Well, for starters, let's figure out what kind of data you will collect.
For example, full name + phone number.
Name - this is something that needs to be protected.
However, if the data is processed for the purpose of fulfilling the Agreement, a separate consent, for example, is not required.
Therefore, first you determine what data and how you will process it, enter this happiness directly into the Agreement (in fact, it is likely that they will already be there) and add something like “informing about new goods and services” to the Agreement, and this will give the right from time to time time to call.
In general, this is everything.
But this is the case if you are doing business from scratch. If you used to do business in Google doc (conditionally), but now you decide to implement ERP, re-read the documentation that is available. Probably, you don’t need to do anything at all (almost always there are general phrases about automated processing and storage methods ), or write the name of your ERP next to it (in most cases, you don’t need to certify it).
MOST IMPORTANT: do at least something superficially, do not score. In this scenario, in the event of a check, there will be a requirement for a fix, and not a suspension.

Processing of personal data - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of data (Article 3 of the Personal Data Law).
The Personal Data Act obliges the employer to comply with certain requirements for the processing of this data. For example, the processing of personal data is carried out only with the consent of the employee (clause 1, article 6, article 9 of the Law on Personal Data). In order to avoid litigation, it is better if this consent is in writing. The same rule applies to applicants.
In some cases, the written form of consent is expressly provided for by law (Part 4, Article 9 of the Law on Personal Data). For example, the employee's written consent to the processing of his personal data is required:
1) upon receipt of the employee's personal data from a third party (clause 3, article 86 of the Labor Code of the Russian Federation). But in this case, the employee must first be notified of this and obtain his written consent (clause 3, article 86 of the Labor Code of the Russian Federation).
The notification must indicate (clause 3 of article 86 of the Labor Code of the Russian Federation):

• the purpose of obtaining personal data of the employee from a third party;
  
• intended sources of information (persons from whom data will be requested);
  
• methods of obtaining data, their nature;
  
• possible consequences of the employer's refusal to obtain the employee's personal data from a third party.