Dear MCG… GDPR grievances
Dear MCG, Whilst I understand and support the goals of GDPR, I have to say that I have come to hate it. The deadline is looming and we really haven’t done enough to prepare for the 25th May. We are struggling to understand the extent that we are affected (we know that we are, in some ways) and, to be honest, part of the problem is that nobody here wants to engage. I’m not the most senior person in the team here and I am struggling to get the Partners to take it seriously. They just want me to “sort it out”. It’s driving me up the wall… Can you help?
Thanks for your question – I expect you are not the only person wringing their hands this month. No doubt you will have been receiving a steady stream of “let’s stay in touch” emails from firms that have you on their databases and, hopefully, you have already contacted everyone on your databases to get them to confirm that it is fine for you to send communications to them. Remember: it’s not enough to give each individual the option to opt out; they have to actively “opt in” (and you need to be able to record an audit trail for this); you have to show that consent was “freely” given.
Now, there are many better placed than me to advise on your various obligations under GDPR, so I’m going to limit myself to highlighting a few areas that might easily get overlooked. Then I’ll attempt to tackle the second part of your problem: how to get senior team members to engage with the process. Obviously, you shouldn’t consider any of this legal advice, and you mustn’t act on any of it – make sure you get specific advice from your lawyers.
So, what might get overlooked? Frankly, quite a lot (and this just scratches the surface):
Disclosure and confidentiality agreements
GDPR captures those that “process” as well as “control” data. Make sure you have properly worded confidentiality agreements with anyone with whom you share data. This includes your suppliers and service providers (fund administrator, investor portal, data room etc.), but also those involved in transactions, whether as buyer, seller or intermediary. If you receive data as a buyer, you will need to make sure that it is stored securely. If you are disclosing data, you must ensure that what you are disclosing is only that which is necessary.
Look backwards as well as forwards
The likelihood is that you will need to revise most of the service agreements you have in place, as they are unlikely to explicitly ensure compliance with the GDPR principles. And you are going to have to look at your fund subscription documents, too…
Data due diligence
Make sure that any target acquisition has the right systems, staff and processes in place to be GDPR compliant. For businesses operating in industries that deal with significant amounts of (sometimes sensitive) consumer data, you can expect special scrutiny.
As well as an obligation to the individuals outside the company and your investors, you have an obligation to those within the firm, whose data you hold. Don’t neglect your own systems and make sure that the personal information of the individuals in your team is held securely and only accessible to those that need to see it.
If there is a data breach, the clock starts ticking as soon as you become aware of it, and you have just 72 hours to inform the relevant supervisory body. In the UK, for example, this is the Information Commissioner’s Office. If the breached data includes sensitive information (including but not limited to medical information or financial data), EACH affected data subject must also be notified as soon as possible.
Outside of Europe
Regardless of where you are based, if you hold or process the personal data of even just one individual from the EU, you are caught by GDPR and must comply. Don’t forget that the maximum penalties are severe: €20m or 4% of total group revenues (globally).
These are just some of the issues that need to be dealt with, but once you have identified what needs to be done, you still have to secure the necessary resources, which will typically involve gaining the attention of senior staff.
Here are three techniques that you might find useful.
Remember that executives like executing
Make sure you bring decisions, not issues, to the table. Do the leg work to make sure all that is required is a signature or an agreement to proceed. Don’t say “we need to discuss how we are going to map our data processing activities”. Do say “we need to map our data processing activities and Firm X can do it for this fee. Can you please approve the spend?”
Keep choices to a minimum
If you want to provide options to a decision maker, make sure that you identify your preferred choice. Hands-on micro managers can still evaluate the options themselves, but those with a hands-off style won’t feel like you are taking up any more of their time than absolutely necessary. Don’t say “here are 12 options for how we can take this further”. Do say “I suggest we do X, but there are some other options if you want to look at them – here is a summary.”
Make it personal
If you still can’t get the right level of attention, you need to work harder to tie the activity to something that directly and obviously impacts the natural focus of the decision maker you are talking to. Don’t say “we need this to be GDPR compliant”. Do say “if we don’t do this now, it will almost certainly delay our ability to execute on transaction X, potentially by as much as 3 months.”
MCG (Matthew Craig-Greene) is Managing Director | IR & Marketing for MJ Hudson, the asset management consultancy. He can be reached at firstname.lastname@example.org