How does the new GDPR regulation impact research firms in terms of their operations (project delivery) and business development? If a research firm is mining or otherwise using data from the EU region and that data contains personally identifiable information, it certainly falls within the scope of GDPR. It also applies to you simply if you have an office in the EU.
What would it take to provide comfort to our existing/prospective clients? Publish a Privacy Notice that gives assurance about, and creates awareness of, your data handling (privacy) practices. Train your staff on what GDPR asks of them. Be transparent and accountable about privacy.
What steps does a research firm need to take to ensure compliance? Map your data flows, clarify the legitimate grounds for processing, and anonymise or pseudonymise the data that you use for your research. Have a data protection impact assessment carried out on high-risk data elements (those that directly involve personal information).
Is it possible for a relatively small business with budgetary constraints to implement the compliance steps internally, without external/third-party support? You can, but it is advisable that you seek subject-matter-expert (SME) guidance or hire a dedicated resource.
What is the timeline for compliance? You should be GDPR-ready by 25 May 2018.