Helping your business comply with GDPR

May 25, 2018

On May 25, 2018, the General Data Protection Regulation (GDPR) began governing the use of individuals’ personal data in the European Union.

The GDPR applies to all organisations based in the EU and any organisation which processes personal data of an EU citizen. The GDPR sets out the standards to be reached by those who decide how to use personal data, and those which do processing on their behalf. And it gives individuals rights in relation to their data which are broader than rights that have existed in the past. Organisations, wherever they are located, should take care to comply with the GDPR – not only does it set out best practice about how to manage individuals’ information, but significant fines and adverse publicity for non-compliance will likely ensure that most organisations will want to be compliant.


How CRM systems can help businesses to comply with GDPR

If you are already using a CRM system – or considering it – you will likely be aware that it can be an extremely valuable tool to help with GDPR compliance if correctly adopted and used within your business.

Training - How Act! can help you with GDPR compliance

This 2-hour remote training session is designed to offer advice on how Act! can help your business with GDPR compliance. Contact your Account Manager for more information.

How Act! CRM can help businesses to comply with GDPR

Are you an existing Act! user? We’ve put together a guide for you to learn how to use Act! in compliance with GDPR.


GDPR stands for General Data Protection Regulation, which is the privacy regulation in force across the European Union (EU) since May 25, 2018. The GDPR lays down new principles – and reinforces existing ones – for the protection of personal data of EU citizens. EU organisations and those which process personal data of EU citizens will have to comply with the GDPR.

The GDPR has been in effect since May 25, 2018. In most of the EU it replaces the previous legislation, which was in place from the end of the 1990s.

The GDPR is applicable to any company, non-profit, government agency or other organisation that is either based in the EU or processes the personal information of EU citizens. This means that GDPR knows no geographical bounds and even though it’s enforced by EU based institutions, companies from all over the world are affected.

Brexit – the UK leaving the EU – is set to happen on March 29, 2019 which is around 10 months after GDPR comes into force. This means that UK companies can’t rely on Brexit saving them from the need to be GDPR-compliant. Moreover, in 2018 the relevant UK government agencies indicated they expect to maintain privacy laws at least as strong as GDPR.

GDPR affects all businesses that deal with the data of EU citizens, regardless of the number of employees or turnover of the organisation. Small businesses will have to comply with new regulations – for example regarding the manner in which individuals can consent to their data being processed, their right to have their data erased, data portability, data governance responsibilities and notification requirements if data breaches occur. Small businesses in the EU should take guidance from the relevant regulatory agency (for example the Information Commissioner in the UK, CNIL in France) and an appropriately experienced legal adviser.

GDPR requires that organisations handle personal data in certain ways. Organisations which have implemented a CRM system can harness it to enable (and require) users to handle that data in compliance with the GDPR. Our detailed guide which you can find here explains how.

There are a number of ways in which GDPR will impact marketers, but perhaps the most important is that the regulation reinforces the need for marketers to use people’s information only if they have a lawful basis to do so. While most marketers will have heard about having consent, there are five other bases on which an organisation can rely to process personal data. Of these there are three which are most relevant to small businesses: to perform or enter into a contract, to fulfill a legal obligation, or where it is in the legitimate interests of the small business, unless there is a good reason to protect the individual’s interests which is more important than the legitimate interests of the business.

Our commitment to Data Protection

Act! is committed to protecting customer data and ensuring GDPR compliance. We started our preparations in 2017 and, as with all applicable law, we comply with GDPR. We will continually review our measures and update them as necessary. For questions on how your data is handled by Act!, please contact us.

The GDPR requires that controllers and processors process in a way that ensures appropriate security of the personal data – this is called the GDPR’s ‘security principle’. The UK’s ICO has a very helpful webpage about the security principle. For more information about how Act! complies with the security principle, and how Act! products can help you comply with it, please see our dedicated Security page here. If you are using Act! web-based services you have an obligation to have a Data Processing Agreement in place with us in the form required by the GDPR. A sample copy of our standard contract can be seen here. To enable you (or the business entity you represent) to fulfil the GDPR requirement to enter into a contract with us covering your engagement of us as a data processor, please request a signed copy of our Data Processing Agreement from Please note that we do not make changes to this contract.

For information about how we collect, store and use personal information please see our privacy notice.

For a detailed guide on how Act! can help with GDPR compliance please download our ebook, available here.
