data in accordance with the regulations.
When evaluating your ERP solution you should consider its capabilities and limitations, as well as the responsiveness of your service provider and the software you use. Old ERP and CRM systems require more effort to adapt to new regulations such as the GDPR, and will need a profound overhaul to meet the standards.
To ensure that your company complies with the legislation in a quick, easy and economical way, you should consider moving to a modern ERP / CRM solution with periodic security updates and reviews, and hiring the services of a provider familiar with the specifications of your system who can help you harmonize your business needs with the new legal requirements.