Internal communications teams should play a key role in broadcasting their organisation's commitment to the privacy of its customers, the public and its employees. GDPR is an ambitious replacement for the Data Protection Act and places a substantial set of requirements on businesses to achieve and sustain compliance.
The General Data Protection Regulation (GDPR) has been live since April 2016 with 2 years' grace before compliance is mandatory; a grace period that runs out in May 2018. The regulation replaces the Data Protection Act and is a major upgrade, with fines for non-compliance reaching 20m euros or 4% of annual revenue for serious breaches.
As technology becomes increasingly personal – think about Alexa and co taking up residence in our personal spaces, our wifi-enabled white goods and other devices connected to our online profiles – ambitious regulations are needed to avoid malicious and unwanted use of our ever more sensitive personal data.
GDPR removes ambiguity about who is responsible for privacy (hint: it’s organisations, not individuals) and places a number of requirements on organisations across 6 key principles.
- Transparency, fairness and lawfulness in the handling and use of personal data.
- Limiting the processing of personal data to specified, explicit and legitimate purposes.
- Minimising the collection and storage of personal data.
- Ensuring accuracy of personal data and enabling it to be erased or rectified.
- Limiting the storage of personal data.
- Ensuring security, integrity and confidentiality of personal data.
GDPR applies to all processing of personal data by organisations if the person the data relates to resides in the EU, or if the processing is performed by an organisation established in the EU. The definition of personal data in this instance is extremely, and intentionally, broad.
Organisations will be expected to be able to:
- Identify stores of personal data
- Govern the creation, management and access of personal data
- Establish controls to protect personal data and prevent breaches
- Maintain required documentation, manage requests and notify of breaches
GDPR will require all organisations to not only plan for compliance but also ensure that business processes are modified in order to sustain compliance.
Clearly the legislation has a major systems and IT focus for discovery, management, security and reporting, but ensuring a sustainable approach will require your employees to understand their role in keeping the business compliant. This is even more so for organisations whose core business relates to the storage and/or processing of personal data.
It is in this people element that internal communications has an important role to play.
- Communicating the organisation's commitment to maintaining the privacy of its employees, customers and/or partners.
- Communicating the role that your employees play in achieving and sustaining compliance with important legislation.
- Ensuring that internal teams (e.g. IT, HR, Legal) are talking to each other to ensure that compliance is achieved and maintained.
- Identifying processes or stores where personal data collection is taking place, from consent tick boxes on websites to analytics platforms.
Adjustments will be needed across all organisations: from the way that personal data is collected on your public-facing websites (e.g. opt-ins), to appointing a person responsible for data protection, to classifying formal and informal content containing personally identifiable data so that it can subsequently be discovered, audited and removed.