How to Make Your CRM GDPR-Compliant (Dubsado Included)

Disclaimer: I'm not an attorney and the information outlined in this post should not substitute legal advice.

What is GDPR?

In simple terms, it's a European Union regulation created to give internet users more control over what data they share with the world.

It requires websites and apps to be transparent with how they collect user information and what they do with it.

Pretty much everything you do on the internet is tracked, and data is collected in some way. Ever wonder why you search for something like "best mattress" and suddenly all of the advertisements you see are for sleep-related products?

That's because sites like Facebook and Google collect data on your behavior. They then sell advertising space to companies who want to target certain users -- and you agreed to that when you used those sites whether or not you were aware of it.

When you go onto a website or use an application embedded in a website, you are complying with that site’s Terms of Use. However, many people are unaware that they are supplying sites with data, or unaware of what/how much data they are giving.

GDPR is designed to give users more explicit control and awareness of the data they share.

Does GDPR affect you?

In your business, you likely use an array of tools that collect personal information. If you use email marketing software, use Google Analytics, have the Facebook Pixel installed on your site, etc., you are collecting personal information.

If anyone from the European Union goes to your site, you’ll need to comply with GDPR to keep trouble at bay.

GDPR also applies to all information you collect over the internet. That means you need to make the software applications your users interact with compliant as well.

Find out which countries currently belong to the European Union here.

Do I need to make my CRM GDPR-friendly?

It depends.

If you have a local business located outside of the EU, you probably don't need to worry about making your CRM GDPR-compliant.

For example, if you are a wedding photographer, you probably shoot photos in your local region only. You wouldn't have clients from the EU, except for the off-chance a couple wanted a destination wedding in your area.

Now, if you're someone who works remotely, you could have clients from anywhere. This could apply to stationers, designers, virtual assistants, etc. This applies to people like me. I offer consulting and Dubsado CRM setup services and it’s all done virtually. 

That means my clients can come from anywhere in the world.

Essentially, if anyone from the EU could interact with your CRM account, you will want to make it GDPR-compliant.

If you need more help with compliance, you can check out these resources from The Contract Shop:

What parts of my CRM collect personal information?

Services like 17Hats, Honeybook, Dubsado, and Bonsai are popular CRMs among creatives that have many of the same core features.

Here are three common places you might collect personal information in these tools:

  1. Contact forms

  2. Questionnaires

  3. Proposals

Simply ask yourself, “Where do I collect private information?” to use as a gauge. Those are the places you’ll need to comply.

Collecting Information in Dubsado

Lead Captures are your contact forms, so you will always collect some kind of personal information here. An email address counts as personal information.

When a lead fills out your lead capture, do you put them on your email list? Are they aware they will be receiving marketing emails from you when they fill out your lead capture? With GDPR, they need to provide consent.

In Dubsado's questionnaires and proposals, you also have the option to ask questions. If that's the case, you are collecting personal information.

To be clear, you might not collect personal information in questionnaires or proposals, depending on how you have things set up. You might also collect info in other areas, so that's something to think about.

How to make your CRM GDPR-compliant

You can do this by stating what you do with the information you collect and then asking users to verify consent.

Consent is often given with a checkbox. You’ve seen something similar before when signing up for new accounts: "By submitting this form, you agree to the terms and conditions…"

Check with your legal counsel to see what language they suggest for your consent boxes. You will likely need to be more explicit with how you use information.

Side note: Work with your attorney to see what you should do when users don't consent.

How to Make Dubsado GDPR-Friendly

To make Dubsado GDPR-friendly, you can add consent boxes in the form of a checkbox or a yes/no question.

Note: You'll want to make the consent boxes a "required" field. This means your clients won't be able to submit a form without explicitly giving consent. This is to ensure you're always covered.

Watch the video below to learn how to add consent boxes to any form in Dubsado. This will work for all forms, including lead captures, questionnaires, and proposals. In this video, you'll also see how to make the consent box a "required" field.

It's really that easy to make your CRM GDPR-friendly.

Hopefully this article eliminated some of the GDPR questions you may have had.

Did you realize GDPR affects more than just your website? Share in the comments below.

Think Dubsado’s the CRM for you? Take it for a free 3-client test run here. You can use my affiliate link “productiveco” when you sign up to get 20% off when your trial expires.


This post may contain affiliate links to products I recommend. I may receive a commission at no extra cost to you. Read my disclosure for more info.
