The area of legal compliance currently dominating discussions in the relocation industry is, of course, data protection and the General Data Protection Regulation (GDPR). The GDPR goes "live" on 25th May and I have highlighted below the various forms of training and support which EuRA will be providing to its members over the next few months. In particular, look out this month for the new EuRA Guide to the GDPR, which aims to explain the practical compliance steps which relocation businesses should now be taking.
One question I have been asked is how the GDPR affects the normal practice of collecting business cards at industry events and then following up with all your new connections. Below, I give the legal answer - and also my practical suggestions!
I always welcome your feedback on legal compliance issues, including any personal experiences which you are happy to share in confidence. So please feel free to e-mail me with any comments.
Gordon Kerr
Strategic Consultant - Legal Services
(gordon.kerr@morton-fraser.com)
The GDPR: what should my business be doing now?
Probably the most common questions asked about the GDPR are:
The answer to the first question is straightforward: yes, the GDPR has practical implications for all businesses which handle personal data, i.e. almost every type of relocation business. But this does not mean that you need to employ an expensive consultant or invest in new "GDPR-compliant" software. Instead, your starting point should be to carry out a detailed review of the flows of personal data which occur in your business, ensuring that you have a clear picture of exactly how and why you process the data.
In carrying out this review, bear in mind that "processing" includes any interaction with personal data, e.g. collecting, storing, using, altering or deleting; while "personal data" is any information that can identify a living individual.
You should try to answer the following questions:-
Based on the information you have collected by answering these questions, you can start to identify what your business needs to do to comply fully with the GDPR. If you are compliant with current EU data protection law (1995 Directive), you will find that GDPR compliance is relatively straightforward and certainly nothing like the management ordeal which some consultants like to portray.
Here are the main areas which relocation businesses should be focusing on:
Your precise obligations under the GDPR vary according to whether you are acting as a data controller (e.g. when you have contracted directly with an individual) or as a data processor (e.g. when you are part of a larger relocation supply chain).
EuRA has now produced a Guide to the GDPR which addresses all the above issues in more detail.
Following up your conference contacts: in a GDPR-compliant way!
When you attend a relocation conference, it is very likely that you will exchange business cards with some new contacts. In GDPR terms, you are collecting personal data (i.e. name and contact information) and you will probably wish to follow up by e-mailing at least some of these individuals after the conference. But what do you have to do in order to be GDPR-compliant?
The first important point here, in legal terms, is that this exchange of personal data has taken place in a business context. By providing you with their business cards, your new contacts will reasonably expect that you will use their details to make further contact for business purposes (unless there has been an indication to the contrary). There is no need to obtain consent from such individuals in a business-to-business context. Instead, you can rely on the "legitimate interest" ground in the GDPR, as the "lawful basis" for sending out your follow-up e-mails.
The next technical hurdle before you start firing out these business-seeking e-mails is the question of the theoretical need to provide a GDPR-compliant "privacy notice". However, this is where we all have to use some common sense and apply the law in a way that is proportionate and appropriate to the real world.
For example, if you are operating a stand at a EuRA conference, it would be advisable to provide a prominent statement regarding the intended use of business card information at the time of collection. This could take the form of a notice on your table, including a statement that further details are available on request. If there is no stand, it is preferable to make it clear from your conversation that you intend to follow up after the event. Ideally, you would ask your new contact specifically if he or she would like to be included in your mailing list. Under the GDPR, you need to be able to demonstrate that you are being fair and transparent about how you are going to use personal data.
When you send out your follow-up communication, you are expected to indicate where the individual can find your privacy notice, usually by a prominent link to your online privacy notice. To be GDPR-compliant, you should only send individuals marketing materials that they would expect to receive (i.e. not marketing materials which are wholly unconnected to your conversations) and you should always remind individuals of their right to opt out from future newsletters etc.
Lawyers may have a lot of fun picking over this stuff, but in the real world of relocation industry events, it really is just a case of making sure that you are paying reasonable regard to the stricter GDPR rules. Unwanted communications should be dropped, but otherwise it looks as if traditional business card swapping will continue to be a feature of EuRA conferences for many years to come!
Further GDPR Support from EuRA
EuRA is providing a range of support to assist members with GDPR compliance as we get closer to the "go live" date of 25th May 2018:
• EuRA Guide to the GDPR - you can obtain a copy by contacting maree@eura-relocation.com
• GDPR session at EuRA conference in Dubrovnik on 26th April.
We are also able to assist members with GDPR training workshops and webinars, tailored to the needs of members' own businesses. For further information, please contact Gordon Kerr.
Finally, you should not get overly concerned if you think that you will not have everything in place by 25th May. The important point is to get started down the compliance path without delay and to be clear about the steps necessary to ensure that your business will be fully compliant within a realistic timescale.
The Legal & Tax Report is produced for The EuRApean by Gordon Kerr, EuRA's Strategic Consultant - Legal Services.
Gordon can be contacted at gordon.kerr@morton-fraser.com or +44 (0)7850 080170