DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR and CRM Systems: How to Use Salesforce, HubSpot, and Pipedrive Compliantly

Your CRM is probably your biggest GDPR risk — here's how to get it right.

Your CRM is the engine of your sales and marketing operation. It's also — in many organisations — the single largest repository of personal data you hold. Thousands of contact records. Names, email addresses, phone numbers, company details, conversation history, deal notes. Personal data at scale.

GDPR doesn't distinguish between data that sits in a polished enterprise platform and data in a spreadsheet. All of it is subject to the same rules: lawful basis, data minimisation, retention limits, and data subject rights. The question is whether your CRM is set up to support compliance — or whether it's quietly accumulating risk with every new contact you add.

This guide covers the most common GDPR issues in CRM use and what you need to do about them.


1. Why CRMs Are a Major GDPR Risk

Most CRMs hold personal data that was collected over years, often from multiple sources, often without clear documentation of how or why. When GDPR came into force in 2018, most organisations did a one-time cleanup — then returned to old habits.

The problems are structural:

Volume without purpose. Sales teams are incentivised to add contacts. No one is incentivised to delete them. CRMs grow, and the lawful basis for most of the older records becomes increasingly unclear.

Mixed data sources. Your CRM might contain contacts from website forms, trade shows, purchased lists, LinkedIn exports, cold outreach tools, and manual entry. Each source carries different GDPR implications.

No retention policy. Most CRMs have no automatic deletion or archiving. A contact added in 2016 who never engaged, never bought, and never heard from you in three years sits there indefinitely.

Consent records are missing. You may have collected consent at some point, but the date, source, and specific wording of what someone consented to are rarely stored alongside the contact record.

Data enrichment is unaccounted for. Many sales teams use tools like Clearbit, Apollo, or ZoomInfo to enrich contact records with data the individual never provided directly.


2. Lawful Basis for CRM Contacts: Consent vs. Legitimate Interest

Under GDPR, you need a lawful basis before processing any personal data. In CRM contexts, the two most relevant bases are consent and legitimate interest.

Consent means the individual actively agreed — clearly, freely, and specifically — to you holding and using their data for the purposes stated.

Legitimate interest (Article 6(1)(f)) means you have a genuine business reason that is not overridden by the individual's interests, rights and freedoms. Regulators such as the ICO break this into a three-part test (purpose test, necessity test, balancing test), and you should record your answers to all three.

B2B contacts: For business-to-business sales and marketing, legitimate interest is often a viable lawful basis. You still need to run the legitimate interest assessment (LIA) and document it.

B2C contacts: For individual consumers, consent is generally the more appropriate basis for marketing. Cold outreach to individual consumers using legitimate interest is risky territory.

Note that the GDPR lawful basis is only half the question for email and SMS marketing: the ePrivacy rules (PECR in the UK) apply on top of it, and for messages to individual subscribers they generally require prior consent regardless of what your LIA concludes.

Key rule: Whatever basis you choose, document it — per contact type, per use case.


3. Recording and Tracking Consent in Your CRM

If you rely on consent, you need to be able to prove it. Under GDPR Article 7(1), the burden of proof lies with you: you must be able to demonstrate that the data subject actually consented.

For every contact where consent is your lawful basis, your CRM should store:

  • Consent date — when did they consent?
  • Consent source — which form, page, or interaction captured consent?
  • Consent wording — exactly what did they agree to?
  • Consent version — which version of your consent language applied?
  • Withdrawal record — if they withdraw consent, when and how?

Most CRMs allow custom fields for this. Create a standard set and make them required for any contact created via marketing channels.

Consent withdrawal must be as easy as giving consent. If someone unsubscribes from your email list, that withdrawal must propagate to your CRM and suppress all marketing contact.


4. Salesforce GDPR Features

Salesforce offers several built-in features for GDPR compliance, though they require configuration to actually work.

Individual object: Designed specifically for storing privacy preferences, consent, and data subject information.

Data Privacy Centre: Provides tools for managing consent, processing data subject requests, and implementing data retention.

Data masking: Salesforce Data Mask replaces real personal data with anonymised substitutes in non-production environments.

What Salesforce doesn't do automatically: out of the box, with no retention policy configured, Salesforce will not delete contacts after a retention period, will not alert you when your lawful basis no longer holds, and will not enforce data minimisation.


5. HubSpot GDPR Features

HubSpot has invested significantly in GDPR tools, particularly around consent management.

GDPR settings: Enable GDPR features globally in account settings under Privacy & Consent.

Consent to process and communicate: HubSpot distinguishes between consent to process data and consent to communicate (marketing emails).

GDPR-compliant email: When GDPR settings are enabled, HubSpot requires an unsubscribe link in every marketing email and respects global unsubscribes.

Gaps in HubSpot: Like Salesforce, HubSpot won't automatically delete or archive contacts after a retention period.


6. Pipedrive and SMB CRMs

Pipedrive's built-in privacy features include a privacy settings section where you can log reasons for storing personal data and set data retention periods. These are useful starting points but require manual setup per contact.

What you'll need to build yourself in Pipedrive:

  • Custom fields for consent date, consent source, and consent status
  • Automated workflows for retention
  • A clear process for handling DSARs

The key principle for any CRM: the tool's built-in features define the floor, not the ceiling.


7. Data Enrichment Tools: Clearbit, Apollo, ZoomInfo, and GDPR

Data enrichment tools create a significant GDPR issue: the enriched data was not collected from the data subject.

Under GDPR, you still need a lawful basis for processing enriched data. You also have a transparency obligation under Article 14: if you obtain data about someone from a source other than the individual, you must inform them within a reasonable period and at the latest within one month, or at the time of your first communication with them if you use the data to contact them, whichever comes first.

Practical implications:

  • Your LIA must account for enriched data
  • If you enrich a contact and never inform them, you may be in breach of Article 14
  • Enriching business contact details (job title, company, work email) is lower risk than enriching data about individuals in a private capacity, but the Article 14 duty applies to both

8. CRM Data Retention: When to Delete or Archive Inactive Contacts

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data not be kept longer than necessary.

Active contacts: Retain as long as there is an ongoing legitimate relationship.

Inactive contacts: Set a fixed inactivity period and enforce it. For example, a contact that has been in your CRM for two years with no activity, no purchase, and no consent refresh should be deleted. The exact period is yours to justify, so document why you chose it.

Consent-based contacts: Have a re-consent workflow that prompts inactive subscribers to confirm they still want to hear from you.

Former customers: Retain as long as required for legal or tax purposes, then delete.
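As an added illustration, not code from the original post or from any of the CRMs named above, here are the rules in this section expressed as a retention sweep over exported contact records, with the consent fields from section 3 stored on the same record. The field names, the policy thresholds (two years of inactivity, one year before re-consent, a 30-day grace period, a six-year statutory hold for former customers) and the sample contacts are all assumptions made for the example; take the real periods from your documented retention schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy thresholds are assumptions for this example. Take the real values
# from your documented retention schedule, not from this file.
INACTIVITY_LIMIT = timedelta(days=2 * 365)   # quiet for 2 years -> delete
RECONSENT_AFTER = timedelta(days=365)        # consent-based and quiet for 1 year -> ask again
RECONSENT_GRACE = timedelta(days=30)         # no answer within 30 days -> delete
STATUTORY_HOLD = timedelta(days=6 * 365)     # keep customers this long after the last order


@dataclass
class Contact:
    """One CRM record, with the consent fields from section 3 stored alongside it."""
    email: str
    lawful_basis: str                      # "consent" | "legitimate_interest" | "contract"
    created: date                          # when the record entered the CRM
    last_activity: Optional[date] = None   # last inbound engagement: reply, click, meeting
    consent_date: Optional[date] = None
    consent_withdrawn: Optional[date] = None
    last_order: Optional[date] = None      # most recent purchase, if ever a customer
    reconsent_sent: Optional[date] = None  # when a re-consent request went out


def classify(c: Contact, today: date) -> str:
    """Decide what to do with one record. Returns one of:
    retain      ongoing relationship, keep as is
    legal_hold  customer inside the statutory period: keep, but no marketing
    reconsent   consent-based and quiet: send a re-consent request
    review      record claims consent but cannot prove it (Article 7(1)): fix or delete
    suppress    consent withdrawn: stop marketing, keep only a suppression entry
    delete      nothing left to justify keeping it
    """
    last_seen = c.last_activity or c.created

    # Customers: the tax/accounting clock runs from the last order and overrides
    # the inactivity rules. Past that window they are judged like any other contact.
    if c.last_order is not None and today - c.last_order <= STATUTORY_HOLD:
        return "legal_hold"

    # Withdrawal must stick regardless of anything else (section 3).
    if c.consent_withdrawn is not None:
        return "suppress"

    if c.lawful_basis == "consent":
        if c.consent_date is None:
            return "review"
        if today - last_seen <= RECONSENT_AFTER:
            return "retain"
        # Quiet subscriber: ask once, then delete if they do not answer.
        if c.reconsent_sent is None:
            return "reconsent"
        if today - c.reconsent_sent > RECONSENT_GRACE:
            return "delete"
        return "retain"  # request sent, still inside the grace period

    # Legitimate-interest or contract contacts with no recent order.
    if today - last_seen > INACTIVITY_LIMIT:
        return "delete"
    return "retain"


def sweep(contacts: List[Contact], today: date) -> Dict[str, str]:
    """Run the policy over a whole export and return email -> action."""
    return {c.email: classify(c, today) for c in contacts}


# Constructed sample records (not real people) covering each branch above.
TODAY = date(2025, 6, 1)
SAMPLE_CONTACTS = [
    Contact("b2b-active@example.com", "legitimate_interest", date(2021, 1, 10), last_activity=date(2025, 4, 20)),
    Contact("stale@example.com", "legitimate_interest", date(2016, 3, 1), last_activity=date(2019, 5, 1)),
    Contact("subscriber@example.com", "consent", date(2023, 9, 1), last_activity=date(2024, 1, 15), consent_date=date(2023, 9, 1)),
    Contact("asked@example.com", "consent", date(2022, 1, 1), last_activity=date(2023, 1, 1), consent_date=date(2022, 1, 1), reconsent_sent=date(2025, 3, 1)),
    Contact("waiting@example.com", "consent", date(2022, 1, 1), last_activity=date(2023, 1, 1), consent_date=date(2022, 1, 1), reconsent_sent=date(2025, 5, 20)),
    Contact("noproof@example.com", "consent", date(2020, 5, 5), last_activity=date(2025, 5, 1)),
    Contact("optout@example.com", "consent", date(2022, 2, 2), last_activity=date(2025, 5, 30), consent_date=date(2022, 2, 2), consent_withdrawn=date(2024, 11, 11)),
    Contact("customer@example.com", "contract", date(2019, 1, 1), last_order=date(2021, 7, 7)),
    Contact("oldcustomer@example.com", "contract", date(2015, 1, 1), last_activity=date(2016, 3, 3), last_order=date(2016, 2, 2)),
]

if __name__ == "__main__":
    for email, action in sweep(SAMPLE_CONTACTS, TODAY).items():
        print(f"{action:<10} {email}")
```

The order of the checks is the point: the statutory hold is tested first so a deletion sweep never removes records you are legally required to keep, and consent withdrawal is tested before any "keep" rule so an unsubscribe can never be overridden by recent activity. The "review" outcome surfaces the Article 7(1) problem this section warns about: a record that claims consent with no date or source behind it.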


9. DSARs in CRM: Finding, Exporting, and Deleting Contact Data

Data Subject Access Requests (DSARs) require you to provide all personal data you hold within one month of receipt (Article 12(3)). That period can be extended by up to two further months for complex or numerous requests, but you must tell the requester about the extension, and why, within the first month. CRMs are typically the largest data store in any DSAR response.

Finding all data: Consider all places a contact might appear: Contacts, Leads, Deals, Email threads, Notes, Call logs, Activity history, Custom objects.

Processing deletion requests: Deletion is rarely simple. Email threads, backup snapshots, and integrated tools may hold data independently. For backups, the usual approach is to delete from live systems, add the record to a suppression list so a restore does not bring it back into use, and let the copies age out of the backup cycle on a documented schedule.
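An added example, not code from the original post or from any CRM vendor, of the "find all the places" step: a search over a constructed CRM export that finds records keyed by the subject's email, records linked to them by foreign key, and free-text mentions in notes that carry no link at all. The object names, field names and sample records are assumptions, shaped loosely like a simplified CRM dump, and each hit is flagged when it sits on another person's record so you know it needs redaction before it goes into the response.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

Record = Dict[str, Any]
Export = Dict[str, List[Record]]

# Constructed sample export (no real people), shaped like a simplified CRM dump.
CRM_EXPORT: Export = {
    "contacts": [
        {"id": "C-1", "email": "Ana.Silva@example.com", "name": "Ana Silva", "phone": "+351 900 000 000"},
        {"id": "C-2", "email": "bob@example.org", "name": "Bob Okoro", "phone": ""},
    ],
    "leads": [
        {"id": "L-9", "email": "ana.silva@example.com", "company": "Example Lda", "source": "tradeshow-2019"},
    ],
    "deals": [
        {"id": "D-4", "contact_id": "C-1", "amount": 12000, "stage": "closed-won"},
        {"id": "D-5", "contact_id": "C-2", "amount": 300, "stage": "open"},
    ],
    "notes": [
        # Attached to Bob's record but contains Ana's email: invisible to an ID-based search.
        {"id": "N-1", "contact_id": "C-2", "body": "Called Bob; he asked us to cc ana.silva@example.com on the quote."},
        # Never linked to any contact record at all.
        {"id": "N-2", "contact_id": None, "body": "Tradeshow follow-up: Ana Silva wants pricing in Q3."},
    ],
    "calls": [
        {"id": "K-7", "contact_id": "C-1", "summary": "Intro call, 20 min."},
    ],
}


def _norm_email(value: Any) -> str:
    return str(value or "").strip().lower()


def locate(export: Export, email: str, name: Optional[str] = None) -> List[Dict[str, Any]]:
    """Return every record that holds or mentions the data subject, how it was found,
    and whether it is attached to someone else's record (redact before exporting)."""
    wanted = _norm_email(email)
    hits: Dict[Tuple[str, str], str] = {}   # (object, id) -> how it was found
    anchors: Set[str] = set()               # ids of the subject's own contact/lead records

    # Pass 1: records keyed directly by the subject's email (case-insensitive)
    for obj, records in export.items():
        for r in records:
            if _norm_email(r.get("email")) == wanted:
                hits[(obj, r["id"])] = "email-field"
                anchors.add(r["id"])

    # Pass 2: records that point at those anchors by foreign key
    for obj, records in export.items():
        for r in records:
            if r.get("contact_id") in anchors and (obj, r["id"]) not in hits:
                hits[(obj, r["id"])] = "linked"

    # Pass 3: free-text mentions of the email, and of the name if one is given
    patterns = [re.compile(re.escape(wanted), re.IGNORECASE)]
    if name:
        patterns.append(re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE))
    for obj, records in export.items():
        for r in records:
            if (obj, r["id"]) in hits:
                continue
            for key, value in r.items():
                if key == "email" or not isinstance(value, str):
                    continue
                if any(p.search(value) for p in patterns):
                    hits[(obj, r["id"])] = f"mention:{key}"
                    break

    results = []
    for (obj, rid), via in sorted(hits.items()):
        record = next(r for r in export[obj] if r["id"] == rid)
        owner = record.get("contact_id")
        results.append({
            "object": obj,
            "id": rid,
            "via": via,
            # Found through a mention but attached to someone else: third-party data inside.
            "shared": owner is not None and owner not in anchors,
        })
    return results


if __name__ == "__main__":
    for hit in locate(CRM_EXPORT, "ANA.SILVA@example.com", name="Ana Silva"):
        flag = "  (contains another person's data: redact)" if hit["shared"] else ""
        print(f"{hit['object']:<9} {hit['id']:<4} via {hit['via']}{flag}")
```

The three passes map onto the three ways a CRM can hold someone's data: as a record about them, as a record linked to them, and as a mention inside someone else's record. Only the first two are reachable from the contact ID, which is why a DSAR export built from "everything related to contact C-1" comes back incomplete. The name search is deliberately a plain word-boundary match; it will produce false positives for common names, so treat those hits as candidates for a human to confirm rather than as automatic disclosures.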

Tools like Custodia can help you map data flows and identify which systems contain personal data for any given contact — reducing the risk of missing something in a DSAR response.


10. Compliance Checklist: Before You Import a Contact List

  • [ ] What is the lawful basis for each contact in this list?
  • [ ] Do you have documentation of the original consent or LIA?
  • [ ] Was this list collected under privacy notices that cover your intended use?
  • [ ] When was this list last cleaned?
  • [ ] Are there B2C personal emails in a B2B list?
  • [ ] How will consent status be stored in your CRM?
  • [ ] What enrichment will be applied after import, and what is the lawful basis?
  • [ ] What is the retention policy for contacts who never engage?
  • [ ] Who needs to be informed that they are now in your CRM? (Article 14)
  • [ ] Has your DPO or legal team reviewed the list source?

Get Your CRM GDPR-Ready

If you're not sure whether your website and data stack are collecting personal data in a compliant way, start with a free scan. Custodia's privacy scanner identifies trackers, third-party data flows, and common GDPR risks on your website in 60 seconds.

Run your free scan at https://app.custodia-privacy.com/scan.


This post provides general information about GDPR compliance for CRM systems. It does not constitute legal advice.
