GDPR compliance in Zoho is mostly configuration, not custom code. Three features ship in every edition above Standard, and most teams never turn them on.
Step 1: Enable the Compliance Settings
Setup -> Users and Control -> Compliance Settings. Toggle:
- Compliance Settings = ON.
- Default Lawful Basis (Consent / Contract / Legal Obligation / Legitimate Interest).
- Modules to track (start with Leads, Contacts, Deals).
This adds a Compliance section to every record with a “Data Processing Basis” field and consent timestamps.
Step 2: Capture Lawful Basis on Entry
Web Forms can write the lawful basis directly. Add a hidden field tied to Data_Processing_Basis and set it based on form context:
Demo request form -> Contract (pre-contract steps)
Newsletter signup -> Consent
Customer support form -> Legitimate Interest
Without this, every lead inherits your global default and you cannot show which lawful basis actually applied to which record, so mixed handling is indefensible.
Step 3: The Right-to-Be-Forgotten Workflow
Zoho ships a native “Erase Personal Data” action. Wire a Blueprint or Approval flow around it so:
- Customer request lands in a queue.
- DPO reviews within 30 days.
- On approval, the action runs across CRM, Desk, Books, and Marketing apps.
- Audit log records the deletion.
Don’t let reps run the erase action ad-hoc — it’s irreversible and you need the audit trail.
Step 4: Consent Refresh Reminders
Consent isn’t permanent. Add a workflow that flags contacts whose consent is older than your policy (typically 24 months) and routes them into a re-consent campaign in Zoho Campaigns. Without this, you’ll be marketing on stale consent and not know it.
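As an added example (not Zoho's own code or a Deluge script), the consent-age check in Python over a constructed contact export: Data_Processing_Basis is the field the page names, Consent_Date is an assumed name for the consent timestamp, and the example also skips contacts held on a basis other than Consent, since only consent-based processing needs refreshing.

```python
from datetime import datetime, timedelta

# Policy from the page: consent older than 24 months needs refreshing.
CONSENT_MAX_AGE_DAYS = 730

# Constructed sample records standing in for a Zoho CRM Contacts export.
# Data_Processing_Basis is the field the page names; Consent_Date is an
# assumed column name for the consent timestamp the Compliance section stores.
SAMPLE_CONTACTS = [
    {"id": "c1", "Data_Processing_Basis": "Consent",
     "Consent_Date": "2022-01-15T10:00:00Z"},
    {"id": "c2", "Data_Processing_Basis": "Consent",
     "Consent_Date": "2025-06-01T09:30:00Z"},
    {"id": "c3", "Data_Processing_Basis": "Contract",
     "Consent_Date": "2021-03-03T12:00:00Z"},
    {"id": "c4", "Data_Processing_Basis": "Consent",
     "Consent_Date": None},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp (trailing 'Z' allowed); None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_consent(contacts, now_iso, max_age_days=CONSENT_MAX_AGE_DAYS):
    """Split Consent-basis contacts into those needing re-consent.

    Returns (stale_ids, missing_ids): stale = consent older than the policy,
    missing = no consent timestamp at all (must not be marketed to either).
    Contacts on another lawful basis are skipped: consent expiry does not
    apply to Contract, Legal Obligation or Legitimate Interest processing.
    """
    now = parse_ts(now_iso)
    max_age = timedelta(days=max_age_days)
    stale, missing = [], []
    for contact in contacts:
        if contact.get("Data_Processing_Basis") != "Consent":
            continue
        consented_at = parse_ts(contact.get("Consent_Date"))
        if consented_at is None:
            missing.append(contact["id"])
        elif now - consented_at > max_age:
            stale.append(contact["id"])
    return stale, missing


if __name__ == "__main__":
    # Fixed "now" so the sample run is reproducible.
    stale, missing = classify_consent(SAMPLE_CONTACTS, "2025-09-01T00:00:00Z")
    print("route to re-consent campaign:", stale)
    print("no recorded consent, block marketing:", missing)
```

The "missing" list is the case teams forget: a Consent-basis contact with no timestamp cannot be marketed to at all, so route it into the re-consent campaign rather than leaving it in the active list.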
Step 5: Sub-Processor List in Your Privacy Policy
Pull Zoho’s data-centre-specific (DC-specific) sub-processor list at least quarterly. Add it to your privacy policy via a public link. GDPR requires you to inform users when sub-processors change — Zoho updates the list, you update your reference.
DSAR Export
Zoho’s “Data Subject Access Request” export bundles a contact’s data across CRM modules into a downloadable archive. Test it once before you need it — the file format and what’s included surprise people the first time.
What to Do This Week
- Turn on Compliance Settings if it’s off.
- Add lawful-basis hidden fields to every web form.
- Build the right-to-erase Approval flow.
- Run a test DSAR export against your own contact record.