Customer Relationship Management (CRM) Systems
From a data protection perspective, when using CRM systems it is important to ensure that a working role and authorisation concept is in place, in accordance with the principle of integrity and confidentiality (Art. 5 para. 1 lit. f) and Art. 32 para. 1 lit. b) GDPR) and with the so-called need-to-know principle.
Only those persons who directly need customer data to fulfil a specific task may have access to it. Unauthorised persons must not be able to access this data.
A comprehensive role and authorisation concept specifies who is authorised, for example, to read, change or delete personal data.
The more sensitive the personal data (e.g. data on political opinions or health data), the more finely differentiated and the stricter the role and authorisation concept should be.
The role and authorisation concept should also contain substitution rules. A substitute should belong to the same department, work at the same hierarchical level (so that the substitution is legally sound) and have the same professional competence.
If employees change departments or leave the company, for example, their authorisations must be adjusted immediately; on departure they must be revoked entirely.
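The rules above can be expressed as an access-control model and checked mechanically. The following Python is an added example, not part of the original guidance or of any particular CRM product: departments, roles, hierarchy levels, employees and the sample records are all constructed for illustration. It scopes authorisations to a department (need-to-know), requires a separate grant for special-category data, validates substitutes against the same-department, same-level and same-competence conditions, and withdraws all authorisations at once on transfer or departure.

```python
"""Added example (not part of the original guidance): a minimal role and
authorisation model for a CRM. Departments, roles, employees and records
below are constructed for illustration only.
"""
from dataclasses import dataclass, field

READ, CHANGE, DELETE = "read", "change", "delete"
NORMAL, SPECIAL = "normal", "special"  # SPECIAL: e.g. health data, political opinions

@dataclass(frozen=True)
class Role:
    name: str
    department: str         # a role is bound to exactly one department
    permissions: frozenset  # allowed (action, sensitivity) pairs

@dataclass
class Employee:
    emp_id: str
    department: str
    level: int                               # hierarchy level; substitutes must match it
    qualifications: frozenset = frozenset()  # professional competences, e.g. {"health"}
    roles: set = field(default_factory=set)
    active: bool = True

@dataclass(frozen=True)
class Record:
    department: str   # department responsible for this customer
    sensitivity: str  # NORMAL or SPECIAL

class AuthorisationConcept:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.employees = {}
        self.substitutes = {}  # absent employee id -> appointed substitute id

    def add_employee(self, emp):
        self.employees[emp.emp_id] = emp

    def assign_role(self, emp_id, role_name):
        emp, role = self.employees[emp_id], self.roles[role_name]
        if role.department != emp.department:  # need-to-know: no cross-department grants
            raise PermissionError(f"{role_name} is not a {emp.department} role")
        emp.roles.add(role_name)

    def appoint_substitute(self, absent_id, substitute_id):
        absent, sub = self.employees[absent_id], self.employees[substitute_id]
        # Substitution rules: same department, same level, same professional competence.
        if absent.department != sub.department or absent.level != sub.level or not sub.active:
            raise ValueError("substitute must be an active colleague in the same department at the same level")
        if not absent.qualifications <= sub.qualifications:
            raise ValueError("substitute lacks the required professional competence")
        self.substitutes[absent_id] = substitute_id

    def _own_permission(self, emp, action, record):
        if not emp.active or record.department != emp.department:
            return False
        return any((action, record.sensitivity) in self.roles[r].permissions
                   for r in emp.roles)

    def is_allowed(self, emp_id, action, record):
        emp = self.employees.get(emp_id)
        if emp is None or not emp.active:
            return False
        if self._own_permission(emp, action, record):
            return True
        # As substitute, inherit exactly what the absent colleague may do, nothing more.
        return any(self._own_permission(self.employees[absent], action, record)
                   for absent, sub in self.substitutes.items() if sub == emp_id)

    def _revoke_all(self, emp_id):
        self.employees[emp_id].roles.clear()
        self.substitutes = {a: s for a, s in self.substitutes.items()
                            if emp_id not in (a, s)}

    def transfer(self, emp_id, new_department):
        # Department change: every old authorisation is withdrawn immediately.
        self._revoke_all(emp_id)
        self.employees[emp_id].department = new_department

    def terminate(self, emp_id):
        self._revoke_all(emp_id)
        self.employees[emp_id].active = False

def build_demo():
    """Constructed sample tenant: a sales team and an insurance case team."""
    normal = {(READ, NORMAL), (CHANGE, NORMAL)}
    special = normal | {(READ, SPECIAL), (CHANGE, SPECIAL)}
    concept = AuthorisationConcept([
        Role("sales_agent", "sales", frozenset(normal)),
        Role("sales_data_steward", "sales", frozenset(normal | {(DELETE, NORMAL)})),
        Role("insurance_case_manager", "insurance", frozenset(special)),
    ])
    for emp in (Employee("alice", "sales", 1), Employee("bob", "sales", 1),
                Employee("carol", "sales", 2),
                Employee("dave", "insurance", 1, frozenset({"health"}))):
        concept.add_employee(emp)
    concept.assign_role("alice", "sales_agent")
    concept.assign_role("carol", "sales_data_steward")
    concept.assign_role("dave", "insurance_case_manager")
    return concept
```

In the sample tenant, only the data steward role carries the delete authorisation, and only the insurance role may touch special-category data; a sales agent cannot read an insurance customer's record at all, because the need-to-know check is made on the record's responsible department before any role is consulted. A substitute gains nothing of their own: the check re-runs the absent colleague's authorisation, so a substitute for an agent still cannot delete. Calling `transfer` or `terminate` clears roles and all substitution entries in one step, which is what "immediately" has to mean in practice.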