A cloud-based CRM solution is compelling, especially for the small business. But the vendor decision should be based on more than product features, functionality and cost. Relying on a third party to manage, store and secure critical commercial information is a big step. From the legal requirements of the Data Protection Act to data security, backup and access, organisations need to consider a raft of essential requirements.
However, to retain ownership and responsibility for business information, organisations need to closely assess the data security, storage and management capabilities of a prospective cloud-based CRM vendor.
Data security remains the number one concern for organisations when assessing cloud-based solutions. And yet once the decision has been made to move to the cloud, the vast majority of businesses appear to completely abdicate all responsibility for securing, managing and accessing this critical business information.
Taking the online CRM route offers a raft of benefits – from the lower-cost subscription model and lack of requirement for internal IT expertise to access to new functionality. But it also creates new risks: this cloud-based information is business critical. Organisations need to ensure it is both secure and accessible – both now and in the future.
Before taking this step, organisations need to consider some tough questions. What is the business implication if this CRM data is lost or compromised? How effectively could the company operate with no information on customers or prospects? How much would it cost the business in lost revenue? This is sensitive customer data – what are the legal requirements for data security and storage? How would the company’s brand and reputation be affected by a data breach?
Without carefully assessing and considering these issues, organisations risk not only falling foul of data protection legislation, but also compromising both revenue and reputation.
It should be obvious that organisations need to verify the security, reliability and availability promises of any cloud-based solution. Information should, of course, be routinely backed up, and the provider should have robust physical and technical security policies and processes in place.
However, there are too many incidents of CRM vendors experiencing data corruption problems that result in companies losing at least one entire day’s information. To ensure this critical data is not lost, therefore, the data centre provider must replicate data across multiple data centres, with real-time failover in the event of a problem to ensure continuous information availability.
But there are other considerations – not least an organisation’s legal obligation to safeguard data. This is information that relates to individuals; it typically includes telephone numbers and both physical and online addresses.
As a result, all data must be stored according to the requirements of the Data Protection Act (DPA) and, critically, the onus rests with the business, not the CRM vendor, to ensure DPA compliance. Outsourcing data storage does not mean outsourcing data ownership or responsibility.
So what are the compliance requirements? Firstly, any organisation storing personal information has to register with the Information Commissioner's Office (ICO); secondly, the business has to appoint a Data Controller who is responsible for ensuring secure and appropriate data storage. And that includes data location, since under European Union legislation it is illegal to store data relating to European citizens outside the EU.
There is just one exception to this rule. Under the US Safe Harbor provision, compliant US organisations are able to store information related to European citizens, although it is important to understand that there is minimal enforcement of standards outside the EU.
A further concern relating to US-based organisations, and their subsidiaries in Europe, is that under the US Patriot Act, any US government agency can request any information being held – whether in the UK, Europe or US, with no additional legal requirements – a fact that may deter many organisations, especially those within regulated industries such as financial services. In essence, it is far safer to ensure information is stored not only in the UK but also with data centre providers that have no US links.
Having safeguarded data from both a legal and commercial perspective, it is also critical to ascertain just what will happen to this data if the business decides to stop subscribing to the CRM service, or swap to another supplier.
How easy is it to get the data back? How much will it cost? And, critically, will it be delivered in a format that is easy to use? Most vendors will delete the data as soon as the subscription lapses; indeed, data can only be retrieved whilst the subscription is still active and even an immediate request for retrieval will incur a significant cost.
In contrast, some vendors will retain data for up to three months to give customers some leeway in the decision-making process. And this is key: in some cases organisations, especially smaller businesses, find the focus has shifted to other aspects of the operation and simply let the subscription lapse – only to discover this critical business information has been deleted.
Organisations should also be taking a more proactive approach to data ownership. What happens, for example, in the event of vendor failure? Or failure of the data centre provider? Is there any provision for restoring the data? Far better to look for a vendor that offers an option to back up the data on a regular basis to ensure continuous access to this key information in the event of disaster.
Some vendors do not offer this option; others limit the number of backups to, for example, once a month; others, again, offer the option of daily backups or a backup-on-demand service. It is therefore important to determine up front how often the organisation wants to back up the CRM data and look for a solution that can support that business need.
Taking the cloud-based CRM route makes commercial sense on many levels. But out of sight should never mean out of mind. CRM information underpins business performance and business success. Organisations are not only obliged to meet legal compliance requirements for secure information storage but must proactively ensure that this critical information is securely stored, continuously available and accessible to the business to safeguard profitability and sales performance.