What Is GDPR And How Will It Affect Professional Services Firms?
GDPR is the current favourite acronym of marketers everywhere, and for good reason.
It will affect every business in the EU and the way they work and look after data on their customers and suppliers. But what does GDPR stand for and what will it actually do to the way we store data?
GDPR stands for ‘General Data Protection Regulation’. It is the outcome of four years’ work by the European Union to modernise data protection law. Not only does it make data protection more stringent, it also applies uniformly across the entire EU: because it is a regulation rather than a directive it takes effect directly, without each member state having to pass its own legislation. It replaces the 1995 Data Protection Directive (95/46/EC), which in the UK was implemented by the Data Protection Act 1998.
It applies from 25th May 2018 to any organisation that processes personal data about individuals in the EU, including businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour.
So when it comes to the professional services industry how exactly will these new regulations affect your business and what can you do to become compliant?
Who does it affect?
GDPR isn’t something that your company can ignore: there are many ways a firm can fall out of compliance, and the fines can be huge.
Once GDPR comes into effect there will be a two-tiered system of fines. Lesser infringements (for example failing to keep adequate records or failing to notify a breach) carry a maximum fine of €10 million or 2% of the organisation’s total worldwide annual turnover, whichever is higher. More serious infringements (for example breaching the basic principles for processing, or individuals’ rights) can result in fines of up to €20 million or 4% of turnover, again whichever is higher. As you can see, it’s no laughing matter, and serious violations have the power to put firms out of business. A worrying statistic, given the above, is that only 36% of UK firms say they are already in compliance…
So, just how do you go about making your firm compliant for GDPR?
Before we get to how you can be compliant, it’s important to understand that there are two types of company roles that GDPR applies to: Data Controllers and Data Processors.
As stated in article 4 of the GDPR –
Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Work out which role your firm plays for each processing activity; a firm can be a controller for its own client and employee records and at the same time a processor for data it handles on behalf of a client. Remember, if you use an external agency that handles your data or your customers’ data, it is a processor with its own obligations under GDPR, and you as controller must have a written contract with it setting out what it may do with the data.
How to be compliant
Preparing for GDPR can be broken into a number of areas of work:
Awareness – The first step for any firm is to make sure that the key people in the firm know what GDPR is and why it is so important. They need to know how it affects the company and especially what the repercussions can be.
The information you hold – Unfortunately, GDPR isn’t something you can sort out in a day: it covers all the personal data you hold, not just customer records. Document what personal data you hold, where it came from, why you hold it, who you share it with and how long you keep it. If you have a CRM system this is easier than sorting through reams of documents and rows and rows of spreadsheets, but remember that mailboxes, shared drives and backups hold personal data too.
Individuals’ rights – Under GDPR, individuals have largely the same rights as they do under the current Data Protection Act, with some additions (notably the right to data portability and a stronger right to erasure) and much larger fines if they are not honoured. So, if you are already set up for the current DPA, it should be a reasonably smooth transition. Make sure you can cater for the following rights:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- The right not to be subject to automated decision-making, including profiling.
Consent – Consent is one of the lawful bases for holding and using someone’s data, and where you rely on it you must be able to show that you have it. There has to be a clear opt-in process and an equally easy opt-out for your customers. Consent under GDPR must be specific, granular (a separate choice for each purpose), clear, prominent, opt-in (no pre-ticked boxes, and silence does not count as agreement), properly documented (who consented, when, to what wording, and through which channel) and easily withdrawn.
How you do this depends on how your firm collects and uses data, but if it’s online then an unticked opt-in checkbox per purpose on website forms and a preference centre for email comms, where people can change or withdraw their choices, will help with compliance.
Subject access requests – Update your procedures for handling requests from individuals for a copy of the data you hold on them. Under GDPR you will normally have one month to respond (down from 40 days) and in most cases will no longer be able to charge the £10 fee. What you don’t want is for GDPR to come into force, requests to flood in, and nobody to know which process to follow or what format to send the data in. Decide now who handles requests, how you verify the requester’s identity, and how you will export the data in a commonly used, machine-readable format.
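The consent and subject access points above are easier to get right if consent is stored as an append-only log rather than a single yes/no flag. The following Python is an added example written for this page, not code from the original article or from the ICO; the purpose names, the consent_<purpose> form field names and the export layout are this example’s own assumptions. It records each opt-in and withdrawal with its timestamp, source and the wording the person saw, treats anything other than a ticked box as no consent, and produces a machine-readable export for an access or portability request from the same records.

```python
"""Append-only consent ledger (added example; names and layout are assumptions)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Each purpose needs its own opt-in (granular consent); unknown purposes are rejected.
PURPOSES = {"marketing_email", "marketing_sms", "analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool      # True = opt-in, False = withdrawal
    source: str        # where the choice was captured, e.g. "signup_form_v3" (assumed name)
    wording: str       # exact text shown to the person at the time
    recorded_at: str   # ISO-8601 UTC timestamp


class ConsentLedger:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._events: List[ConsentEvent] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, subject_id: str, purpose: str, granted: bool,
                source: str, wording: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = ConsentEvent(subject_id, purpose, granted, source, wording,
                             self._clock().isoformat())
        self._events.append(event)   # never overwritten: the history is the evidence
        return event

    def record_opt_in(self, subject_id: str, purpose: str, source: str, wording: str) -> ConsentEvent:
        return self._append(subject_id, purpose, True, source, wording)

    def withdraw(self, subject_id: str, purpose: str, source: str) -> ConsentEvent:
        return self._append(subject_id, purpose, False, source, "withdrawal")

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Default is no consent; only the most recent event for the purpose counts.
        latest = None
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        return bool(latest and latest.granted)

    def current_state(self, subject_id: str) -> Dict[str, bool]:
        return {p: self.has_consent(subject_id, p) for p in sorted(PURPOSES)}

    def export_subject(self, subject_id: str) -> dict:
        """Everything held about one person, for an access or portability request."""
        history = [asdict(e) for e in self._events if e.subject_id == subject_id]
        return {"subject_id": subject_id,
                "consent_state": self.current_state(subject_id),
                "consent_history": history}

    def export_subject_json(self, subject_id: str) -> str:
        return json.dumps(self.export_subject(subject_id), indent=2, sort_keys=True)

    def erase_subject(self, subject_id: str) -> int:
        """Erasure request: drop the person's records and return how many were removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        return before - len(self._events)


def form_submission_to_events(ledger: ConsentLedger, subject_id: str,
                              form: Dict[str, str], source: str) -> List[ConsentEvent]:
    """Turn an HTML form POST into ledger events.

    Only a checkbox that was actually ticked (browsers send "on") counts as consent.
    Absent or unticked boxes record nothing, so the default stays "no consent".
    Field names consent_<purpose> and consent_<purpose>_text are assumed.
    """
    recorded = []
    for purpose in sorted(PURPOSES):
        if form.get(f"consent_{purpose}") == "on":
            wording = form.get(f"consent_{purpose}_text", "")
            recorded.append(ledger.record_opt_in(subject_id, purpose, source, wording))
    return recorded


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample submission: email ticked, analytics present but unticked.
    submission = {"consent_marketing_email": "on",
                  "consent_marketing_email_text": "Email me about new services",
                  "consent_analytics": ""}
    form_submission_to_events(ledger, "client-42", submission, "signup_form_v3")
    ledger.withdraw("client-42", "marketing_email", "preference_centre")
    print(ledger.export_subject_json("client-42"))
```

Because every change is a new event, the export doubles as the audit trail showing when consent was given, under what wording, and when it was withdrawn, which is what you need to demonstrate compliance if challenged. In a real system the ledger would be persisted and identity of the requester verified before export or erasure.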
Data breaches – Data breaches can happen at any time, whether caused internally or externally. Some firms are already required to notify the ICO (the Information Commissioner’s Office) when there has been a data breach. From 25th May 2018 every organisation must notify the ICO of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, within 72 hours of becoming aware of it, and must tell the affected individuals directly where that risk is high.
Again, this is about putting the right procedures in place to detect, report and investigate breaches, and to keep a record of every breach, including those you decide do not need reporting.
Data protection officer – GDPR requires a formally designated data protection officer only in certain cases: public authorities, and organisations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data (such as health data) or criminal conviction data. Even where it isn’t required, the ICO recommends designating someone to take responsibility for data protection, whether as a formal position or as an extra responsibility someone takes on. Having a named person accountable makes it far less likely that breaches, procedures and compliance issues are missed.
Prepare sooner rather than later
GDPR is complex and it’s definitely worth reading the full ICO guidance on their website. Of course, there are still a lot of grey areas around GDPR, and it remains to be seen how the ICO will interpret and enforce it in its first few years. But it’s always better to prepare now, before it comes into effect, than to be left in the lurch or fall out of compliance.