When Privacy Laws and Hosted CRM Collide

Updated: April 30, 2009

Every corporation needs to keep information on its customers close at hand. How else could a company expect to adequately service thousands of virtual strangers or appropriately dote on big spenders? But to do so can put your business at odds with pesky privacy laws that can do more than just dampen its good intentions — they can seriously cut into profits.

"Unfortunately, some enterprises are not addressing this issue at all because they are not aware of the danger," said Jennifer Albornoz Mulligan, an analyst at Forrester.

The issue is particularly blindsiding if your company uses a hosted CRM solution and hasn't safeguarded itself from liabilities outside of its premises and its control.

"Common pitfalls are not asking or thinking about where your information is stored ," warned Mulligan. "Laws in the EU , Canada and other privacy-sensitive countries forbid the transfer of personally identifiable information outside of the country to countries with nonadequate privacy protection. This includes both customer and employee information."

"Using an outsourcer or hosted CRM makes it very easy to accidentally or blindly transfer data outside of the country without the necessary legal protections," she said.

Where It Is Viewed Is Where It Is

But just ensuring that your hosted CRM vendor is storing your data in the U.S. is not adequate protection against prevailing privacy laws.

"Information that is even viewed on a screen in a different country is considered to have been transferred, even if the database isn't stored in that country," said Mulligan.

Even in the U.S., the law is tightening its grip on who knows what, when and how.

"There is a very wide range of local legislation in place and emerging in the various states," warned Michael Weathersby, an attorney and partner of Evert Weathersby Houff. "There is little doubt that these restrictions will become more prevalent as irresponsible dissemination of personal data results in or becomes an attributed source of identity theft."

In short, privacy laws are growing in reach and number in the U.S. and elsewhere.

To combat these problems, many companies are battening down the hatches.

"I worked at a large health care company and implemented a national CRM application based on a hosted CRM system. Although they were OK with contact information, they would not approve any health-protected information [HPI] from being stored on outside servers," said Lonny Nathanson, partner at Levitate IT. "Regardless that the information was encrypted , stored apart from other companies' data, could not be 'seen' by the vendor and had strong passwords for users, they were not about to let any HPI data outside their own firewalls."

Avoiding Missteps

There are a number of steps your company can take to build its own shield.

"The best practices are to thoroughly investigate what your outsourcers and hosted companies are doing with your information. Their promises of compliance to laws should be included in your contracts, and penalties [should be] listed for noncompliance," said Mulligan.

Ultimately, the burden of responsibility lies with your company.

"You cannot transfer the risk to the outsourcer. If you are the data owner, and that data violates data privacy laws, it is your responsibility, no matter who you hired," said Mulligan. "Therefore, you need to have serious conversations with your vendors so that you understand what they intend to do with your data and if it meets your needs."

Featured Research
  • The Social Intranet: A guide to getting better business results

    This whitepaper describes why the shift from a traditional to a social intranet is imperative to staying competitive, and analyzes the costs and benefits associated with implementing one. You will also find useful KPIs to measure performance and further leverage your intranet's success, raising employee engagement and boosting your competitive advantage. more

  • The New 2016 SMB CRM Comparison Guide

    Selecting a CRM system is not easy. That's why our CRM expert has compiled this new SMB CRM comparison guide to provide you with the information you need on the top 40 CRM software solutions available on the market. more

  • How to Get the Most out of CRM

    Studies suggest that 63% of CRM projects fail. But your business doesn’t have to be among the failures. You can see ROI on your investment in CRM by implementing an effective plan. more

  • CRM on a Budget in 2017

    With some businesses spending hundreds of thousands of dollars on CRM, it’s easy to fall into the trap of thinking that you need a hefty budget in order to purchase a quality CRM solution. Not so. more

  • 2017 CRM Buyer's Guide

    Customer Relationship (CRM) software has become one of the most important business tools in today’s world. By allowing you to better connect with new and existing customers, CRM is an indispensable tool for sales teams and customer service teams alike. But with so many choices available, it can be difficult to decide on a solution. more