Role-Based CRM: Securing Customer Privacy

Secure Systems

A role-based security plan for your company's Customer Relationship Management (CRM) software needs to fit in with larger company guidelines dictating customer privacy. Companies need to map existing business processes and compliance requirements and adopt current practices as a starting point.

In a CRM database, each record has numerous fields that may include confidential information, not just about your customers, but also about your sales team and business operations. In the B2C world of selling to consumers, confidential customer information often includes personal information, credit card details, and home addresses. In the B2B world, confidential information can include purchase histories that represent millions of pounds in sales, as well as potentially confidential information about your sales team, like sales commissions, sales goals, and a multitude of other strategic details.

The benefit of gathering so much information in a single database is that it can give a crystal-clear image of each customer's relationship with your company, both in terms of past behaviour and potential future actions. But is it such a good idea to allow full access for everyone who uses your CRM database, from sales reps to support personnel, consultants and warehouse workers, all the way up to your C-Level executives? Certainly not.

Sometimes it's not good business for colleagues to see each other's commission information. Or perhaps it creates a security risk for consultants to have access to all customer data if they could also be working for a competitor. Even in-house staff can be a major cause for concern. It has not been uncommon in previous years for companies to see their customer records "transported" to another firm when a disgruntled employee leaves.

Ensuring that customer records have some measure of privacy doesn't mean shutting users out completely, or forcing them to ask permission every time they use the system. Instead, creating a role-based structure can keep privacy controls in place without sacrificing productivity. 

Role Playing

Role-based security is fairly straightforward as a concept. Basically, an administrator blocks out or allows information viewing based on the user's role or function within the organisation. Working with a role-based security process involves setting permissions for different users to ensure that each person only has access to information that is essential or appropriate for their position. For example, a company may decide to let only senior-level marketing executives see specific customer data that's tied to a recent campaign. Or they could release sales commission notes to the vice president of sales and no one else. 

The role-based function could be deepened by limiting access based on other factors like geography so that reps would only see the records within their particular region. Or just certain fields could be blocked, letting users view nearly all of a record without having to ask to see the relevant data.
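The role, region and field restrictions described above can be expressed as a deny-by-default filter. This is an added example, not code from the original article or from any CRM product; the role names, field names and sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy: the fields each role may read. Unlisted fields are denied.
ROLE_FIELDS = {
    "sales_rep":    {"name", "region", "phone", "purchase_history"},
    "support":      {"name", "region", "phone"},
    "marketing_sr": {"name", "region", "campaign_response"},
    "vp_sales":     {"name", "region", "phone", "purchase_history",
                     "commission_notes"},
}
# Roles that only see records in their own region (row-level restriction).
REGION_SCOPED = {"sales_rep", "support"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    region: str

def visible_records(user, records):
    """Filter rows by region, then reduce each row to the role's allowed fields."""
    allowed = ROLE_FIELDS.get(user.role, set())  # unknown role sees nothing
    view = []
    for rec in records:
        if user.role in REGION_SCOPED and rec.get("region") != user.region:
            continue  # outside the user's territory
        row = {k: v for k, v in rec.items() if k in allowed}
        if row:
            view.append(row)
    return view

# Constructed sample records (not real customer data).
RECORDS = [
    {"name": "Acme Ltd", "region": "north", "phone": "01632 960001",
     "purchase_history": "GBP 1.2m", "campaign_response": "opened",
     "commission_notes": "4% to J. Smith"},
    {"name": "Borealis plc", "region": "south", "phone": "01632 960002",
     "purchase_history": "GBP 3.4m", "campaign_response": "none",
     "commission_notes": "6% to A. Patel"},
]

if __name__ == "__main__":
    for u in (User("rep", "sales_rep", "north"), User("vp", "vp_sales", "hq"),
              User("temp", "consultant", "north")):
        print(u.role, visible_records(u, RECORDS))
```

The consultant role is absent from the policy, so it receives an empty view rather than falling back to full access.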

This type of functionality is embedded into CRM applications, but it's up to each company using the software to tweak the settings so they are appropriate. Simply creating a block against transferring data or emailing records falls far short of what's needed.

Tailor Shop

How a company chooses to limit its record viewing will depend on a number of factors, including the company culture. Some companies are very open with their systems. They can have a transparent data-sharing model, and that extends not just to employees, but to customers. Those who prefer to eschew role-based security often say that such measures would hinder collaboration. If the sales team can see some parts of a record while the marketing department cannot, for instance, a discussion might be hampered by the restriction. 

The key here is to have clear guidelines and a configuration that restricts information in a way that makes sense. Other companies might opt for role-based security simply to prevent information overload among reps.

Sometimes, less information really does help people be more productive. An example is an online shopping site where a viewer might be bombarded by product data even if they're just looking for some basic information such as the company address or phone number.

It's easy to get distracted with more information. Role-based security doesn't only help with privacy; it actually gives people only what they need to get the job done, more quickly and efficiently.

Feeling Flexible

Implementing role-based security isn't much of an administration hassle; it simply involves setting up certain rules in the system. We would recommend that a single administrator have ultimate authority for the management of requests and changes, rather than giving the ability to numerous department heads. 

It is also important to make sure the system can handle the security in a way that's flexible. The roles that are put in place for the CRM application should be able to extend to other applications as well. For example, an administrator should make sure that a user can't circumvent security controls by accessing the data through a digital window rather than the standard door. 

Flexibility and security also relate to how data is entered, and to making sure that reps and other employees are entering information properly. Quickly uploading data and then planning to slot it into the right fields later can be a problem. Data that would be restricted when it's in the correct field can be viewed if it is simply dropped into a general field like 'notes'!

In general, role-based security should fit in with larger company guidelines dictating customer privacy, allowing companies to map existing business processes and compliance requirements and adopt current practices as a starting point. From there, management is likely to see its privacy initiatives in a new way.