The Regulatory Landscape
GDPR (EU, in force). CPRA (California, enforcement ongoing). PDPA (Singapore, India). CCPA/CPRA expanding. Brazil LGPD. Plus AI Act overlaying AI-specific rules. Enterprise CRM sits at the intersection.
Consent Management
Granular consent per data use. Unsubscribe respect. AI-training use requires explicit consent in most jurisdictions. Consent stores (OneTrust, Iubenda) integrate with CRM as source of truth.
Data Subject Rights
Access, rectification, erasure, portability, objection. CRM must support all. Erasure is the hard one — cascading across integrations, backups, analytics, AI training corpora.
AI Act Intersection
Automated decisioning affecting rights triggers AI Act overlay on top of GDPR Article 22. Document human oversight. Enable appeal paths. If your CRM’s AI makes credit or hiring decisions, you’re in Annex III territory.