Viewing archives for IT

How systems and digital drive business value for private equity (PE)

Private Equity (PE) ownership of mid-market companies is increasing. Of course, PE houses are driven by valuations and these days IT/tech is at the heart of business value.

There are 4 areas where IT strategy and execution drive value in the PE space:

1. Building in scalability

PE houses building an integrated group of companies will often aim for one of the companies to be the “platform” onto which the other businesses can be added.

The platform company will have well-implemented processes, technology and organisation in order to run smoothly, provide good service at low cost, and to provide clear, flexible and timely management information. It will have the capability to grow and deliver high margins.

Most importantly the platform company may be valued at twice the multiple of the others due to its ability to assimilate and support acquisitions.

2. Due diligence

IT/tech due diligence in mid-market deals is often overlooked or a box-ticking exercise because traditional DD providers use lengthy old-fashioned checklists. These provide limited real value and lack commercial insight (and are often hugely over-priced!).

The basics need to be carefully checked: security, compliance, risks, contracts, people, suppliers and cost and legal exposures need to be assessed and itemised. But in the mid-market, DD expectations need to be realistic and, most importantly, value-focussed buyers need insight into future opportunities (rather than endless lists of risks).

3. Enabling marketing innovations

These days almost every marketing innovation has its roots in technology. Both businesses and consumers are increasingly finding, choosing and buying products and services online.

Brands that want to engage with consumers will tend to do so by establishing a 1-to-1 relationship with them and offering them immersive digital experiences that provide value to the consumer and insight and lock-in for themselves.

For B2B suppliers, the ability to integrate your systems with your clients can be critical, and areas like security and reliability can enable you to acquire and retain high-value corporate clients.

For marketing innovations to work successfully, marketing and tech execs need to work hand-in-glove.

4. Digital transformation

Even a smaller company can radically improve its internal operations and market proposition using digital technology. These days, a company’s size is no indication of its ability to transform the entire market.

We define 4 types of digital transformation depending on whether you are looking to transform your business or marketplace, your customers’ experiences, or your internal operations and risks. You can read more about it here. For PE-owned businesses, or businesses looking to maximise their value to PE houses, all 4 are important areas.

Our Principals work with companies on these issues every day. To discuss these or any other business IT strategic challenges just contact us. It all starts with a conversation.

To find out more, watch the video Focus on Private Equity, where Graeme Freeman explains four areas where well planned and executed IT strategy really drive business value.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

CEO’s Briefing: Technology Roadmap for Growth

As companies grow, their IT inevitably needs to change and develop. In reality, few companies follow a well-planned path, so the result is often a complicated mixture of different generations of infrastructure, business systems, and digital activities. The situation can be further complicated by informal ways of working, such as spreadsheets, manual tasks by key individuals, and other workarounds.

An IT Roadmap—also know as a Technology Roadmap for Growth—is a solution. It gives you a plan for streamlining the inefficient processes and workarounds whilst laying the groundwork for growth. It shifts the discussion from IT as a budget line-item to how technology can drive business growth.

What makes a good technology roadmap

Companies planning growth need a plan for how IT can support and drive this growth. The right IT Roadmap allows them to scale up confidently, whilst maintaining or improving their margins and customer service. It ensures the Board have up-to-date information regardless of the increasing size of the operation. It allows the team to delegate authority to managers, who can make judgements based on accurate data. And it allows the Directors to move swiftly and to take opportunities for partnerships or acquisitions because their operation is a solid platform for growth. Furthermore, it optimises the value of the business in the event of an exit.

Why you need an IT Roadmap for Growth

Admittedly, it’s not easy to create an IT Roadmap. But without one, we typically see businesses impacted in the following ways:

  1. Inefficient processes eroding margins and making good service difficult or expensive. Errors and issues increase as the business grows, which damages profitability and cash flow. Short-term problems dominate management and there is little time or money to plan for expansion.
  1. Poor reporting tools means that analysing costs, revenues, efficiency and profitability is difficult. Comparing trends and plans versus actuals should be easy. Which products and customers are profitable shouldn’t be a matter of opinion! Marketing and sales ideas run aground due to lack of data.
  1. Lack of standardisation means the business is reliant on individuals. People keep their own vital lists and system workarounds which makes them ‘choke points,’ limiting growth and expansion. When these key people are on holiday or sick then the whole business is affected. If they leave it’s a major problem!

Download the full CEO’s Briefing, which explains:

Watch this video where CEO and co-founder Graeme Freeman explains what a Technology Roadmap looks like and how to start planning yours. Or visit our Knowledge Centre which includes all content related to this topic.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Managing Partner’s Briefing on IT’s Role in Successful Legal Services

The context for IT in the legal sector is changing but the winners are those with, amongst other essentials, a defined IT strategy where IT spend is targeted at driving their business performance. Many of our IT Directors have wide experience in this sector and they have created this Briefing Document specifically for Managing Partners/CEOs in this sector.


Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

IT’s evolving role in an evolving legal sector

The context for IT in the legal sector is changing. Legal Aid cuts, new flexible legal service providers, referral fee bans, new ABS and the Big 4 accountancy firms form an increasing threat to the typical traditional mid-sized ‘partner-led’ legal firm.

A higher level of freelance and temporary legal professionals and growth in outsourcing creates new cost-pressures and new threats, but also new opportunities.

The winners are those with, amongst other essentials, a defined IT strategy where IT spend is targeted at driving their business performance. Firms must determine their vision; for example simply to use technology to drive automation and cost-savings; or to free up partners and equip them to leverage their personal relationships and to provide the highest levels of personal service.

How can IT make this happen? We see the following areas of focus for our clients:

Optimised Practice Management & Reporting – Smooth-running, effective and efficient processes are the bedrock of a well-run firm. Systems need to provide clarity on matter and client profitability, billing, WIP, expenses and cash management and to free up highly-paid professionals from excessive administration. Firms living with ageing Practice Management Systems need to untangle their processes, identify a clear Target Operating Model and select and implement a PMS to make that a reality.

Mobility – Some firms still need to move from a paper-based, solely office-based culture where senior staff assume IT is for junior staff! This means ensuring that the IT works well, for everyone, anywhere, anytime. It means good access to the full range of systems and collaboration tools for people working remotely or on the move. All staff need proper training and support and need a positive and enthusiastic attitude.

Sales & Client Engagement – Effective CRM and relationship nurturing initiatives go hand-in-hand. Successfully implementing these initiatives is partly about technology but also about process, training and behaviours. Changes to organisation and incentive structures may be required.

Cybersecurity, Risks & Compliance – Reputable law firms can easily lose their reputation as a result of technology-based fraud or IT catastrophe. Adoption of security standards and external audits can help drive programs of security and business continuity planning. Getting these right often involves getting a wide range of technology and process issues sorted out, so this can be good all-round. But there is no end to the money that can be spent, and a commercial and real-world attitude is needed.

Innovation – Most firms have very unremarkable websites, and are not taking advantage of on-line marketing or sufficiently leveraging client portals. Forward-looking organisations are already embarking on a journey to automate ‘low end’ activities using machine learning and artificial intelligence (AI). Mid-tier legal firms must be wary of another cycle of ‘IT industry hype’ but also need to avoid being left behind as gradual change can overtake them!

In every case the key issue is IT leadership and culture. IT must be at the top table; all senior leaders must be engaged with innovation, but there must be healthy scepticism and constant attention to ROI. The aim of IT must always be to deliver business outcomes.

IT needs to be owned by a confident, competent leader, well connected and influential around the firm. Good IT can significantly contribute to a unified and collaborative culture; and this can be self-reinforcing as more unified firms tend to adopt good IT more effectively.

Adoption and commitment are often the key factors in successful IT (and perhaps in success more broadly!) and strong IT leadership is the basic ingredient.

Read our Managing Partner’s Briefing on IT’s role in the Legal Sector here.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Giving Back

Our Principals consistently tell us when they join that one reason they  got out of a corporate environment and have decided to make a career as a Portfolio IT Director is because they want to give back. We work mostly with fast growing companies usually with revenues in excess of £5M, but that doesn’t stop our Principals wanting to do more, particularly with charitable organisations that would benefit from our skills. We do donate to charities, both as a business and as individuals, but money can sometimes be limiting. Giving our time and effort will, we believe, provide a far more significant difference.

This was why we got very excited when we found out about CITA, the Charity IT Association, because it is exactly what we were looking for; an organisation set up to help other Charities find people in the IT profession who could help them with IT Strategy or sometimes specific IT issues within their particular charity. It couldn’t have been a better fit and after talking with Tracey Phillipson of CITA, I was struck by how much alignment there was between the two of organisations. CITA enables charities to register on their website and explain why they need help. Volunteers, like our Principals, sign up and can view those requests and, if they want, take them up on the requirement and get in touch. Most of them want some help with IT Strategy or similar which is why the fit is so good for us.

Until now, Tracey explained, CITA has mostly concentrated on London because that was were most of the volunteers came from, but with our national coverage through our Principals, the opportunity to grow throughout the UK is immediate. This can only be a good thing. Freeman Clarke’s aim is to make a long-term commitment to CITA and provide an opportunity for our Principals to give back and for the Charities associated with CITA to benefit from this relationship.

You can find out more about CITA here:

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Preparing for Strategic IT Demands from Corporate Clients

Providing services or product to corporate clients can be a lucrative opportunity. Large, stable clients can be a good market and they can be powerful advocates for your brand and a feather in your cap. But these kinds of clients often come with challenges.

Corporate procurement departments often impose stringent IT demands. Although meeting these demands can be a pain, once you are able to confidently tick these ‘checklists’ then you do have a tangible competitive advantage.

We are often called in to help so have created the below CEO’s briefing on the subject to shed some light on some of the most common issues and opportunities.

This area is of specific interest to our clients in the logistics/3PL sector and we have a specific briefing on this sector which you can find here.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

CEO’s Briefing on IT Risks, Compliance and Security

No doubt you worry about growing your business and being successful, but as the business grows and becomes successful, protecting it against risks becomes a new source of worry!

New concerns range from compliance with Data Protection regulations, ensuring the business will survive a climatic event, or fall victim of a cyber attack that destroys all your data.

This document covers compliance, data management and data protection including DPA (Data Protection Act), GDPR, ICO, PCI (credit, debit and payment cards), FCA and related topics. It explains practical cyber security protection measures to prevent attacks, viruses, hacking, data theft, data leaks, cyber insurance, cyber crime, ransomware, phishing. It also makes reference to backups, system failure, risk management, risk registers, risk and issues logs. It makes particular reference to SME and mid-market companies and specific sectors like life sciences, pharma, defence, builds and construction, legal and accounting, transport, supply. It provides independent advice on anti-virus, patching, IT security experts and IT suppliers, and firewalls. The document covers passwords, audits, audit trails, cyber insurance, security accreditation like Cyber Essentials Plus, and how to get started.

Visit our Cyber Security and Compliance Knowledge Centre which includes all content related to this topic.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Using IT to Succeed in Third Party Logistics (3PL)

In an increasingly competitive market, the best 3rd party logistics (3PL) firms capture the lion’s share of the opportunities. IT is often a key aspect of their competitiveness and profitability.

As well as the summary below, we have created a more detailed CEO’s briefing on using IT to succeed in 3PL. Click on the link to download the full CEO’s briefing.

In our experience there are 5 key areas where IT is integral to their success.

1. Cost reductions. Both in IT and across the business every cost must be scrutinised and all investments must have a well-defined ROI with a director accountable for its delivery. IT and process efficiency go hand-in-hand, and the narrow margins and competitive nature of the industry require an ongoing focus on minimising IT costs, and maximising IT’s impact on process efficiency, clarity of information, and business cost reduction.

2. Automated tracking. Key to slick operation is effective, up to the minute and consolidated visibility and tracking of consignments, both internally and externally to customers, whether they are B2B or B2C. This can be complex and may involve 3rd parties, and an array of mobile and handheld devices as well as web portals. Customer expectations are ever higher, but IT can offer ever smarter tracking.

3. Streamlined processes. Integration and standardisation of processes and IT within the company and with external partners/customers is critical for cost reduction but also to minimise errors and maximise simplicity. The focus must be on scalability, cost reduction and achieving tight connection to customers, suppliers or franchised operations.

4. Flexibility. The ability to deploy rapidly and efficiently to support quick take-on of new business, acquisitions and mergers or site start-ups is critical to win business and then deliver on planned profit. Taking down operations is an inevitable part of logistics business as well, and knowing you are able to efficiently contract occasionally whilst maintaining overall profitability not only provides financial stability, but also gives business leaders confidence to expand without fear when opportunities present themselves.

5. Strategy and points of difference. A company with a clear business strategy needs a clear IT strategy as well. That means a strategic/executive view of the current IT capabilities, the capabilities needed, and a roadmap for getting there. Streamlined and low-cost operations, automated tracking and flexibility are the pillars for finding points of difference which allow you to win business and to avoid competing purely on cost.

Already some less efficient players are beginning to struggle and more successful business are achieving greater scale and greater success as a result. Mergers and partnerships between the winners will cause further gaps to open up between winners and losers. In our experience, the 5 key areas above allow our 3PL clients to prosper.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Successful IT in Digital & Creative Agencies

We have a large number of Digital and Creative Agency clients and they have specific IT challenges. For these clients, our IT Directors need to both enhance their work and enable creativity, whilst boosting their profitability and reducing risk.

Creative agencies typically have many talented staff most of whom are highly web literate, but they may have little interest, training or motivation to ensure their own IT systems and infrastructure are well organised, structured and maintained.

Specifically, agencies have IT challenges because:

1. They have complex estates of IT kit including large numbers of Macs, remote working, temporary associates, and large file storage requirements.

2. Staff need reliable IT so they can spend their time doing great work, have the freedom to innovate, and are able to access IT facilities rapidly when they need them.

3. At the same time, cybersecurity must be maintained and disaster recovery plans must be in place as the whole operation is completely dependent on smooth running IT.

Addressing these issues is difficult. But, once overcome, our clients’ efficiency and effectiveness has been significantly improved.

Key areas where we believe focus is necessary are as follows:

IT Strategy – A simple, agreed IT strategy, regularly reviewed and kept alive. With so many IT literate staff, and cultures which are often open and inclusive this may need wide-ranging discussions, and “the discussion process” may be as important as the actual conclusion.

Internal Infrastructure – Overhaul of internal IT facilities for data storage, networking, email, video, phone and other communication/collaboration. Cloud services like Google, Box or Office365 should be used where possible, but large files need to be properly handled, as well as home working and facilities for associates. In particular, backups need to run smoothly (despite large files) and restores need to be tested. Good asset management practices ensure no money is wasted and licenses are compliant. Whether IT support is inhouse or outsourced, it needs to be effective and managed, and urgent issues tackled effectively.

Hosting – Cloud hosting needs to be setup and monitored. Typically this will be based on Rackspace or AWS, but configuration should be standardised, and centralised.

Cybersecurity & Business Continuity – Practical policies must be agreed, properly communicated and enforced. This ranges from “traditional” issues like safeguarding personal, financial or client information. But may also include agreeing policies and practices for building secure websites or software applications. Security tools and products must be properly configured and maintained. Appropriate business continuity plans must agreed and occasionally practiced.

Systems, Management Reporting & BI – All agencies share the same challenges in terms of timesheets, billing, WIP, pipeline and resource management – though realistic practical solutions depend on the size and shape of the business. Managers typically want high quality regular reporting and, in businesses with strong visual cultures (!), then it’s important that these reports are well presented. This may be based on Excel, Power BI or a more specialist product like Tableau.

Dev team management & DevOps – In some cases our Principal needs to create and oversee an Agile development process. This may mean implementing a story backlog, standups, retrospectives and a Kanban. In addition there are detailed issues of separating development, test and live environments and automating test, build and deployment.

Client hosting packages – We often work with our clients to create standard hosting plans for their sales teams so they easily understand the hosting options available when pitching.

Although these points are central to smooth running Creative and Digital Agencies, they’re normally not issues they find very interesting!

Our Principals focus on getting this sorted, so the rest of your team can focus on your clients.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it ‘fractional’) IT Directors, CIOs and CTOs. We work exclusively with SME and mid-market organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

GDPR Essentials: The Impact on IT, Legal and Marketing for Your Business

GDPR – the EU General Data Protection Regulation – is among the biggest legislative changes to hit UK businesses in years. Organisations that fail to adhere to the new rules face fines of €20m or 4% of their global turnover. And there’s no limit on size of business; it affects everyone.

As a business owner, you need to get to grips with GDPR, how it affects your business and what you need to put in place to prepare. The ramifications impact many different departments and, as such, you’ll need a holistic plan of action which involves key members of your team.

With this in mind, The Marketing Centre gathered three partners and experts around the boardroom table to discuss the regulation’s impact from the perspective of legal, IT and marketing. Let’s meet them.

(From L-R)

The IT view: IT expert Andy Hart, Freeman Clarke Regional Director
The marketing view: Pete Jakob, Marketing Director for The Marketing Centre
The legal view: Founder of My Inhouse Lawyer, Trupti Harding-Shah

The Marketing Centre: Hi all, firstly, can we get a bit of background to GDPR. Why are the laws changing?

Trupti Harding-Shah: We’ve been operating under outdated legislation for some time now in that the current Data Protection Act (DPA) doesn’t address many of the challenges thrown up by our digital way of life. Under GDPR, businesses will have to be more proactive in their data management, and customers will have a much more dynamic right of consent around their data. They can give or withdraw consent at will, port their data or have it erased completely. It’s encouraging a real shift away from a compliance and box ticking mindset towards businesses being much more transparent and accountable to their customers.

Andy Hart: Exactly right. It’s a “sign of the times” thing. We’ve seen a continual and exponential explosion of data over the last ten years, and privacy has changed a lot. People used to easily give away data to things like Facebook, but the pushback has begun – giving people ownership over their data and enabling them to say, “that’s not right, I’m not happy with that. I want that changed or deleted.”

You may like: GDPR Overview – What is it, and why does it matter?
I’m not sure GDPR is the right way to handle this, but something has to be done because many service providers aren’t as secure as they should be. Nothing is totally secure. It’s a bit like buying a house in a high-crime area, sticking the Crown Jewels in it, and then working out how to secure them afterwards.

Pete Jakob: Ultimately, GDPR brings our data protection laws in line with the rest of Europe; the world, even. The laws will hand power to individuals about what data businesses hold on them and, importantly, how they can use it.

TMC: OK, let’s cover the basics. What do the laws mean for businesses in each of your departments, and what are the key challenges?

Andy: From an IT perspective, a business needs to understand what data it has, where the data is, who has access to it, and what it’s used for. Within that data there will be a subset which is personal information – defined much more broadly than under the Data Protection Act. Personal data isn’t just names and ID numbers or payroll numbers; it includes things like your computer’s IP address and demographic information.

There are therefore basic security controls that need to be put in place, whether the data is at rest or in transit. Data should be encrypted or anonymised, so it can’t be immediately tied back to an individual. Privacy notices need to be clear and easy to understand, outlining why data is collected, what it will be used for and how long it will be kept. It must be as easy for users to opt-out as it is to opt-in, and opting in must be positive. That means not pre-ticking email sign-in boxes, for example.

Trupti: Legally speaking, GDPR sets a much higher standard for consent, so we’ll be assessing the current mechanisms employed by our clients to obtain consent and revising them to make them more granular, dynamic and compliant. We’ll also be updating privacy policies and working with our counterparts in IT and marketing to establish a wholesale lie-of-the-land and roadmap the leap from current practices to the higher standards required under GDPR. As Andy says, businesses will have to look at how they collect, store and manage data internally, and audit this against GDPR requirements.

Until now, the approach has often been that it’s enough to have a privacy policy and cookie policy up on the website. GDPR raises the bar. It’s designed to put data protection at the top of the agenda in the minds of business owners and their management teams and encourage them to take a more holistic approach.

Pete: This question of compliance should be at the top of everyone’s marketing agenda. Today, if I have or buy a mailing list with 25,000 people on it and I want to email them, I can. I have to allow them to opt out, but until they do so I can go on mailing them.

As of May 2018, GDPR implies I might not even be allowed to email them unless they’ve explicitly consented to be mailed.

TMC: Implies?

Pete: Yeah. Well, there is a lot of misinformation floating around on this. GDPR doesn’t explicitly mention email marketing, and it certainly doesn’t prevent it. HOWEVER, there is a separate piece of legislation – Privacy in Electronic Communications (PECR) – which has been around since 2003 and is revised periodically.

The latest revisions are still in draft, but it is PECR and not GDPR which is creating concern about the future of B2B email marketing without positive opt-in consent. If the current draft of PECR goes through, it will put B2B email marketing on the same footing as B2C marketing and will mean you need a positive opt-in to send mailshots. Which way it goes remains to be seen but there could be a significant impact from a marketing perspective.

The combination of GDPR and PECR means marketing process needs to be tightened, and a positive opt in needs to be encouraged.

The question businesses need to ask is, why would their customers opt in? They need to work hard now to develop an inbound marketing strategy that offers more than simply bludgeoning the recipients round the head with sales messages. It becomes a human game rather than simply a numbers game.

If you’re procuring or building lists, work hard to get everyone to opt in. The same goes for your existing data. You’ll need records of how everyone opted in, and where, and when.

TMC: The question then is, how do you collect data?

Trupti: There’s a lot more to consent under GDPR than under the DPA: GDPR requires consent to be granular, clear and affirmative. If you want consent for a specific purpose, the request for consent needs to be directly relevant to the purpose for which you’re going to use it. In real terms, this means you can’t run a competition that says “tick this box and give us access to your data” if you’re going to use the data for another purpose altogether.

The whole business of implied consent and pre-ticked boxes will have to go. The withholding of information behind consent – including websites that say “we need your data for you to go further” – may have to go, too.

If we flip it and look at it from the perspective of the individual – it’s not unreasonable to want to know what the information you’re sharing is going to be used for. As businesses embrace this, it’s only going to build up trust in the minds of their customers and enhance their reputation. Yes, this may be disruptive in the short term but there’s also an opportunity here to win confidence.

TMC: Trupti, how worried should businesses be about non-compliance?

Trupti: Under GDPR the financial sanctions for non-compliance could mean fines of up to 4% of annual turnover or €20 million; authorities will also have investigative and corrective powers under which they could audit a business, issue warnings and even ban you (temporarily or permanently) from processing data. Individuals could also bring cases against a company if they’ve suffered loss as a result of their data being mishandled. There are additional sanctions under PECR which might also apply. Here the financial penalties are lower, but there’s scope for criminal prosecution.

In the UK, the ICO does already take enforcement action against companies not complying with the existing data protection legislation but GDPR raises the stakes giving supervising authorities stronger powers to uphold the higher standards it prescribes.

TMC: How many of the businesses each of you deals with have a plan in place for GDPR?

Andy: Very few. Many of the people I’m talking with aren’t cognisant of what’s going on. There are even people who say, “we’re leaving the EU so it doesn’t matter to us or apply to our business”. It does, and it will. It applies to anyone who conducts any transactions with the EU, with EU businesses and EU citizens.

Pete: It seems that most of the UK has its head in the sand on GDPR. Directors are vaguely aware of it, know they need to do something and are talking to their legal team about the details and the fines. I’m recommending that people go back to the principles – what would be the right thing to do, and how far off that are they, and how much can they close that gap in the next twelve months?

There’ll be vast swathes of the marketing industry that won’t be close to 100% compliant next May, but if you have a plan and you’re well on the way, you can show supervisory bodies that you’re trying to do the right thing.

TMC: What does ‘trying to do the right thing’ look like?

Pete: Firstly look at cookie and privacy statements – are they open and transparent about what you’re using to capture insight and what you’re doing with it? Are you collecting data through an opt-out process? How do you move to an opt-in process? Ask people to opt in now. If your clients, customers, contacts and so on haven’t opted in, contact them. Send them an email that’s clear about why you’re asking them to confirm, and how they can manage their preferences and so on. Start implementing that now.

TMC: How do businesses make sure they comply with the new rulings both in terms of process and internal structure?

Pete: Aside from the opt-in and compliance elements, one thing we haven’t talked about is the process for data breaches and internal reporting. Whoever becomes aware of a breach, or a suspected breach, needs to have a single point of contact they can report it to. Someone needs to assess the breach quickly, understand what caused it and where it is in the data handling process, and how many and which data subjects it impacts.

Then it needs reporting, within 72 hours, to the supervisory authority. If someone has failed to do what they should have done, there will be a fine; if the business has done everything correctly and there’s been a breach despite that, there’s unlikely to be a fine.

That single point to which the reports go is the data protection officer; someone as senior as possible to take overall responsibility for data. Many see this as a job for IT. But so much of GDPR isn’t about IT. It covers CCTV recordings, voicemail and hard copy data on paper as well as electronic data. If a notepad with someone’s details on it is stolen, this constitutes a data breach.

The reality is that IT, marketing and legal will all have a role to play, so the person nominated should be able to take a coordinated approach across all those departments. For the average SME I expect it’ll be the Financial Officer or Director.

Trupti: There needs to be an education process within the whole company. Business owners won’t want to educate their managers and then find that others within the organisation have inadvertently let a ball drop. It’s a question of managing risks: Being joined up and making sure everyone in the business understands the standards prescribed by GDPR and what that means to them in the context of that individual’s role.

Currently under GDPR, only public bodies and businesses that undertake large scale or systematic processing of data have to appoint a data protection officer (DPO). Smaller businesses are not required to appoint a DPO, but even if you don’t have to, I agree with Andy, it makes good business sense to designate someone as a data protection champion to monitor performance and report to the board.

Most businesses we work with appoint our lawyers as data protection champions to interpret GDPR and pull everyone together. That won’t be right for everyone, though, especially if they don’t have access to the kind of flexible inhouse solution we offer.

Education will carry a cost. Every business will have to make that investment, and the smart ones will probably do it sooner rather than later. Whether it’s a question of assigning employee time to those activities or bringing an expert in will vary, but every business will need to allocate a budget for education and training their teams, appointing a champion and performing that audit to establish how they’re treating data and then bridging any gap.

We also have think about the partners and suppliers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards and you’ll want to work with businesses who are GDPR-compliant.

Some of those arrangements with mailing list providers will have to be revisited to ensure the partners have explicit consent to – for example – selling email addresses to third parties. It’s not just about prospects – it’s about all the people you’re doing business with.

TMC: Anything else?

Pete: One thing; storage practice will have to change too. If an organisation gets a subject access request, IT teams sometimes struggle to identify all the data relating to an individual, because it’s locked up in different systems. Large organisations will have to look at how they tie their systems together. Most will have to consider modifying their website to include explicit consent for data collection, having procedures and controls so that if there’s a breach people know what to do.

Many organisations don’t comply with their own data retention policies at the moment – they should be deleting data after so many years and they hang on to it forever. Even if they’ve deleted a file, it’s stored in systems or databases or on a server as a big block, and that block’s backed up for security or recovery purposes, and that backup is kept forever. If the business ever does need to restore, they’ll take that backup and they’ll get the data back. That won’t be possible as an approach under GDPR.

In all honesty, most data breaches are down to human error. People talk about being hacked, but the actual cause is someone leaving a laptop on a train, or hitting ‘Reply To All’ on an email. It’s that easy.

The best thing businesses of all sizes can do is run an employee awareness program, so staff understand why data needs to be kept safe and what the basic vulnerabilities are. Can people just wander into the office and see what’s on their screens? Are documents being left on top of photocopiers or in the out trays of printers? Do we leave things on the reception desk that we shouldn’t?

These are basic, brass tacks security controls that have nothing to do with IT systems. They simply require a bit of a cultural change which, as we all know, can be hard to achieve.

TMC: Sounds like there’s a lot of work to do!

Pete: There absolutely is, but certainly from a marketing perspective, I think we should take a positive stance on GDPR. It’s forcing us to treat clients in the way that we would like to be treated. If we’re trying to be respectful, honest, open and authentic with our clients – all those values we’ve been talking about since before digital technology – it’s a no-brainer.

If we look at the countries like Canada or Germany, which have much tighter privacy regulations than the UK has had, we see email volumes go down but email engagement go up by comparison. We’ll go the same way and see less spam. Why is that a bad thing?

Andy: Quite right. If we embrace it and are pragmatic about it, we’re in a good place. Nobody wants those headlines about a huge data breach. If we get the job done and have the right security controls around it – which many businesses don’t have, and which do cost time and money – then we’re avoiding those headlines. It’s introducing an overhead on all businesses, but it means we’re seen to protect our data properly, which makes us more trustworthy.

Key takeaways:

  1. Make someone responsible for managing GDPR and data strategy
  2. Add opt-ins to all your digital marketing and make sure you get a double opt in
  3. Carefully review what data you have, why and if it can be used post-GDPR
  4. Build an inbound marketing strategy and get it running well before the end of 2017
  5. Don’t wait for “them” to solve the problem for you; they won’t

Thanks to Pete, Trupti and Andy for their thoughts. One thing’s crystal clear from all the experts we’ve consulted – businesses need to pay attention, and plan now, to be ready when GDPR comes into force next May. If you’re not sure what your business needs to do, get in touch:

IT related query’s contact us at Freeman Clarke – 0203 020 1864 or via the contact us form

Legal related query’s contact My InHouse Lawyer on 020 7939 3959.

Marketing related query’s contact The Marketing Centre on 020 8166 3106

Original blog post from The Marketing Centre:

We recently circulated a CEO’s Action Plan document to help businesses kick start their planning so they can become GDPR compliant by the May 2018 deadline. Click the button to download this document.


If you would like to discuss how GDPR could affect your business and a practical approach to making sure you’re compliant, contact us for a no-strings conversation.

Subscribe to our Business Insights

Plain English board-level briefings focused on technology strategies to deliver competitive advantage and business success.

* Please enter an email address

You can unsubscribe at any time.

Thank you.

You’ll now receive regular expert business insights.

Call us on 0203 020 1864 with any questions.

Graeme Freeman
Co-Founder and Director

Subscribe to our Business Insights

Plain English board-level briefings focused on technology strategies to deliver competitive advantage and business success.

* Please enter an email address

You can unsubscribe at any time.

Thank you.

You’ll now receive regular expert business insights.

Call us on 0203 020 1864 with any questions.