CRM systems are a convenient set of tools that help
businesses deliver a personalized customer experience. They help teams build strong relationships with customers, gather valuable insights, and create better products over
the long run.
However, the value of customer data often outshines the
responsibilities that companies have with respect to regulatory compliance and
The regulatory landscape has become increasingly complex
over the years, leaving companies with a number of requirements to meet and
hefty fines in cases of non-compliance.
So, here are the key rules to
keep in mind when retaining customer data in CRM systems.
Treat CRM Data as Official Business Records
Any business communication with customers (email, social media, instant
messaging), as well as the data stored in CRM systems, is treated as an
official business record.
This is especially important to bear in mind when working
with international clients, whether in the US or Europe, where data privacy
laws are becoming more stringent by the year.
The California Consumer Privacy Act took effect in January 2020,
strengthening consumers' rights over how companies collect and store their
personal information. For example, a California resident can ask you to delete
their email address or any other personal information from your CRM system
(subject to the statute's exceptions, such as records you are legally obliged
to keep).
Similarly, under GDPR, any of your customers can ask to see
what personal data you hold about them (a data subject access request) and to
have it corrected or erased. Similar laws are expected to come into force in
other jurisdictions over the next several years.
So what does this mean in
For one, companies need to follow certain rules when
collecting, preserving, and disclosing all those bits of information.
For example, any email exchanged with prospects or customers is a business record, and so is
any chatbot message, social media comment or direct message, WhatsApp
archive, Slack message, or voice message.
All these various data sources are an integral part of your
compliance strategy. As such, you need to make continuous improvements to the
ways in which you monitor and capture information coming from them.
Ensure Data Retention Compliance
Virtually any business-related communication, in any
format, via any medium, is an official business record. This means it may have
to be produced in future litigation or in response to eDiscovery requests.
So what are some of the key rules that you need to follow
to ensure all this data is properly managed?
- First, make sure to preserve all business records for at least the relevant retention period (for specific periods, see Follow Retention Periods below).
- Create a well-defined records retention strategy that will be transparent and define:
- Where and how these business records are stored
- Who has access to them: do only relevant roles have access rights, or can anyone find and use this data?
- In which format and for how long this data is to be stored
- How are these records captured, collected, and exported when required?
- Tech skills your employees should possess and how these can be improved to ensure data safety
- Preserve these records together with their metadata (timestamps, sender
and recipient identifiers, message IDs, mail headers, channel and thread
identifiers). Metadata is what lets you demonstrate the authenticity of a
record: a screenshot, once the dominant way of preserving a message, carries
none of it and can be edited trivially, whereas metadata captured from the
source system ties the record to a specific account, time and conversation
and can be checked against that system. Metadata only proves anything if it
is captured at the source and stored so that later changes are detectable
(for example in write-once storage, or with a hash recorded at capture
time), so make sure that your CRM or the third-party archiving tool you use
captures metadata and protects both it and the content from modification.
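To make the authenticity point concrete, here is an added example (not code from the article or from any CRM vendor) of one way to store captured communications with their metadata in a tamper-evident form. Each record is serialised canonically, hashed together with the hash of the previous record, and the chain is verified later; any edit to the content or the metadata of a sealed record, or removal of a record from the middle of the chain, changes the hashes and is reported. The message records, channel names and identifiers are constructed sample data, not real messages.

```python
"""Tamper-evident preservation of CRM communication records (added example).

Each captured message is kept with its source metadata and sealed into a
SHA-256 hash chain.  Editing content or metadata of a sealed record, or
dropping a record from the middle of the chain, breaks verification.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

# Constructed sample records: three communications with their metadata.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {
        "channel": "email",
        "message_id": "<a1b2c3@example.com>",
        "timestamp": "2021-03-01T09:15:00Z",
        "from": "alice@example.com",
        "to": ["sales@example.com"],
        "body": "Please delete my contact details from your system.",
    },
    {
        "channel": "whatsapp",
        "message_id": "wa-7781",
        "timestamp": "2021-03-01T09:42:11Z",
        "from": "+15550100",
        "to": ["+15550199"],
        "body": "Can you confirm the order was cancelled?",
    },
    {
        "channel": "slack",
        "message_id": "1614591000.000200",
        "timestamp": "2021-03-01T10:03:20Z",
        "from": "U0123",
        "to": ["#customer-success"],
        "body": "Customer confirmed cancellation by phone.",
    },
]


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic JSON encoding, so the same record always hashes the same."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def link_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of this record bound to the hash of the one before it."""
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + canonical(record)).hexdigest()


def seal_records(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Wrap each record (content plus metadata) in a chained hash entry."""
    sealed = []
    prev = GENESIS
    for rec in records:
        digest = link_hash(prev, rec)
        sealed.append({"record": rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return sealed


def verify_chain(sealed: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if entry["prev_hash"] != prev:
            return False, i  # a record was removed or reordered before here
        if link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i  # content or metadata of this record was edited
        prev = entry["hash"]
    return True, None


def tip_hash(sealed: List[Dict[str, Any]]) -> str:
    """Hash of the last entry; record this externally so truncation is detectable."""
    return sealed[-1]["hash"] if sealed else GENESIS


def demo_tamper() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """Seal the samples, then backdate one record's timestamp and re-verify."""
    sealed = seal_records(SAMPLE_RECORDS)
    before = verify_chain(sealed)
    tampered = copy.deepcopy(sealed)
    tampered[1]["record"]["timestamp"] = "2021-03-02T09:42:11Z"
    after = verify_chain(tampered)
    return before, after


if __name__ == "__main__":
    print(demo_tamper())
```

A hash chain alone does not reveal that the newest records were dropped, so the tip hash should be written somewhere the archive's administrators cannot silently change (a timestamping service, a separate audit log, or the CRM vendor's own export manifest); comparing the stored tip with `tip_hash()` then catches truncation as well.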
The bottom line is that you need to be transparent about
the information you store in your CRM system. You also should have a robust
mechanism to prove record authenticity, and an automated way to present this
information to regulatory authorities or when customers request to see their
Follow Retention Periods
The third major part of a sound compliance process for
companies using CRM tools is respecting the applicable data retention periods. As
companies collect data on customers and deals and store it in their CRMs,
they are required to preserve this information for a specified period of time.
The particular retention period largely depends on the
industry a company works in and the type of business record, but there are
some key pieces of regulation that need to be followed, whether you work
with clients in the EU or in the US.
Note that the periods below are minimums for keeping records, while GDPR's
storage-limitation principle is a maximum: personal data must not be kept
longer than the purpose or a legal obligation requires. Your retention
schedule therefore needs both an earliest and a latest deletion date for each
record type, and a deletion request that collides with a legal retention
obligation should be logged and honoured when that obligation ends rather
than ignored.
Here are the essential pieces of legislation that you need to follow:
- GDPR: Privacy and security law for the EU and the European Economic Area that regulates the processing of personal data and its transfer outside the EU/EEA. It sets no fixed retention period; data may be kept only as long as necessary for the purpose it was collected for, so each company must define, document and justify its own periods.
- CCPA: A California state statute that gives residents rights over their personal information (access, deletion, opting out of sale). It does not mandate a retention period; access requests cover the preceding 12 months, and the CPRA amendments, in force since January 2023, require businesses to disclose how long each category of personal information is retained.
- HIPAA: Covers healthcare providers, health plans and their business associates. Required compliance documentation (policies, risk assessments, authorizations) must be kept for six years; retention of the medical records themselves is set by state law.
- FOIA: Governs public access to the records of US federal agencies, not private companies; agency retention schedules come from the Federal Records Act, not FOIA itself.
- SOX: All public companies and their auditors need to follow SOX rules; audit workpapers and related records must be preserved for seven years.
- FERPA: Regulates education records at institutions that receive federal funding. It sets no general retention period, but a record of each disclosure must be kept for as long as the education record itself is maintained.
- FINRA and SEC: Under SEC Rule 17a-4 and FINRA Rule 4511, broker-dealers must keep records for three to six years depending on the record type (some for the life of the firm), with the first two years in an easily accessible place. Customer communications such as email and chat fall under this, and the storage must be non-rewriteable and non-erasable or provide an equivalent audit trail.
- FCC: Governs telecommunications carriers; the required period depends on the record type (for example, the long-standing rule for telephone toll records was 18 months), so check the current rule for your records.
Once your pillars of record maintenance are in
order, you can build on them and expand the channels you use to grow your business. It is easy to extend a robust information management
strategy to new channels once it exists, but it is essential to understand that all your
information in CRM, email systems, and social media is official business record material and
should be treated with great care.
After all, CRM holds invaluable information for your
business growth, but it is your responsibility to keep the information within
the CRM system properly managed and groomed.