On May 25, major changes to data privacy legislation in the EU, known as GDPR, will come into effect. However, many businesses have never heard of GDPR, and most don’t realize that the changes may affect them, even if they’re not based in the European Union - and the penalties for non-compliance are heavy.
GDPR stands for General Data Protection Regulation. If you market goods and services to customers in the European Union, you will be bound by the new regulations. This applies to not-for-profits and other non-corporate entities, too.
Some of the big changes include:
- Giving customers the right to access all data a company holds about them, free of charge;
- Requiring businesses to inform customers before they gather data about them, and requiring customers to opt in to data gathering;
- Requiring businesses to delete data when customers cease their relationship with the business or request to be forgotten.
For an excellent, plain-English summary of the new rules and what they might mean for your business, we suggest checking out the Super Office blog. They also provide a helpful 5-step guide to preparing for the changes.
One thing they haven’t touched on, though, is the all-important communication planning you will need to do alongside this preparation. If your employees are not clear about their new obligations, they could inadvertently put you in breach of the regulations.
So here is our quick-start guide to developing a comms plan for GDPR.
1. Who needs to know?
Privacy is not just something that begins and ends with IT. While your IT department will no doubt play a significant role in implementing the necessary data management changes, other staff will almost certainly require a solid understanding of how customer data needs to be managed and protected. Sales and marketing teams will no doubt maintain customer and lead databases, and account managers or call centre staff may field questions from clients about their data, for example.
You will also want to inform your customers, board and other stakeholders about the changes you’re making to protect consumer information.
Creating a map of all people inside and outside your organization who may be affected by GDPR will help ensure no one misses out on critical information. The more comprehensive the better - it’s always better to over-communicate than under, when it comes to matters that can affect your corporate reputation.
2. What do they need to know?
Each of the stakeholder groups you identified in Step 1 will have different information needs. Your clients may be content with a single email, reassuring them that you’ve taken steps to comply with GDPR and reinforcing that their privacy is important to you. On the other hand, your sales and marketing teams should probably be involved in shaping the process by which data will be managed, and receive regular, ongoing communication and training with regard to their obligations to EU clients. Likewise, customer-facing staff should be well briefed on the changes so they can confidently respond to queries and represent your brand where it matters most.
3. When do they need to know?
The regulations come into effect on May 25, 2018 - a short two weeks away. If your planning process is only just beginning, you may not be in a position to communicate comprehensively by the deadline, but conducting your stakeholder mapping exercise and determining communication priorities will help ensure you have placeholder communications ready for your most important groups.
Customers may not need to be informed of the changes you’re implementing until the deadline or shortly after, but getting internal teams on board now will be critical.
4. How will you tell them?
How you communicate changes will depend very much on the type of business you run and the sorts of data that you collect. Some business-to-business organizations may find there is increased scrutiny from clients who are themselves well versed in the GDPR requirements, for example, and will need to communicate detailed information, perhaps more than once. Where customers are less engaged with the issues, an article in a regular newsletter may do the job.
Internal communication should be based around informational needs and the impact of the communication not being received. For example, if your sales teams will be heavily affected by the regulations, sending a single email won’t help them to understand their responsibilities and change behaviours - an integrated communication and training program would be an advisable approach. On the other hand, the rest of your organization may have limited exposure to GDPR, and a straightforward intranet article with a link to further information could be enough to keep them in the loop without overloading them with unnecessary detail.
The changes are significant and, for many businesses, will require some concerted effort to respond to. However, instead of viewing the regulations as an imposition, consider them an opportunity to reinforce your relationships, internally and externally. Customers will appreciate businesses that proactively seek to protect their personal information, and employees will be pleased to see their organization acting with integrity and treating customers with respect.
Change journeys are not always easy but they can provide an unprecedented opportunity to connect with your most important stakeholders.
Ursa Communications is a specialist internal communications consultancy. If you would like to talk about how to ensure your people can respond effectively to GDPR, please get in touch.