GDPR Compliance: What does it mean for Internal Communications?
— November 16th, 2017
If you’ve already heard of GDPR, you might know what’s coming down the tracks. And, if you haven’t, get ready to hear a lot more about it in the months ahead. Because, while the EU’s new data privacy regulation, which comes into effect next May, isn’t specifically focused on Internal Communications and HR, it will impact how we work.
GDPR & You: Why it matters for IC professionals
GDPR: What is it and what will it do?
The General Data Protection Regulation (GDPR) replaces the EU’s existing data protection guidelines and will change some of the standards expected of those who hold information on European data subjects. These ‘data subjects’ are the people whose personal data we hold, and they include the employees on whom Internal Communications holds email addresses, names or other identifiable information. The new regulation will require communicators to pay attention to ‘transparency’ (for example, do employees know what personal information the Internal Comms function holds on them? If not, should we do a better job of advising employees in our communications?). It will perhaps also require more attention to ‘necessity’ (for example, do we hold personal data attributes, like age or gender, that we are not using? If we’re not using them, should we delete them?).
GDPR Checklist: Where to start?
While communicators should start thinking more broadly about what GDPR means for the Internal Comms function, it might first be worth considering your organization’s position on:
By extension to the above, if there is no business purpose for storing certain data types, it may be worth removing certain data fields. For example, if you are not currently using employee last name data (for personalization), or employee country data (for language or content localization), it might be worthwhile removing these types of fields.
- Basis and consent
While contracts of employment typically contain clauses establishing the basis for which employee data can be used, if that basis relies upon consent, GDPR expects consent to be specific to an indicated purpose. For example, you may be relying on ‘fulfillment of employment contract’ as the basis for communications and processing which is critical to an employee’s job, but maybe relying on ‘consent’ as the basis for communications which are less critical, like updates on your Corporate Social Responsibility program. Communicators should, therefore, consider using sign-up forms for certain types of communications (like optional topics or communications that are not job-critical), or for certain audiences (like contractors or franchisees). Separately, if communicating with external stakeholders (like contractors or external partners), communicators should consider enabling double opt-in methods on profile-management forms. This will validate the email address before sending communications - to ensure that someone else cannot “consent on my behalf”.
GDPR exempts some types of anonymized or pseudonymized data from the more stringent controls expected under the regulation. It is therefore worth considering abstracting certain data types (like using a code or abbreviation instead of an actual value in certain data fields), anonymizing certain survey types, or enabling the reporting anonymization restriction within your Poppulo account.
GDPR: An ongoing consideration
As there are other areas to consider as well (including breach notification, access requests, profiling, and accountability), communicators should speak to the data privacy stakeholders within their own organizations. This might include, for example, a conversation with your data protection officer to understand what other GDPR-readiness initiatives are underway, and how the communications team’s plans will overlap with those of other company initiatives (or even how the communications team can help your data protection team with their GDPR-awareness goals).
As your internal discussions progress, your Poppulo Customer Success Manager will be able to confirm whether and how to accommodate the readiness activities your data protection officer might expect. As of late 2017, the main readiness activities to consider are relatively straightforward:
By reading this post, you’re already on a path, but it’s worth expanding your knowledge of your organization’s GDPR-readiness plans, and of where the communications team will fit into those plans. A first step here will be to simply talk to your data protection team. Or at the very least find out who they are!
- Information audit
While “audit” might sound daunting, the initial step here will simply involve identifying what personal data is held by the communications team, what it’s being used for, and the legal basis* your organization is relying upon for its use.
As transparency is a key part of the new regulation, you should start thinking about what messages to include in your employee communications, including informing employees about the data that is held, and why. Your HR partners will likely already have their own plans in this area (as they will be holding much more employee data than the communications team). So consider talking to your HR colleagues about their plans (for verifying the basis for holding data and communicating purpose).
- Access requests
While it’s unlikely to be an issue initially, you should start thinking about the process you might follow if you received a data access request from a data subject, in particular if that subject were a contractor or an ex-employee. Again, your data protection or HR colleagues may have already thought about this and might have some plans in place (or at least some ideas).
GDPR: Don’t panic
The main takeaway - for now - is to avoid undue panic. While May 2018 will be upon us sooner than we expect, we can avoid last-minute stress - by starting to think and talk about readiness now.
If you have additional questions about how GDPR will affect your employee communications, you can sign up to our blog (to read any future posts in our GDPR and data privacy series), subscribe to our ‘IC Matters’ internal communications newsletter, or contact us at firstname.lastname@example.org.
* A legal basis could be: contractual necessity ("I can process your data because it is required to fulfill my contract with you - like an employment contract"), consent ("I can process your data because you told me I could"), compliance with legal obligations ("I can process your data because I am obliged to by law - for example for tax purposes"), vital interests ("I can process your information in a life & death situation - like the information processed in a call to emergency services"), public interests or legitimate interests (these latter two are less likely to be applicable in an Internal Communications context - not least if the interests of the data controller are not balanced against the interests of the data subject).