Legal Report - Gordon Kerr - EuRA Strategic Consultant Legal Services

The area of legal compliance currently dominating discussions in the relocation industry is, of course, data protection and the General Data Protection Regulation (GDPR).  The GDPR goes "live" on 25th May and I have highlighted below the various forms of training and support which EuRA will be providing to its members over the next few months.  In particular, look out this month for the new EuRA Guide to the GDPR, which aims to explain the practical compliance steps which relocation businesses should now be taking.

One question I have been asked is how does the GDPR affect the normal practice of collecting business cards at industry events and then following up with all your new connections.  Below, I give the legal answer - and also my practical suggestions! 

I always welcome your feedback on legal compliance issues, including any personal experiences which you are happy to share in confidence.  So please feel free to e-mail me with any comments.

Gordon Kerr
Strategic Consultant - Legal Services

(gordon.kerr@morton-fraser.com)

The GDPR: what should my business be doing now?

Probably the most common questions asked about the GDPR are:

• firstly, does it really affect my day-to-day business? 
• secondly, where do I start?

The answer to the first question is straightforward: yes, the GDPR has practical implications for all businesses which handle personal data, i.e. almost every type of relocation business.  But, this does not mean that you need to employ an expensive consultant or invest in new "GDPR-compliant" software.  Instead, your starting point should be to carry out a detailed review of the flows of personal data which occur in your business, ensuring that you have a clear picture of exactly how and why you process the data.

In carrying out this review, bear in mind that "processing" includes any interaction with personal data, e.g. collecting, storing, using, altering or deleting; while "personal data" is any information that can identify a living individual.

You should try to answer the following questions:-

• Whose data do you process? e.g. your individual customers and their families, individual corporate contacts, your employees, business development targets and any other 3rd party data (individuals, not businesses)
• Is any "sensitive" data included? this is referred to in the GDPR as "special categories" and includes personal data relating to health, religion, sexual orientation, political affiliations or genetic or biometric data
• How do you obtain personal data? e.g. direct from individuals and/or from corporate clients, RMCs etc
• What do you do with data? e.g. used only for delivering authorised relocation services and maintaining employee records? - not used for marketing purposes?
• Why do you do these things? e.g. a necessary part of delivering agreed relocation services, complying with employment law and good employment practices
• Where do you store data? - and for how long?
• Is all stored data up-to-date, accurate and relevant?
• Do you share personal data with any 3rd parties? e.g. with partners or sub-contractors
• Do you ever transfer data outside the EU?

Based on the information you have collected by answering these questions, you can start to identify what your business needs to do to comply fully with the GDPR.  If you are compliant with current EU data protection law (1995 Directive), you will find that GDPR compliance is relatively straightforward and certainly nothing like the management ordeal which some consultants like to portray.

Here are the main areas which relocation businesses should be focusing on:

1. "Consent" - if you currently rely on some form of individual consent (e.g. from the assignee) to "process" data, then the wording will need to be reviewed to ensure that it complies with the stricter wording requirements of the GDPR.  Note that you may not need to rely on a separate consent form provided that you have a contract  in place with your individual customer (and the contract contains appropriate wording on data processing).
2. Notifying individuals of their rights - the GDPR places a strong emphasis on the need to be completely transparent.  The information that must be provided to individuals (usually in the form of a privacy notice) has increased, along with an obligation to use clear language and to ensure that the notice is readily accessible.
3. Data retention - you should only collect data which is necessary for your service delivery and you should delete data when it is no longer required.
4. Data security and breaches - the GDPR requires businesses to take "appropriate technical and organisational measures" to secure personal data, but does not lay down specific requirements on aspects such as encryption and use of cloud services.  The security steps which you take are expected to be proportionate to risk and you are also able to take cost factors into account.  If, despite your best efforts, a security breach occurs, there are new rules to be followed on when it is necessary to notify other parties of the breach.
5. Contracts - there are new wording requirements for contracts which relate to personal data, including the respective obligations of data controllers and processors.   

Your precise obligations under the GDPR vary according to whether you are acting as a data controller (e.g. when you have contracted directly with an individual) or as a data processor (e.g. when you are part of a larger relocation supply chain).

EuRA has now produced a Guide to the GDPR which addresses all the above issues in more detail. 

Following up your conference contacts: in a GDPR-compliant way!

When you attend a relocation conference, it is very likely that you will exchange business cards with some new contacts.  In GDPR terms, you are collecting personal data (i.e. name and contact information) and you will probably wish to follow-up by e-mailing at least some of these individuals after the conference.  But what do you have to do in order to be GDPR-compliant?

The first important point here, in legal terms, is that this exchange of personal data has taken place in a business context. By providing you with their business cards, your new contacts will reasonably expect that you will use their details to make further contact for business purposes (unless there has been an indication to the contrary). There is no need to obtain consent from such individuals in a business to business context. Instead, you can rely on the "legitimate interest" ground in the GDPR, as the "lawful basis" for sending out your follow-up e-mails.

The next technical hurdle before you start firing out these business-seeking emails is the question of the theoretical need to provide a GDPR-compliant "privacy notice".  However, this is where we all have to use some common-sense and apply the law in a way that is proportionate and appropriate to the real world.

For example, if you are operating a stand at a EuRA conference, it would be advisable to provide a prominent statement regarding the intended use of business card information at the time of collection.  This could take the form of a notice on your table, including a statement that further details are available on request. If there is no stand, it is preferable to make it clear from your conversation that you intend to follow up after the event. Ideally, you would ask your new contact specifically if he or she would like to be included in your mailing list.  Under the GDPR, you need to be able to demonstrate that you are being fair and transparent about how you are going to use personal data.

When you send out your follow-up communication, you are expected to indicate where the individual can find your privacy notice, usually by a prominent link to your online privacy notice.  To be GDPR-compliant, you should only send marketing materials to individuals that they would expect to receive (i.e. not marketing materials which are wholly unconnected to your conversations) and you should always remind individuals of their right to opt out from future newsletters etc.

Lawyers may have a lot of fun picking over this stuff, but in the real world of relocation industry events, it really is just a case of making sure that you are paying reasonable regard to the stricter GDPR rules.  Unwanted communications should be dropped, but otherwise it looks as if traditional business card swapping will continue to be a feature of EuRA conferences for many years to come!

Further GDPR Support from EuRA

EuRA is providing a range of support to assist members with GDPR compliance as we get closer to the "go live" date of 25th May 2018:
•    EuRA Guide to the GDPR - you can obtain a copy by contacting maree@eura-relocation.com 
•    GDPR session at EuRA conference in Dubrovnik on 26th April.

We are also able to assist members with GDPR training workshops and webinars, tailored to the needs of members' own businesses.  For further information, please contact Gordon Kerr.

Finally, you should not get overly concerned if you think that you will not have everything in place by 25th May.  The important point is to get started down the compliance path without delay and to be clear about the steps necessary to ensure that your business will be fully compliant within a realistic timescale.

The Legal & Tax Report  is produced for The EuRApean by Gordon Kerr, EuRA's Strategic Consultant - Legal Services.

Gordon can be contacted at gordon.kerr@morton-fraser.com or +44 (0)7850 080170