In this blog we’ll discuss the forthcoming changes to the data privacy legislation and outline some of the implications for professional services firms.
We’re no strangers in the European Union to legislation governing data protection and data privacy. In the UK we’ve had such legislation since 1984, but the changes that are about to come into force have major implications for the way in which we use data for sales and marketing.
The objectives of the legislative changes, in addition to giving data subjects greater control over their data, are to:
- Reduce red tape
- Increase responsibility and accountability
- Ensure a consistent approach irrespective of the marketer's country of origin, avoiding the current situation in which there are 27 different state-specific data protection laws in the EU
- Introduce the right to data portability (i.e. the right to move your personal data from one provider to another), although this last objective is aimed more at consumer services providers
So what are the changes and how do they affect professional services firms?
The first change is that organisations wishing to process a subject’s data must now ask for explicit consent (where consent is already required) rather than assume that they have it.
For those professional services firms that use eMarketing a great deal, this has a number of implications.
Secondly, whilst providing an opt-out from all communications will continue to be best practice, firms should now build into their data management plans an exercise to gain explicit consent from their clients and contacts at least once a year. The same should be built into the process of taking on new clients, with clear statements describing how the firm intends to use clients’ personal data for marketing purposes and giving each client the opportunity to provide their explicit consent (or not, as the case may be).
Ease of Access to data
At present a small charge is levied for what is called a “subject access request” (whereby a person can request a copy of all the personal data that you hold on them). It is proposed that this fee will be dropped, and the expectation is that this will increase the number of requests for data from subjects.
Right to be forgotten
One of the most striking changes is the “Right to be forgotten”. Essentially this means that a subject now has the right to demand that their personal data be deleted if there are no “legitimate grounds” for that data to be held. This is particularly challenging for a professional services firm: because relationships with contacts can be spread so widely across the firm, the risk of deleting someone from a database is that someone else might add them again, unaware that the contact has been deleted. To that end, firms should include clear wording in their communications advising contacts that their basic data will be held purely for suppression purposes. Ultimately, however, the contact has the right to request that even this be deleted, so training for users of any system where data is held should include an explanation of the firm’s policy for managing this particular issue.
Data Protection Officer
It is proposed that all organisations with more than 250 staff must have a dedicated data protection officer. Although most firms already have someone with responsibility for data protection, this proposed change requires that the officer be dedicated to the role. The role would naturally fall under the remit of the CRM or database manager, but it will most likely have an impact on the workload of the data management team, which will have to be taken into consideration.
Non-EU Organisations
For those firms that have offices outside the EU, the proposed changes will apply equally to those offices if services are offered to EU citizens. This doesn’t remove the need to ask data subjects whether they consent to their data being processed outside the EU, but it means that global firms (with US offices, for example) will have to tighten up their intra-office data management policies where non-EU offices have access to, and use, EU data for marketing their services.
One of the most high-profile changes is the obligation on companies to report breaches in data security “as soon as possible”. The current feeling is that this will be defined as “within 24 hours”, although this is still being discussed, as it is often not clear to a company within that period that a breach has in fact occurred. The implication for professional services firms is that they should revisit their current data security and disaster recovery policies as soon as possible, to ensure that processes are in place to identify, manage and report data security breaches.
In future blogs we will delve more deeply into these issues as the debate on them develops.