Recently a KoffeeKlatch customer asked in one of our groups:

Is it GDPR compliant that our accountant has referred us to an IFA?

The IFA contacted us and knew all the details of our business and our finances, but we had no idea, when we handed over our books to a new accountant at the year end, that they were going to share our financial information in this way.

Old habits (or maybe new enthusiasms) die hard and it seems the accountant had a referral agreement with an IFA and something had triggered this.

The underlying idea behind GDPR is transparency. In theory, the people you share information with should only be sharing that information with 3rd parties if you have given express permission or if you could reasonably expect it because it was necessary. That expectation would be framed by their data privacy policy.

For example, you would expect your accountant to submit your information to HMRC at the appropriate time. You would expect to see what was being submitted beforehand, but you would not necessarily expect to give permission each and every time. Your ‘sign off’ is about accuracy, not about consent to submit to HMRC.

How do you refer a client in a GDPR compliant way?

  • No surprises. Make sure your client knows or has consented to you passing on their details to a 3rd party BEFORE you do so.
  • Don’t rely on your data privacy small print. Work on the basis that clarity and transparency are all.
  • Explain the purpose and extent of what you want to share. Rather than simply saying “we may share your details with a 3rd party”, explain the purpose of the sharing and the extent of the data you want to share.
  • No assumptions. Don’t assume it is all OK. Ask if it is OK to connect and give contact details AND if it is OK to share relevant information to help the 3rd party be useful. Be prepared for a no.
  • The default is no. Remember it is your client who owns the data you want to share. So the default is No. Don’t assume you can unless told otherwise.

Referral marketing can be GDPR compliant

You can refer to external collaborators (3rd parties) in a GDPR compliant way, but you have to do it with transparency. If you are going to make a commission on this referral you should disclose this AND seek consent for the sharing with 3rd parties, OR remind the client of your data privacy policy and its provision for sharing with a named 3rd party before you do so.

GDPR does not mark the end of referral marketing, but it does mark the end of the random sharing of confidential information with 3rd parties when the client has not consented and could not reasonably expect it.

If your referral can genuinely help your client you will find little resistance if you let them know in advance why you want to do this and what you want to share.

But a breach of confidentiality, or sharing without transparency or consent, can have only one result if you are a professional business advisor – you will find you have lost your client. Clients have a much higher expectation of integrity and confidentiality than they ever had before.

    My business has been built on personal introductions, giving them and receiving them (you have to give before you get!). It may be stating the obvious but I never refer someone without asking permission. I then ask what information I can share. It’s then up to the two parties, once they’ve met, to enter into their own data agreement. I always remind clients how we met, and that introductions are much appreciated. People often ask me to provide introductions; however, I only do so when I am as certain as I can be that the service being offered is the best possible option. I won’t provide introductions just because I’m at a networking event. A good way to underpin an introduction is to provide the parties’ LinkedIn profiles. That way you’re only revealing as much detail as each party is comfortable with.

