
How do CRMs handle GDPR?

Reputable CRMs handle GDPR through data processing agreements (DPAs), tooling for access and erasure requests, and EU region hosting options. For a US contractor serving only US customers, GDPR generally doesn't apply. If you serve customers in the EU or run ads targeting EU markets, it does. This post covers the basics.

Who GDPR actually applies to

GDPR applies to businesses established in the EU, and to businesses anywhere else that offer goods or services to people in the EU or monitor their behaviour there (Article 3). It protects people located in the EU, not EU citizens wherever they happen to be: a US contractor who takes one job for an EU citizen vacationing in Florida is not, by that fact alone, in scope. What pulls a US business in is targeting: quoting or billing in euros, running ads aimed at EU countries, shipping or travelling to EU addresses, or tracking visitors from the EU. If you're a US-only contractor with no EU customers and no EU ad targeting, GDPR is unlikely to affect you. If you have that kind of EU exposure, it does, and enforcement has in practice focused on businesses with substantial EU traffic or marketing.

The Data Processing Agreement

Under GDPR, you (the data controller) and your CRM vendor (the data processor) must have a DPA, a contract required by Article 28 that specifies what the vendor may do with your customer data, its confidentiality and security obligations, the sub-processors it uses, and how it helps you answer access and erasure requests. Reputable CRMs publish a standard DPA for download or e-signature. If you're processing EU data, sign it and keep a copy. If the CRM doesn't offer a DPA, that's a sign it isn't built for GDPR scope and you should reconsider. Most US-focused CRMs offer one as a courtesy even when not required.

Right to access and delete

Two GDPR rights affect CRM operations directly. Right of access (Article 15): an EU customer can request a copy of all personal data you hold on them. Your CRM needs to export that customer's record on demand, including notes, call logs, and attachments, not just the contact card. Right to erasure (Article 17): an EU customer can request that you delete their data. Your CRM needs a delete function that actually removes the record rather than flagging it as hidden, and you should ask how long deleted data persists in backups. Erasure is not absolute: records you must keep under other law, such as issued invoices retained for tax purposes, can be kept, but they should be reduced to what that obligation requires. Both kinds of request must normally be answered within one month. Most modern CRMs support both, but verify before you sign up if the EU is in scope for you.
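The check that matters here is whether "delete" leaves the person's data behind anywhere. The following is an added example, not Lowkly's code or any CRM vendor's: it uses a constructed three-table SQLite schema (customers, notes, invoices) and constructed sample rows as stand-ins. It exports everything held on one subject for an access request, then contrasts a soft delete (a `deleted_at` flag, the common "hide it" implementation) with a real erasure that hard-deletes what can go and pseudonymises the invoice that has to be retained. A scan over every text column of every table acts as the verification step; the soft delete fails it, the erasure passes it.

```python
import sqlite3

# Constructed toy schema that stands in for a CRM's storage. It is an assumption
# for this example, not any vendor's real schema.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
                        deleted_at TEXT);
CREATE TABLE notes     (id INTEGER PRIMARY KEY, customer_id INTEGER, body TEXT);
CREATE TABLE invoices  (id INTEGER PRIMARY KEY, customer_id INTEGER, bill_to_name TEXT,
                        amount_cents INTEGER, issued_on TEXT);
"""

SUBJECT_NAME = "Anna Berg"               # constructed sample data subject
SUBJECT_EMAIL = "anna.berg@example.eu"


def new_crm():
    """Return an in-memory CRM populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, ?, ?, '+49 30 1234567', NULL)",
                 (SUBJECT_NAME, SUBJECT_EMAIL))
    conn.execute("INSERT INTO customers VALUES (2, 'Bob Lee', 'bob@example.com', '+1 555 0100', NULL)")
    conn.executemany("INSERT INTO notes (customer_id, body) VALUES (?, ?)", [
        (1, "Quoted deck rebuild; follow up at " + SUBJECT_EMAIL),  # PII hiding in free text
        (1, "Prefers morning calls"),
        (2, "Paid on time"),
    ])
    conn.execute("INSERT INTO invoices (customer_id, bill_to_name, amount_cents, issued_on) "
                 "VALUES (1, ?, 480000, '2024-03-02')", (SUBJECT_NAME,))
    conn.commit()
    return conn


def export_subject(conn, email):
    """Right of access: collect every row about the subject, not just the contact card."""
    cust = conn.execute("SELECT * FROM customers WHERE email = ?", (email,)).fetchone()
    if cust is None:
        return None
    cid = cust["id"]
    return {
        "customer": dict(cust),
        "notes": [dict(r) for r in conn.execute("SELECT * FROM notes WHERE customer_id = ?", (cid,))],
        "invoices": [dict(r) for r in conn.execute("SELECT * FROM invoices WHERE customer_id = ?", (cid,))],
    }


def soft_delete(conn, cid):
    """The 'hide it' delete many systems ship: the row stays, only a flag changes."""
    conn.execute("UPDATE customers SET deleted_at = datetime('now') WHERE id = ?", (cid,))
    conn.commit()


def erase_subject(conn, cid):
    """Right to erasure: hard-delete what can go, pseudonymise what must be retained.
    Invoices are kept for the tax-record obligation but stripped of the name and
    unlinked from the customer."""
    conn.execute("DELETE FROM notes WHERE customer_id = ?", (cid,))
    conn.execute("UPDATE invoices SET bill_to_name = '[erased]', customer_id = NULL "
                 "WHERE customer_id = ?", (cid,))
    conn.execute("DELETE FROM customers WHERE id = ?", (cid,))
    conn.commit()


def residual_references(conn, *identifiers):
    """Verification step: scan every text column of every table for the subject's
    identifiers. Returns (table, column) pairs that still contain any of them."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col in row.keys():
                value = row[col]
                if isinstance(value, str) and any(ident in value for ident in identifiers):
                    hits.append((table, col))
    return hits


def demo():
    """Run the access export, then compare a soft delete with a real erasure."""
    conn = new_crm()
    export = export_subject(conn, SUBJECT_EMAIL)
    soft_delete(conn, 1)
    after_soft = residual_references(conn, SUBJECT_NAME, SUBJECT_EMAIL)
    erase_subject(conn, 1)
    after_erase = residual_references(conn, SUBJECT_NAME, SUBJECT_EMAIL)
    invoices_kept = conn.execute("SELECT COUNT(*) FROM invoices").fetchone()[0]
    return export, after_soft, after_erase, invoices_kept


if __name__ == "__main__":
    export, after_soft, after_erase, kept = demo()
    print("exported notes:", len(export["notes"]), "invoices:", len(export["invoices"]))
    print("still present after soft delete:", after_soft)
    print("still present after erasure:", after_erase, "| invoices retained:", kept)
```

The column scan is deliberately dumb: it searches free-text fields too, which is where customer data tends to survive a "delete" (the note that repeats the email address). When evaluating a real CRM you can't run this against its database, but you can do the equivalent through its API: export the record, delete it, then search for the name and email and confirm nothing comes back.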

EU data residency and transfers

GDPR restricts transfers of EU personal data outside the European Economic Area. Some CRMs let you choose EU-region hosting at signup (on AWS, for example, eu-west-1 in Ireland or eu-central-1 in Frankfurt instead of us-east-1 in Virginia). Others process everything in the US, which is allowed only under a recognised transfer mechanism: Standard Contractual Clauses (usually bundled into the DPA) or the vendor's certification under the EU-US Data Privacy Framework. EU hosting alone doesn't settle the question if the vendor's US-based support or engineering staff can access the data, so ask both where the data is stored and who can reach it. If you have meaningful EU exposure, ask for EU hosting. If you don't, US hosting under a DPA that includes SCCs is typically sufficient for incidental EU records.

Bottom line

GDPR affects your CRM if you process data about customers in the EU. Sign the DPA, confirm the CRM can export a customer's full record and genuinely erase it, and choose EU hosting if your EU customer base is substantial.

See it in 15 minutes.

Walk through Lowkly with someone from our team — quotes, invoices, scheduling, the whole thing.

Book a Call