Is your CRM GDPR ready? | Consent

In this series I want to unpack what the new General Data Protection Regulation (GDPR) means for CRM. I’m writing as an entrepreneur and technologist: I want to help good people use good tech. I founded SheepCRM in 2011 to help startups, SMEs, and charities with their technology and business problems. My background is not the traditional, sales-focused CRM where C = Customer. The C in SheepCRM is much broader: C = member, donor, supporter, employee, volunteer, attendee and customer.


The Information Commissioner’s Office (ICO) have published some great material on GDPR. See our GDPR reading list. In this article I’ll unpack a few elements from the ICO draft guidance on consent.

The GDPR sets a high standard for consent. It builds on the DPA standard of consent in many areas and it contains significantly more detail that codifies existing European guidance and good practice.

OK, fair warning: GDPR is going to be tougher than the Data Protection Act (DPA).

The GDPR is clearer that a sign of consent must be unambiguous and involve a clear affirmative action.

Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service.

The GDPR specifically bans pre-ticked opt-in boxes.

So far so good: this guidance is about page design, form structure and good UX, which is work for our web developer friends. Can we all agree that ‘unambiguous’ means no more double negatives? “Click here if you don’t want to be excluded from receiving marketing from our selected spammers”. 🎉 And there is an explicit clause banning weaselly pre-ticking.

You must keep clear records to demonstrate consent.

can of worms opened you have

We must keep explicit records of when consent was given, what was consented to, and the context of that consent.

Context is particularly important here. [In Sheep we call this context provenance. Provenance helps us to understand the genealogy of a record. We can root out bad data sources and make smart decisions when processing updates.]

The context may be within your control (a signup form on your own website) or it may be through a third party. At Sheep we encourage our clients to use the best tools available for the job: MailChimp for mailing lists, Eventbrite for selling tickets, GoCardless for direct debit payments, Xero for accounts. Personal information is therefore flowing in from a number of tributaries. How these third parties adapt to GDPR will be interesting. I hope and expect consent data to become available through their APIs.

Even if you don’t use third parties you will occasionally change your privacy policy. To show a clear record of consent you will want to know if the data subject gave consent under policy 1 or policy 2.

It requires granular consent for distinct processing operations.

What are you doing with the personal data that you hold? For many of us we’re going to need a bit of time to think that one through. Until now we’ve been able to collect a vague implicit consent and then decide later how we want to use that data. GDPR is forcing us to be transparent and upfront.

The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

I need to keep records when consent is given. So it seems pretty clear that I also want to keep clear records showing when it is withdrawn.

Next Steps:

Information Audit

  • List your distinct processing operations (What are you collecting information for?)
  • Review the consent you are asking for. Does it match your processing operations? Be upfront, be transparent
  • Test: Can you identify the consent from a random record? Do you understand the context for that consent?

Ask yourself: is your CRM ready?

  • records: Have you got explicit consent records?
  • clarity: When was the consent given?
  • clarity: What is being consented to?
  • clarity: What was the context of the consent?
  • demonstration: Can you find the consent record on demand?
  • granular consent: Can you capture many different kinds of consent?
  • distinct processing operations: Can you record the operations you’ve been granted consent for?
  • withdraw: Can you record that consent has been withdrawn?
  • withdraw: Are withdrawals granular or is it a blanket opt-out?
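One way to model the checklist above is an append-only consent ledger, shown here as an added example (not SheepCRM's code or any provider's API). The class names, purposes, source labels and policy versions are hypothetical, and the sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # who
    purpose: str         # what: one distinct processing operation
    action: str          # "grant" or "withdraw"
    at: datetime         # when (timezone-aware)
    source: str          # context / provenance: form or third party it came from
    policy_version: str  # privacy policy in force when the event happened

class ConsentLedger:
    """Append-only log: events are added, never edited, so history stays provable."""

    def __init__(self):
        self._events = []

    def record(self, event):
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action: {event.action!r}")
        if event.at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        self._events.append(event)

    def history(self, subject_id, purpose=None):
        """Every event for a subject, oldest first: the on-demand audit trail."""
        rows = [e for e in self._events if e.subject_id == subject_id
                and (purpose is None or e.purpose == purpose)]
        return sorted(rows, key=lambda e: e.at)

    def current(self, subject_id, purpose, as_of=None):
        """The grant in force for one purpose, or None. No record means no consent."""
        as_of = as_of or datetime.now(timezone.utc)
        rows = [e for e in self.history(subject_id, purpose) if e.at <= as_of]
        return rows[-1] if rows and rows[-1].action == "grant" else None

def demo_ledger():
    """Constructed sample data: one member, two purposes, two policy versions."""
    day = lambda m, d: datetime(2018, m, d, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    for row in [
        ("m-1001", "newsletter", "grant", day(1, 10), "web:signup-form", "policy-1"),
        ("m-1001", "event-invites", "grant", day(1, 10), "web:signup-form", "policy-1"),
        ("m-1001", "newsletter", "withdraw", day(3, 2), "email:unsubscribe-link", "policy-2"),
    ]:
        ledger.record(ConsentEvent(*row))
    return ledger
```

Because a withdrawal is recorded per purpose rather than as a blanket flag, the newsletter opt-out in the sample leaves the event-invites grant in force, and the earlier grant remains in the history with its original policy version.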


If your CRM isn’t ready: talk to your provider about their plans. If you are looking to change providers please consider Sheep.

Sheep’s splendidly simple back-office solution helps not-for-profit organisations streamline their communication, membership, fundraising and event management activities.

Get ahead with our GDPR reading list

Disclaimer: I’m an entrepreneur and technologist, not a lawyer. However I’d love to chat informally and talk through how Sheep might be able to help you manage your data.

Photo credit: John Robert Marasigan
