The European Union’s General Data Protection Regulation (GDPR) is almost upon us. It comes into force on 25th May, but one key marketing platform for fund managers may be overlooked in detailed preparations for the big day: your website.
Preparing for GDPR goes well beyond a database cleaning exercise. The complexity involved in such tasks can be enormous. At Hawksmoor we have been working with clients who have harvested large amounts of personal data on EU individuals as part of their research efforts. For some firms this data forms a critical part of the value of their business, and they may have been using their website as part of their data collection efforts and be planning to continue doing so. GDPR makes that harder, but it is not the threat some make it out to be.
Data out this month from the World Federation of Advertisers, based on a survey of 34 companies with a collective advertising spend of more than $65 billion, has found slightly more than half of them admitting to ‘major knowledge gaps’ in their understanding of GDPR regulation and its implications. These companies named as their highest priority reviewing their procedures for handling customer requests related to their personal data (e.g. requests to erase or rectify it), but only 12% had implemented such procedures as of the beginning of May.
Almost half of these giants said they were hiring data protection specialists or outside consultants to get them GDPR ready, accepting that, even for big firms, all the answers to GDPR do not exist internally.
And it is not just companies in the EU which need to be taking action urgently. Even non-EU firms are covered if they are handling the data of EU citizens.
US-based Janco Associates, which works with US firms on their GDPR compliance, reckons that 34% of companies in the US are not ready to meet GDPR. Janco has reviewed the compliance plans of more than 200 US-based SMEs. Most claim they find the GDPR requirements to be too complex, saying they lack the internal skills to meet them and have not allocated sufficient resources to do so. Dozens of the firms Janco has spoken to are operating under the misconception that compliance will only be required at some point in the second half of this year, not this month.
GDPR rules may apply differently depending on how you have been collecting data and how you are using it within your business. For many firms this will be as basic as using cookies or other third-party tracking methods on their websites; for others, data harvesting will have been much more comprehensive and sophisticated.
But let’s think ahead. Many of the firms we begin working with on GDPR compliance have paid little attention to some of the things they can use their website for, which includes generating leads rather than simply acting as a static shop window.
Post-GDPR it will still be possible to integrate your website with your CRM system in new and exciting ways, but you will need to make sure that you are doing this correctly and in compliance with the regulation’s requirements. This covers the way in which firms acquire sign-ups and opt-ins for their marketing activities.
Given that the day will shortly be upon us when a large proportion of your databases will no longer be usable for direct marketing activities, those interested parties you acquire in the future will be far more valuable. All the more reason to ensure that these leads are being acquired in a compliant way.
Websites can be an important tool in the ongoing building of your engagement with your client base, but it is essential that a full audit is carried out to ensure that a site is compliant with GDPR. A full information audit can also throw up key areas where a company is missing a trick in terms of potential new lead acquisition.
An audit should also be able to evaluate the sensitivity of the information being collected and the relative risk of storing and processing that data. Going forward, any changes to systems, for example in the way data is being harvested and stored, will need to be evaluated by the firm’s Data Protection Officer (DPO) or an outsourced equivalent.
It is important to remember that right now there is no compliance badge that can be slapped on a website. While all kinds of certification courses are being peddled, none of them bring with them an official seal of approval from the Information Commissioner. Such courses might bring with them some level of ISO compliance only. Information regulators like the UK Information Commissioner’s Office (ICO) will be looking for companies to take appropriate steps to comply with the GDPR regulations, and companies could potentially see the regulator knocking on their front door on day one.
Indeed, Richard Nevinson, the policy and engagement manager at the ICO, recently told a gathering at the Law Society that following a template approach to GDPR is not necessarily going to ensure a company meets the regulation’s requirements. In the UK the regulation is replacing the 1998 Data Protection Act with principles-based legislation, which means that there is not necessarily a right or wrong answer.
Nevinson even admitted that “as the regulator, we won’t have all the answers on day one.”
The new regime brings in several new obligations for UK-based firms that did not exist under the previous legislation, such as time limits for notifying the ICO of serious data breaches, and it increases the authorities’ fining powers to a maximum of €20 million or 4% of turnover.
What it does mean is that there is no convenient one-size-fits-all solution for hedge funds, or indeed for any firms active in the asset management sector.
Companies should be prioritising a full audit of their websites, including how their websites are being used, or could be used, to collect and process personal data in a GDPR-compliant manner. For small to medium-sized financial firms, it may be worth retaining a part-time DPO. A DPO is not required for all firms, but where one is needed it is important that they have a proper understanding of what must be done.
GDPR defines a few roles that are responsible for ensuring compliance with the regulation: the data controller, the data processor and the data protection officer. These are the roles that will carry responsibility for GDPR compliance across your organisation. The data controller, for example, will have to define how data is processed and the purposes for which it is being processed.
GDPR should not be a cause for firms to simply go on the defensive, however. It represents an opportunity to address how you are collecting personal data and managing it internally. Many of its requirements represent good practice for handling the personal data of any client, regardless of whether they are an EU citizen. From a marketing perspective, it may also generate new ideas on how to use your website to promote your business and build up your database with leads that are genuinely interested in your offering.
Stuart Fieldhouse is a Director with Hawksmoor Partners, a London-based marketing and digital communications firm which works with hedge fund managers and their service providers.