If your company operates within the European Union (EU), your internal communications may be affected by a sweeping range of privacy requirements that came into effect in May 2018.
The General Data Protection Regulation (GDPR) was introduced to keep people's data safer and to give people more control over the ways their personal information is used.
Under the rules, you will need to be able to prove that you have been given consent to hold any personal data, to show the ways in which the data was used, and to demonstrate what actions you have taken to protect it.
And if your business isn’t complying with this, the fines are huge. You could be penalized with either 4 percent of your global turnover, or €20 million – whichever amount is higher.
While much of the focus on the GDPR has been on external communications, it has implications for internal communications as well, particularly for multinationals with employees living and working in EU countries that have not considered this aspect of it.
What do I need to do to ensure internal communications are complying with GDPR?
Now that the GDPR has been in effect for more than a year, it's a good time to take stock and determine whether your organization is complying with the rules when it comes to internal communications. To make this easy, we've prepared a checklist, which you can also download as an Excel file.
- Establish a GDPR project team and ensure the communications team has a place within that. This way you can ensure internal communications is embedded in any decisions that are made, so it isn’t forgotten about.
- Understand who your employees are, where they live and where they work. Even if your headquarters are located outside the EU, the GDPR will still apply if you are storing data about these employees on computers outside the EU.
- Understand who your customers are. If they are based in the EU you will also need to ensure that GDPR measures are followed when it comes to their personal information.
- Be clear about where data flows in your organization. You will need to bring in different teams to audit this: HR, IT, finance, sales, communications and so on. Who keeps the data? Who are they keeping data about? How did they get the data? What is the data used for? How is it stored? Who can access the data?
- Develop a policy for your organization that sets out how you will incorporate the GDPR requirements in your operations for both internal and external parties.
- Circulate that policy, and any other relevant information about your business and the GDPR, widely among your employees, outlining both what you are doing to keep their data safe and what they need to do to keep customer data safe.
- Keep good records of all this communication.
- Be transparent. Ensure information about GDPR is always easy to find for all your employees, such as a clear link on your company intranet site.
- Create a range of support materials. Fact sheets, FAQs and so on should be written and easy to access so employees know how the GDPR affects them.
- You will need to get permission from EU employees to collect and store any data. If you do not have this permission, you need to rectify this immediately.
- One aspect of the GDPR is that terms and conditions must now be easy to understand, so people know exactly what they are giving consent to. If your terms and conditions, particularly for employees, were developed in a non-EU country, they might not be compliant. However, a one-size-fits-all solution may not work for global corporations, and you may need legal advice to develop terms and conditions that are appropriate in different jurisdictions.
- Employees will have the right to access any personal data you have stored about them – consider how you are able to grant this access and communicate it.
- EU employees also have the right to know who you have shared data with. You will need good record-keeping and also good mechanisms to support communicating this information when it is requested.
- Employees can also request that their data be deleted. You will need a mechanism to support this.
- Data breaches must be reported within 72 hours. This includes communicating the breach to all employees, clients and other stakeholders. To do this effectively, you will need a GDPR data breach communications plan in place with easy-to-follow steps outlining who you will tell and which channels you will use to communicate with them.
- Ensure GDPR breaches are covered in your company crisis communications plans.
- Review how the internal communications team stores employee information. Internal communicators often keep information about employees such as their name, email address, role, title and so on. You will need to ensure that EU employees understand that you hold this information, and follow all the relevant GDPR rules when handling it.
- Don’t forget about photographs. If you include photographs of staff in any internal or external communications campaigns you may need to revisit the images. You might want to do a stocktake of your image library and ensure you have the appropriate permission from anyone featured.
- Ensure your communications channels are GDPR compliant. When you use third-party software and platforms to engage your employees and deliver internal communications, they may incorporate data-gathering analytics tools to measure reach. Check whether these products meet the GDPR requirements and, if not, seek suitable replacements.
- Determine if any unofficial channels are being used. Some work teams could be using apps and social media platforms to communicate with one another that do not comply with GDPR.
- Ensure you have solid key messages around the GDPR. You can't communicate these requirements just once; they should be built into ongoing global communications with your employees so they are reminded of the requirements and of how you are complying with them.
- Ensure your communications are simple and free from jargon, and easy to understand.
- Create GDPR awareness campaigns. Communicate widely with staff no matter where they are located. Use a dedicated internal communications solution, like DeskAlerts. This will guarantee that your messages will be read. It tracks statistics, so you can always prove that your employees saw your messages.
- Train staff in the GDPR. It won't be enough to have a policy person or a legal officer who knows the GDPR requirements inside out. Anyone who holds data on employees, for example the human resources team, should be given training so they know what their obligations are and what the consequences are for the company if the GDPR is not followed.
- Offer refresher training in the GDPR. Don't assume that everyone will remember. Keep it front of mind by requiring relevant employees to undergo ongoing training on this issue.