
GDPR and CRM: What Every Business Needs to Know

GDPR and CRM compliance: lawful basis for processing contact data, consent vs legitimate interest for B2B outreach, consent recording in HubSpot, Salesforce, Zoho, and Pipedrive, handling right to erasure and subject access requests, and automated retention period management.

GDPR (General Data Protection Regulation) affects every business that holds personal data about EU and UK residents – regardless of where the business is headquartered. For most sales and marketing teams, the primary GDPR concern is their CRM: the system that holds contact information, communication history, lead data, and customer records. Using a CRM without GDPR-appropriate controls exposes organisations to fines of up to €20 million or 4% of global annual turnover, whichever is higher. This guide covers the specific GDPR requirements that affect CRM operations, how to configure major CRM platforms for compliance, and the practices that cause the most common GDPR failures in sales and marketing.

The best compliance approach is the one that makes rights requests, retention cleanup, and lawful basis decisions manageable inside the CRM instead of scattered across side systems.

GDPR changes CRM work because customer data is no longer just a sales asset; it is regulated personal data with rules around access, consent, retention, and deletion. That means the CRM has to support not only selling but also data handling discipline.

How GDPR Applies to CRM Data

GDPR Principle | CRM Implication | Practical Requirement
--- | --- | ---
Lawful basis for processing | You must have a legal reason to hold and process every contact’s data | Document the lawful basis for each data type (consent, legitimate interest, contract)
Data minimisation | Collect only the data you actually need for the stated purpose | Review CRM fields; remove fields collecting data with no business use
Purpose limitation | Data collected for one purpose cannot be repurposed without re-consent | Don’t use a contact list collected for a webinar as an outbound sales list without basis
Accuracy | Data must be kept accurate and up to date | Regular data hygiene processes; mechanism for contacts to update their data
Storage limitation | Data shouldn’t be kept longer than necessary | Define retention periods; automate deletion or anonymisation of stale contacts
Right to erasure | Contacts can request deletion of their personal data | Process for deleting all data about a contact across CRM and integrated tools
Right to access | Contacts can request a copy of all data held about them | Process for exporting a complete contact record and related data
Data portability | Contacts can request their data in a machine-readable format | CSV or JSON export of contact record on request

Lawful Basis: The Most Important GDPR Concept for CRM

Every piece of personal data in your CRM must have a lawful basis for processing. The three most relevant bases for sales and marketing CRM:

Consent: The contact explicitly agreed to their data being held and used for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don’t constitute consent. Marketing email lists require consent unless another basis applies. In CRM, consent should be recorded as: the consent date, what the contact consented to, and how consent was obtained (form URL, event registration, etc.).

Legitimate interest: You have a legitimate business reason to process the data that doesn’t override the individual’s rights. B2B prospecting to contacts at companies that fit your ICP can often be justified under legitimate interest – a business professional’s work email address used for business-relevant outreach is typically acceptable. Personal email addresses, consumer data, and data collected without the contact’s knowledge are more difficult to justify under legitimate interest.

Contract: Processing is necessary for a contract with the contact (i.e., they’re a customer). Customer records in CRM are processed under the contract basis – no separate consent is required for holding and using customer data necessary to fulfil the contract.

For contacts where consent is the lawful basis, CRM must record consent status. Implement this with custom fields: a checkbox field “Marketing Consent” (Yes/No), a date field “Consent Date,” and a text field “Consent Source” (form URL, event name, etc.). Most major CRMs have built-in GDPR tools:

  • HubSpot: GDPR settings under Settings → Privacy and Consent – enable “Record a contact’s consent to communicate” on all forms; HubSpot automatically logs consent to the contact record
  • Salesforce: Marketing Cloud Consent Management; Data Protection and Privacy settings in Sales Cloud; Privacy Center add-on for consent workflows
  • Zoho CRM: GDPR module under Settings – Data Subject Requests management, consent fields on contact records
  • Pipedrive: Data privacy and consent management available from Settings → Personal data

Handling Data Subject Requests

Right to erasure (Right to be forgotten): When a contact requests deletion of their data, you must delete (or anonymise) all personal data held about them across all systems where it exists – not just CRM. This includes: CRM contact record, email marketing lists, marketing automation contact data, any third-party tools synced with CRM, and backup data. You have 30 days to comply. Create a documented deletion process so you can demonstrate compliance if challenged.

Right to access (Subject Access Request): The contact has the right to receive a copy of all data held about them, within 30 days, free of charge (for routine requests). In CRM, this means exporting the full contact record including all fields, all activities, all email history, and any custom object data linked to the contact.

Retention Periods: Automated Data Cleanup

Define a data retention policy: after how long should a contact with no commercial activity be anonymised or deleted? A common B2B policy: contacts with no activity (no email opens, no meetings, no deal progress) in 36 months are removed from marketing lists and anonymised (name and email replaced with a hash or deleted, company and industry retained for analytical purposes). Automate this with a CRM workflow that flags contacts approaching the retention limit and triggers a re-consent campaign – contacts who re-engage are retained; those who don’t are removed.


Handling Data Subject Rights Requests Through Your CRM

GDPR grants individuals several rights over their personal data: access, rectification, erasure, and portability. Your CRM is typically the system of record, and you have a legal obligation to respond within 30 days. Most organisations handle these requests manually and inconsistently, which creates compliance risk as volumes grow.

Not necessarily. Consent is just one of six lawful bases under GDPR, and for B2B prospecting most organisations rely on legitimate interest instead. This is appropriate when you have a genuine business reason for the processing, the processing is necessary for that reason, and the individual’s privacy interests do not override yours. B2B contacts in decision-making roles generally have a lower expectation of privacy for their professional contact details. You must still provide an opt-out mechanism in outbound communications and honour requests promptly. Consent becomes required when your processing goes beyond what the individual could reasonably expect, such as tracking website behaviour or processing sensitive personal data categories.

What happens if someone’s data is held in multiple connected systems?

A right to erasure request applies to all systems where that individual’s personal data is held, not just the primary CRM. Your CRM is likely the originating system that pushed contact data to your email marketing platform, ad audiences, customer support tool, and analytics systems. Each must be included in your erasure process. Some integrations replicate data automatically but do not replicate deletions, meaning a contact deleted from your CRM may persist in a connected system indefinitely unless you manually remove them. Document your data flows in your GDPR records and test your erasure process end-to-end at least annually.

How long do we have to respond to a data subject access request (DSAR)?

Under GDPR, you have one calendar month from receipt of a valid request to respond. This can be extended by two further months in cases of complexity or volume, but you must inform the individual within the first month that you are exercising the extension and explain why. A DSAR requires you to provide the individual with a copy of all personal data you hold, how it is being used, who it has been shared with, and your retention periods. Prepare before you receive one: know which CRM fields constitute personal data, how to export a single contact’s complete record, and who is authorised to review and redact the response.

Does GDPR apply to our CRM if we only sell to businesses?

GDPR applies to the processing of personal data relating to natural persons. In a B2B context, this includes the contact details of individuals at the businesses you sell to: name, work email, phone number, and job title. This falls within GDPR’s scope even though your commercial relationship is with the company. GDPR does not apply to data about legal entities (company name, registered address, company number), but the moment a human being’s contact details are associated with a company record, GDPR applies to those fields. Sole traders, where the business and individual are not legally distinct, are covered in full.

Problem: No Defined Process for Right to Erasure Requests

When a contact requests deletion of their personal data, many sales teams are unsure what to delete, where to find all the data, and how to confirm deletion. Ad hoc responses lead to incomplete deletions: a contact removed from the CRM may still exist in email lists, event registrations, or connected third-party tools.

Fix: Build a documented Data Subject Rights (DSR) response process before you receive your first request. Map all systems that receive contact data from your CRM and include each in your erasure checklist. In HubSpot, use the GDPR Delete function (Contacts → Actions → GDPR Delete) which removes the contact and suppresses re-entry. In Salesforce, use the Individual object to track data subject requests and the Data Deletion functionality. Log each request, the actions taken, and the completion date in a secure record outside the CRM as your audit trail.
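The erasure checklist in the fix above, together with the subject access export and response deadline described in the FAQ answers, as one worked script. This is an added example, not code from the page or from any CRM vendor: the ConnectedSystem class, its find/delete interface, the system names and the contact records are constructed stand-ins for real connectors. It reproduces the failure mode the FAQ warns about (an integration that receives contacts from the CRM but never receives deletions) by re-querying every mapped system after deletion and marking the audit entry incomplete when anything remains.

```python
from __future__ import annotations

from datetime import date


class ConnectedSystem:
    """In-memory stand-in for a system that holds copies of CRM contact data.

    Real connectors would call each product's API; the find/delete interface
    is an assumption for this example.
    """

    def __init__(self, name: str, records: list[dict], honours_delete: bool = True) -> None:
        self.name = name
        self.records = records
        # Some integrations receive new contacts from the CRM but never receive
        # deletions; modelled as a connector whose delete() changes nothing.
        self.honours_delete = honours_delete

    def _matches(self, record: dict, email: str) -> bool:
        return record.get("email", "").lower() == email.strip().lower()

    def find(self, email: str) -> list[dict]:
        return [r for r in self.records if self._matches(r, email)]

    def delete(self, email: str) -> int:
        """Delete matching records; returns how many were actually removed."""
        if not self.honours_delete:
            return 0
        before = len(self.records)
        self.records = [r for r in self.records if not self._matches(r, email)]
        return before - len(self.records)


def export_subject_data(systems: list[ConnectedSystem], email: str) -> dict:
    """Subject access request: every record about the person, keyed by system.

    The result still needs human review for third-party data before release.
    """
    return {s.name: s.find(email) for s in systems}


def erase_subject(systems: list[ConnectedSystem], email: str, today: date) -> dict:
    """Right to erasure: delete in every mapped system, then re-query each one.

    Returns the audit entry to store outside the CRM. The entry itself holds
    personal data (the subject identifier) and needs its own retention rule.
    """
    entry = {"request": "erasure", "subject": email, "date": today.isoformat(),
             "systems": {}, "complete": True}
    for s in systems:
        deleted = s.delete(email)
        residual = len(s.find(email))          # verification step
        entry["systems"][s.name] = {"deleted": deleted, "residual": residual}
        if residual:
            entry["complete"] = False          # needs manual follow-up
    return entry


def response_deadline(received: date, extended: bool = False) -> date:
    """One calendar month from receipt; three when the extension is invoked.

    The day is clamped to 28 so the result is always a valid date and never
    later than the true deadline.
    """
    months = 3 if extended else 1
    years, month_index = divmod(received.month - 1 + months, 12)
    return date(received.year + years, month_index + 1, min(received.day, 28))


def build_sample_systems() -> list[ConnectedSystem]:
    """Constructed data-flow map: the CRM plus two systems it pushes contacts to."""
    return [
        ConnectedSystem("crm", [{"email": "jane.doe@example.com", "name": "Jane Doe"},
                                {"email": "sam@example.org", "name": "Sam Roe"}]),
        ConnectedSystem("email-platform", [{"email": "jane.doe@example.com", "list": "newsletter"}]),
        ConnectedSystem("ad-audience-sync", [{"email": "jane.doe@example.com", "audience": "retargeting"}],
                        honours_delete=False),
    ]


SAMPLE_RECEIVED = date(2025, 1, 31)   # constructed request receipt date


def run_demo() -> tuple[dict, dict]:
    """Export first (access request), then erase and verify (erasure request)."""
    systems = build_sample_systems()
    exported = export_subject_data(systems, "Jane.Doe@example.com")
    audit = erase_subject(systems, "jane.doe@example.com", date(2025, 2, 10))
    return exported, audit


if __name__ == "__main__":
    exported, audit = run_demo()
    print("export:", exported)
    print("audit:", audit)
    print("deadline:", response_deadline(SAMPLE_RECEIVED))
```

The audit entry returned by erase_subject is what the fix above says to keep outside the CRM; a `complete` value of False is the signal that one of the mapped systems needs manual removal, which is exactly the case the annual end-to-end test should catch.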

Problem: Cold Outreach Lists With No Documented Lawful Basis

Many B2B sales teams build prospecting lists from LinkedIn or data brokers and load them into the CRM without a documented lawful basis. GDPR requires one for processing each contact. For outbound cold prospecting, legitimate interest is typically relied upon, but this requires a documented balancing test that most organisations have never performed.

Fix: Document a Legitimate Interest Assessment (LIA) covering three steps: identifying your legitimate interest, confirming the processing is necessary to achieve it, and balancing your interest against the individual’s rights. Store this with your GDPR compliance records and review annually. Add a lawful basis field to your CRM contact records, populate it during import, and include an opt-out mechanism in every outbound email.

Problem: CRM Data Retained Indefinitely With No Retention Policy

Most CRMs accumulate years of stale contacts with no systematic review or deletion. Holding data indefinitely violates GDPR’s storage limitation principle and increases your exposure in the event of a data breach.

Fix: Define a data retention policy with specific periods for each contact type: active customers (retain while in contract plus three years), unconverted leads (18 months from last interaction), marketing contacts (24 months from last engagement). Configure automated workflows in your CRM to flag or anonymise contacts who exceed the threshold. Anonymisation allows you to retain the analytical record while removing personal identifiers.
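The retention policy in the fix above, and the flag-then-anonymise workflow described in the earlier section on automated cleanup, as one sweep script. This is an added example, not code from the page or from any CRM vendor. It assumes a contact export as a list of dictionaries with the fields shown, takes the per-type periods from the policy above, and adds an assumed 90-day warning window in which contacts are flagged for re-consent rather than anonymised. One caveat a practitioner should keep in mind: replacing name and email with an unkeyed hash is reversible by hashing a list of candidate addresses, so the example uses an HMAC with a secret held outside the CRM (a constructed placeholder here), which makes the result pseudonymised data; deleting the identifiers outright is the stronger option when company and industry are all the analytics need.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import date

# Retention periods, in months, from the policy examples given on the page.
# For customers the clock starts at contract end; for the others at the last
# interaction or engagement recorded in the CRM.
RETENTION_MONTHS = {"customer": 36, "lead": 18, "marketing": 24}

# Contacts within this many days of their limit are flagged for a re-consent
# campaign instead of being anonymised straight away (assumed window).
WARNING_WINDOW_DAYS = 90

# Secret key for the keyed hash. Held outside the CRM (secrets manager), so a
# stored token cannot be reversed by hashing guessed e-mail addresses the way
# a plain SHA-256 could. Constructed placeholder value for this example only.
PEPPER = b"example-pepper-keep-in-a-secrets-manager"


def pseudonymise(value: str) -> str:
    """Replace a personal identifier with a keyed, non-reversible token."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to 28 so every result is valid."""
    years, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_index + 1, min(d.day, 28))


def retention_expiry(contact: dict) -> date | None:
    """Date after which the contact falls outside its retention period.

    None means there is no expiry yet (customer still under contract).
    """
    if contact["type"] == "customer":
        anchor = contact.get("contract_end")
    else:
        anchor = contact.get("last_activity")
    if anchor is None:
        return None
    return add_months(anchor, RETENTION_MONTHS[contact["type"]])


def classify(contact: dict, today: date) -> str:
    """Return 'retain', 'flag' (start a re-consent campaign) or 'anonymise'."""
    expiry = retention_expiry(contact)
    if expiry is None:
        return "retain"
    if today >= expiry:
        return "anonymise"
    if (expiry - today).days <= WARNING_WINDOW_DAYS:
        return "flag"
    return "retain"


def anonymise(contact: dict, today: date) -> dict:
    """Drop the personal identifiers, keep company and industry for analytics."""
    kept = {k: contact[k] for k in ("id", "type", "company", "industry") if k in contact}
    kept["name_token"] = pseudonymise(contact["name"])
    kept["email_token"] = pseudonymise(contact["email"])
    kept["anonymised_on"] = today.isoformat()
    return kept


def sweep(contacts: list[dict], today: date) -> dict:
    """Apply the retention policy to every contact and group the outcomes."""
    result = {"retain": [], "flag": [], "anonymise": []}
    for c in contacts:
        action = classify(c, today)
        result[action].append(anonymise(c, today) if action == "anonymise" else c)
    return result


# Constructed sample export; not real contacts.
SAMPLE_CONTACTS = [
    {"id": 1, "type": "lead", "name": "Jane Doe", "email": "jane@example.com",
     "company": "Example Ltd", "industry": "SaaS", "last_activity": date(2023, 9, 15)},
    {"id": 2, "type": "marketing", "name": "Sam Roe", "email": "sam@example.org",
     "company": "Roe & Co", "industry": "Retail", "last_activity": date(2023, 8, 1)},
    {"id": 3, "type": "customer", "name": "Ada Bloggs", "email": "ada@example.net",
     "company": "Bloggs plc", "industry": "Finance", "contract_end": None},
    {"id": 4, "type": "customer", "name": "Kim Lee", "email": "kim@example.net",
     "company": "Lee Inc", "industry": "Finance", "contract_end": date(2021, 1, 31)},
    {"id": 5, "type": "marketing", "name": "Pat Ng", "email": "pat@example.com",
     "company": "Ng Studio", "industry": "Media", "last_activity": date(2024, 5, 1)},
]
TODAY = date(2025, 6, 1)   # constructed run date


def run_sweep() -> dict:
    return sweep(SAMPLE_CONTACTS, TODAY)


if __name__ == "__main__":
    for action, rows in run_sweep().items():
        print(action, [r["id"] for r in rows])
```

Contacts in the `flag` group are the ones a CRM workflow would enrol in the re-consent campaign; on the next run, those that re-engaged have a fresh last_activity and drop back to `retain`, while the rest cross the limit and are anonymised.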

Compliance becomes much easier when the CRM can support routine cleanup and response workflows. If those tasks are manual, the process becomes harder to trust as data volume grows.

Frequently Asked Questions: GDPR and CRM
