GDPR and Communication
Corporate Communications and public relations have a new major challenge.
And this challenge has a precise date: 25 May, 2018, the day when the General Data Protection Regulation (GDPR) comes into force.
The regulation focuses on the clear and unequivocal protection of people and the dispersion and use of their personal data.
The name itself is telling: “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (…)”
With its 173 issues and 99 articles, the GDPR is changing to better protect people in the digital environment and globalized world we now live and work in. It’s relevant to all of us as it has direct application in 28 countries without needing to be adopted into national laws, and applies to any organization operating within the European Union or storing data from European citizens.
It’s also clear that as this regulation is about people then we have to communicate with them. The implications of GDPR need to be communicated internally and externally by companies and organizations transparently and effectively. Without this, the objectives of this regulation won’t be met. If there’s any miscommunication, the reputation of the organization can be seriously affected and incur damage far beyond the 20 million euros maximum fine.
GDPR impacts beyond how we communicate with internal and external audiences. Based on the premise of privacy – privacy by default and privacy by design – everything must be considered and drawn up in accordance with this premise. Organizations will have to respond - regardless of their technology and resourcing capabilities - to applications for oblivion ("erase" the personal data of databases), data footprint (state who, when and why an individual’s personal data was accessed) and data portability (availability of data).
The communication also has to be planned and delivered around making explicit and clear commitments to managing the different kinds of personal data held, including photographs (to events); the outsourcing to companies who may have access to such data; with the publication of the data held; and, for example, with the management of personal data of candidates and of former employees. All this applies to not only the data held in a digital format but also to data that’s stored on paper.
In an amazing coincidence, while I was writing this text, I got a call from a company to inform me about a marketing campaign. The person who called me, called me by name (and knew my phone number, name and what kind of service I had) nicely and politely. I asked how they obtained my contact and was told that my number had been drawn in a database. I insisted: "in what database?" There was silence. Then they replied that it could be a site that I had subscribed to. I had to insist: "what site and in what date?" The conversation continued politely, but they couldn’t confirm and I have not heard back.
This example illustrates the kinds of responses that companies must be prepared to give from 25 May: we have to have peoples’ express permission to use personal data and know exactly the source of that data.
This was an example of the use of personal data for commercial purposes, but it would be exactly the same if a request came as part of an internal communication campaign
GDPR offers us an excellent opportunity to improve the relationships with internal and external audiences in the spirit and context of integrated communication. But beware and be prepared: 25 May is tomorrow.
Vice-President of APCE – Portuguese Association for Corporate Communication
President of FEIEA – European Association for Internal Communication