The General Data Protection Regulation (GDPR) has been in effect for over a year, and for Professional Service firms there's more to compliance and effective data management than sending a marketing consent email.
The GDPR came into effect on 25th May 2018, bringing with it the threat of waves of multi-million dollar fines and a looming spectre of potential reputational ruin for global businesses.
After the legislation was adopted by European Parliament in April 2016, member countries and global businesses had two full years to prepare in the lead up to its commencement.
Contrary to anticipation, the GDPR hasn't quite had an immediate, wide-reaching, catastrophic impact.
For Professional Services in 2019, the focus is firstly on maintaining information management that is organised and transparent.
Secondly, the main users of your information systems are using them in better ways when prospecting for and managing your clients, making your business a compelling option for prospective clients.
Becoming GDPR compliant starts with a sound Information Management strategy and building a detailed resource to become a pillar of your company.
Psst, we’re giving you a head start with this template we built:
The fear surrounding the GDPR as an information-centric law has quietened since May 2018. Today, we are solidly within the sphere of implementation: better practice has been put in place, but it now requires maintenance.
By accident or intention, some firms will neglect to maintain good practice from here on in; the firms that commit to best practice for information management are the ones who will succeed at a level above all others.
Approximately three out of four people are fine with a company collecting their data.
Whether it's for marketing or client engagement, this statistic feels contrary to the uneasy or negative sentiment towards the GDPR and similar laws (e.g. the Privacy Amendment (Notifiable Data Breaches) Act 2017 in Australia) of less than two years ago.
The individuals or end users who become your clients are still willing to consent to having their data collected and processed. The difference is that they are more aware than ever of how companies value it and must secure it.
With the clarity of a year, the focus of GDPR compliance is on Information Management, as opposed to frantically trying to avoid a €20 million penalty.
For Professional Services, this means a greater responsibility not only to protect the information they hold, but also to structure it better to strengthen their compliance.
For a business like yours, better management creates the opportunity to improve services; all the work your business has put towards the GDPR (or any compliance legislation) gives it a feasible starting point.
It's time to stop thinking of the GDPR as just another piece of compliance legislation and see it as one which simply stipulates accountable information management.
A year on, some challenges have remained and some have evolved:
It's no secret that resourcing is a recurring challenge for any business, even more so in relation to GDPR compliance. Finding suitable people to do compliance work, either internally or as contractors, is particularly challenging. Aligning schedules, approaches, budgets and task delegation are just some of the sore points for big data firms who are processors and/or controllers.
The demand for experienced privacy professionals is increasing, and this is unlikely to change.
There's still a significant risk that your firm can haemorrhage money to people who don't fully understand its long-term goals.
This is the apex of all GDPR/compliance legislation challenges. The core of the GDPR's purpose is to change how organisations use the data they collect and how proactive they are about information management.
Businesses are held accountable for their processes and behaviour against this legislation. This impacts not only client data but employee data too: tax file or VAT numbers, contact details, financial details.
Penalties still carry panic. If your board, senior leaders or IT team fear company-ending penalties, there is now a year of contextual data at hand.
Monitoring the rulings and penalties issued by your national information authority is the most realistic way of managing (or mobilising) levels of fear or concern at your firm. In Australia, this is the Office of the Australian Information Commissioner (OAIC).
The commencement of the GDPR has brought in some interesting initial results.
The last year has seen the first few GDPR violation penalties issued.
European watchdogs are classing the first year as a 'warm-up'.
In January 2019 Google was fined €50 million by the French Information Commission (CNIL), which ruled "the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation." (2)
Data reporting obligations can be met much more easily, in the event of a breach or audit, if your data is organised and your processes are clear.
Your business needs a cost-effective maintenance solution to continue to do business globally: drilling down through the collection and retention processes you have, and discerning:
Both local and global businesses have gone to great efforts to comply with the GDPR and similar legislation; the data your business legitimately collects and protects can be legitimately mobilised to benefit you and your clients.
However you achieve and maintain your compliance, whether it's internally or with a contractor, you can go in prepared and save valuable time and budget.
The Information Management template has the questions to set your firm on track for ongoing compliance, accountability and success.
Download our free Information Management Workshop template to get started:
DISCLAIMER: the above article is an overview and is not intended to replace legal advice.
Please contact the governing body, the Office of the Australian Information Commissioner (OAIC), for specific advice on how the NDB relates to your business, or the relevant national authority for the GDPR.
Header Image, Top Body Content Image: katemangostar via Freepik
(1) European Data Protection Board, "EDPB LIBE report on the implementation of the GDPR", published 26 February 2019.
(2) The Register, "French data watchdog dishes out largest GDPR fine yet: Google ordered to hand over €50m", published 21 January 2019.