Cloud-based CRM is compelling, especially for small businesses, but the all-important choice of vendors has to be based on more than product features, functionality and cost, according to John Paterson, Chief Executive for cloud-based CRM provider Really Simple Systems, who here discusses the legal requirements and ramifications of relying on a third party to manage and store critical commercial data.
From the legal requirements of the Data Protection Act to data security, backup and access, organisations need to consider a raft of essential requirements. In order to retain ownership of and responsibility for business information, organisations must therefore closely assess the data security, storage and management capabilities of any prospective cloud-based CRM supplier.
Data security remains the number one concern for organisations when assessing cloud-based solutions. And yet once the decision has been made to move to the cloud, the vast majority of businesses appear to completely abdicate all responsibility for securing, managing and accessing this critical business information.
Taking the online CRM route offers a raft of benefits - from the lower-cost subscription model and the lack of any need for in-house IT expertise to access to new functionality. But it also creates new risks: this cloud-based information is business critical. Organisations need to ensure it is both secure and accessible - both now and in the future.
Before taking this step, organisations need to consider some tough questions. What is the business implication if this CRM data is lost or compromised? How effectively could the company operate with no information on customers or prospects? How much would it cost the business in lost revenue? This is sensitive customer data - what are the legal requirements for data security and storage? How would the company's brand and reputation be affected by data breach?
Without carefully assessing and considering these issues, organisations risk not only falling foul of data protection legislation, but also compromising both revenue and reputation.
It should be obvious that organisations need to verify the security, reliability and availability promises of any cloud-based solution. Information should, of course, be routinely backed up, and the provider should have robust physical and technical security policies and processes in place. However, there are too many incidents of CRM vendors experiencing data corruption problems that result in companies losing at least one entire day's information. To ensure this critical data is not lost, therefore, the data centre provider must be replicating data across multiple data centres, with real-time failover in the event of a problem to ensure continuous information availability.
But there are other considerations - not least an organisation's legal obligation to safeguard data. This is information that relates to individuals; it typically includes telephone numbers and both physical and online addresses. As a result, all data must be stored according to the requirements of the Data Protection Act (DPA) and, critically, the onus rests with the business, not the CRM vendor, to ensure DPA compliance. Outsourcing data storage does not mean outsourcing data ownership or responsibility.
So what are the compliance requirements? First, any organisation storing personal information has to register with the Information Commissioner's Office (ICO); and second, the business has to appoint a Data Controller who is responsible for ensuring secure and appropriate data storage. And that includes data location, since under European Union legislation it is illegal to store data outside the EU that relates to European citizens. There is just one exception to this rule: under the US Safe Harbor provision, compliant US organisations are able to store information relating to European citizens, although it is important to understand that there is minimal enforcement of standards outside the EU.
Having safeguarded data from both a legal and a commercial perspective, it is also critical to ascertain just what will happen to this data if the business decides to stop subscribing to the CRM service or to swap to another supplier. How easy is it to get the data back? How much will it cost? And, critically, will it be delivered in a format that is easy to use? Most vendors will delete the data as soon as the subscription lapses; indeed, data can only be retrieved while the subscription is still active, and even an immediate request for retrieval will incur a significant cost.
In contrast, some vendors will retain data for up to three months to give customers some leeway in the decision making process. And this is key: in some cases organisations, especially smaller businesses, find the focus has shifted to other aspects of the operation and simply let the subscription lapse - only to discover this critical business information has been deleted.
Organisations should also be taking a more proactive approach to data ownership. What happens, for example, in the event of vendor failure? Or failure of the data centre provider? Is there any provision for restoring the data? Far better to look for a vendor that offers an option to back up the data on a regular basis to ensure continuous access to this key information in the event of disaster.
Some vendors do not offer this option; others limit the number of backups to, for example, once a month; others offer daily backups or a backup-on-demand service. It is important to determine in advance how often you want to back up your CRM data, and then look for a solution that does so.
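The article leaves the backup interval decision with the business, but the decision is only useful if somebody checks that exports actually arrive on schedule and are still intact. The following script is an added example, not code from the article or from Really Simple Systems: it takes a chosen interval and a manifest of CRM exports the business has pulled from its vendor, and reports whether the newest export is within that interval and whether its recorded SHA-256 digest still matches the file bytes. The manifest format, file names, timestamps and CSV contents are all constructed sample data.

```python
"""Check that the latest CRM data export is fresh enough and intact.

Added example, not from the original article. The export manifest
(ExportRecord) is a hypothetical structure; a real deployment would read
it from wherever the business stores its downloaded exports.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed reference time and a daily backup interval for the demo.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
DAILY = timedelta(days=1)


@dataclass(frozen=True)
class ExportRecord:
    """One export pulled from the CRM vendor (hypothetical manifest entry)."""
    name: str
    taken_at: datetime   # when the export was generated (UTC)
    sha256: str          # digest recorded when the export was downloaded
    content: bytes       # exported CSV bytes, embedded here so the demo runs offline


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def latest_export(records: list[ExportRecord]) -> ExportRecord | None:
    """Newest export by generation time, or None if the manifest is empty."""
    return max(records, key=lambda r: r.taken_at, default=None)


def check_backup(records: list[ExportRecord], interval: timedelta, now: datetime) -> dict:
    """Report whether the newest export is within `interval` and still matches its digest."""
    newest = latest_export(records)
    if newest is None:
        return {"status": "missing", "problems": ["no exports on record"]}
    age = now - newest.taken_at
    intact = sha256_hex(newest.content) == newest.sha256
    problems = []
    if age > interval:
        problems.append(f"stale: newest export is {age} old, chosen interval is {interval}")
    if not intact:
        problems.append("corrupt: recorded digest does not match file contents")
    return {
        "status": "ok" if not problems else "fail",
        "export": newest.name,
        "age_hours": age.total_seconds() / 3600,
        "intact": intact,
        "problems": problems,
    }


def build_sample_records(now: datetime) -> list[ExportRecord]:
    """Constructed manifest: an older export and a fresh one, both intact."""
    older = b"id,name,email\n"
    newer = b"id,name,email\n1,Sample Customer,sample@example.com\n"
    return [
        ExportRecord("crm-export-day1.csv", now - timedelta(days=3), sha256_hex(older), older),
        ExportRecord("crm-export-day3.csv", now - timedelta(hours=6), sha256_hex(newer), newer),
    ]


def tampered_records(now: datetime) -> list[ExportRecord]:
    """Same manifest, but the newest file's bytes no longer match the recorded digest."""
    records = build_sample_records(now)
    newest = latest_export(records)
    damaged = replace(newest, content=newest.content + b"2,Extra Row,extra@example.com\n")
    return [r for r in records if r is not newest] + [damaged]


if __name__ == "__main__":
    for label, recs, when in [
        ("healthy", build_sample_records(NOW), NOW),
        ("two days later", build_sample_records(NOW), NOW + timedelta(days=2)),
        ("tampered", tampered_records(NOW), NOW),
    ]:
        print(label, check_backup(recs, DAILY, when))
```

The digest comparison is what turns "we have a backup" into "we have a backup we could actually restore from"; scheduling this check at the same cadence as the chosen interval gives early warning if a vendor's export job silently stops.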
Taking the cloud-based CRM route makes commercial sense on many levels. But "out of sight" should never mean "out of mind". CRM information underpins business performance and business success. Companies are not only obliged to meet legal compliance requirements for secure information storage but they must proactively ensure that this critical information is securely stored, continuously available, and accessible.