Is your CRM GDPR ready? | The right to be forgotten

In this series I want to unpack what the new General Data Protection Regulations (GDPR) mean for CRM. I’m writing as an entrepreneur and technologist: I want to help good people use good tech. I founded SheepCRM in 2011 to help startups, SMEs, and charities with their technology and business problems. My background is not the traditional C = Customer sales focused CRM. The C in SheepCRM is much broader: C = member, donor, supporter, employee, volunteer, attendee and customer.

The right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing..

The right to be forgotten has made the news through new UK legislation and a number of court cases where individuals have asked search engines to remove results. The context for CRM may be different but the principle is the same. GDPR gives individuals the right to request that their personal data is ‘forgotten’. Individuals just want a little respect.

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

To know when data is no longer necessary and to know the purpose for which it was collected are key foundations (see GDPR Consent). If your CRM isn’t giving you that data you will find it hard to know if you should or shouldn’t comply with the request. You’ll ask yourself: am I right to erase or should I take a chance?

Delete or obfuscate?

Deleting data gets database administrators all up-tight. If you blindly remove a record from a database you will almost certainly break referential integrity.

For example, if a person has paid you money in the past you will have a payment record typically with a link back to the person record. Removing the record will leave the payment record with a reference to a person that no longer exists. You could forget the person and all their linked records but, in this example, payment records are historic facts that you may need to audit against.

Soft delete: A common approach is therefore to mark a record as deleted but not actually remove the record. (Removing the record from the database is known as a hard delete.) That’s great but arguably you haven’t really forgotten anything.

Obfuscation: Obfuscating or pseudonymising data means blanking or replacing data on a field by field basis. You’ll be familiar with this approach when your credit card is referred back to you on a transaction. The first 12 numbers on a card are frequently replaced with ‘X’s leaving just the last 4 numbers visible.

Whatever approach is chosen the data needs to be ‘put beyond use’. Technical or procedural steps need to be in place to prevent accidental re-use. Sheep has always offered a soft-delete and as part of GDPR preparation is introducing pseudonymisation. Fields which can uniquely identify an individual are wiped. The record status is set to ‘forgotten’. (We briefly considered updating the recorded name to Andy or Vince but decided against it.)

Other organisations

You must endeavour to inform other organisations that you have disclosed information to. Some organisations will be independent of you but others will be providing services on your behalf. If you use a third-party mailing list service to send me email I would expect you to remove me from that list not just from your CRM database. Sheep, for example, will automatically remove or obfuscate (pseudonymise) user details where API methods permit.

Next Steps:

Information Audit

  • Do you have a process for handling erasure requests?
  • Do you have a data fading policy? data fading is removing certain fields over time
  • When consent is removed what data will you keep, what data will you obfuscate or remove?


If your CRM isn’t ready: talk to your provider about their plans. If you are looking to change providers please consider Sheep.

Sheep’s splendidly simple back-office solution helps not-for-profit organisations streamline their communication, membership, fundraising and event management activities.

Get ahead with our GDPR reading list

Disclaimer: I’m an entrepreneur and technologist, not a lawyer. However I’d love to chat informally and talk through how Sheep might be able to help you manage your data.

Photo credit: Andrew D, Hurley

Let’s have a quick chat to see if Sheep is right for you.

Consultations are informal and usually no more than 25 minutes (we know you're busy).

book a consultation