After our previous article exploring the risks that destination service providers (DSPs) can face as a result of the tightening of data protection regulations across the globe, we are now focusing on the problems that relocation management companies (RMCs) may encounter. Those in the global mobility industry need to look carefully at where and how they need to tweak their day-to-day processes to conform to these new laws. Relocation professionals need to hold personal private data to do their jobs, and uncareful handling of this information is where problems, and potentially severe penalties, can occur.
Although many countries care about the protection of personal data to some degree, the European Union (EU) is leading the way with legislation. The Data Protection Directive (DPD) currently in law across the region demands that member states act to protect citizens data, but only gives rough guidelines. The General Data Protection Regulation (GDPR), however, changes this when it comes into full force on 25th May 2018.
The GDPR is a new set of legislation focusing on the protection of personal data and will reach far and wide, beyond the nations of the EU. It tackles multiple problems founds when the DPD came effect and dramatically expands both the requirements and potential punishments for those who break the rules.
Previously, breach of DPD laws could be met with financial penalties for the parties at fault. The GDPR will allow governments to levy fines of up to €20M, or 4% of the offending company’s yearly global income, whichever is greater. For individuals at serious fault, jail time can also be applied where necessary.
Although the GDPR is a European set of laws, the jurisdiction of these rules is not necessarily that small. The legislation is written in such a way that any companies who want to business within the EU will have to look carefully at their actions when it comes to data protection. In fact, many other countries outside of the EU are looking to integrate parts of the GDPR into their own laws, as to counteract any possible barriers to trade.
For the relocations industry, this means that when working with an EU citizen, or moving a client to, or from, a member state, following the GDPR guidelines should be a priority. You should be careful when deciding which points of data to share with your DSPs. The GDPR has also expanded the definition of personal data to include special personal data. Special data is that which is related to topics that could potentially cause discrimination, such as sexual orientation and ethnicity; the incorrect use of this information, in particular, can be severely punished under the new laws.
RMCs, also referred as Supply Chain Management companies, hold an important role over other businesses in the global mobility industry, as they manage many aspects of global moves, and are therefore required to handle a significant amount of personal data with a substantial number of third-party providers. As the regulations expand to protect private data further, it is essential that RMCs know the risks of the business, and act to protect themselves, their service partners, and clients.
It is no longer acceptable for those in the global mobility industry to use unlogged forms of data sharing, such as emailing spreadsheets to DSPs. Actions like this hold very little in terms of private data accountability and should be avoided at all costs. Is imperative that RMCs keep accurate records of all data transfer and processing activities, along with accurate logs of any and all privacy policies signed by clients. Some of these may be already in place, or easy to implement; regardless, now is the time to re-evaluate your current processes, and mage changes accordingly. In fact, many of the global mobility software solutions on the market are both affordable, and GDPR-ready.
The advantage of using an end-to-end software solution designed for the relocation industry is that they significantly reduce any change of private data being mis-shared or misplaced. As all customer information is kept in the cloud, there is no chance of staff accidentally downloading customer information onto a personal device, an action which will count as a breach under GDPR.
For RMCs, it is especially important to have full control and accountability over the data which is provided to DSPs. This entails successful managing and tracking of a variety of factors, from signed consent forms from clients, to actively monitoring and ensuring that only the correct information is sent out to the right people at the proper time. Slip-ups in these areas could result in extremely costly fines from governments across the EU.
Some of the most prominent questions when it comes to GDPR for RMCs will be over how to handle relationships with their many service providers. The daily interactions between you and your DSPs will often require private customer data to be shared, so that the necessary tasks can be carried out in a timely and accurate manner. Although some of your DSPs may not reside in EU nations, do you still hold them to the same standards as your partners which are required to be GDPR compliant by law? It is always wise to ensure the same standards of working and data protection across your entire network, although some may find it hard to remove established service providers from their group.
Another point to consider should be the software systems which are in use across your network. Modern software solutions aimed at the relocations industry offer substantial levels of process integration across companies, allowing for efficient task sharing, and the secure transmission of data. RMCs should actively look at what their partners are using, and seriously consider the benefits of encouraging all network members to choose a software package to work through. Even if you are not currently working on a project together, ensuring that secured software and workflows are the norm can provide significant benefits for future working, as well as protecting against potential GDPR non-compliance. Overall each RMC will need to make these decisions for themselves and look at the potential benefits and costs in each case.
How then can RMCs properly equip themselves for impending risks of GDPR non-compliance? The answer is to prepare thoroughly, and early. The benefit of getting ahead of the game in this regard cannot be overstated, and with not long to go until the legislation comes into full force, businesses should be looking for answers now. As mentioned earlier, finding a sound and secure technological service for your relocation project management needs can go a long way to achieving regulatory harmony.
One of the many benefits of these software solutions is that they are created with GDPR compliance in mind, and will have many of your data accountability needs built-in. They remove the need for having to actively keep track of spreadsheets and emails containing private customer information, by having inbuilt communication tools, designed for the industry. Relocation management software tools can also provide a standardised platform through which you can communicate with DSPs, intermediaries, clients and assignees, without ever having to worry about accidental data breaches. Using these tools in turn automatically creates a trail of data movement, ensuring that you are fully accountable in the case of an audit.
It is essential that everybody in the relocations sector prepare themselves for the incoming GDPR legislation, and RMCs are at the centre. If you were to take a chance with any part of your business, compliance with the new laws should not be it, as the penalties will be extreme for any company to cope with. Make your preparations now and show your clients and partners that you value the privacy of their data.