Table of Contents
- Rights for EU Citizens and their personal data
- Steep fines for those that don’t comply with GDPR
- A new job role: The DPO, or Data Processing Officer
- Communicating GDPR requirements to employees
- Responsibilities around the data Internal Comms stores about employees
- Measuring employee engagement under GDPR
What is GDPR?
GDPR, or the General Data Protection Regulation. Another four letter acronym for us to remember, right?
But consider for a moment that the last time the European Union made significant changes to the requirements for how organizations handle EU citizens’ personal data, it was October 1995 (when legislation called Directive 95/46/EC was put into place).
Later that same year, Clueless was released in theaters across North America.
Cher Horowitz probably wasn’t worried about her digital footprint back in ‘95.
A lot has changed in the last 23 years, from the rise of social media to the almost universal adoption of smartphones. And today, for a number of understandable (and some other) reasons, businesses store a lot of our personal data.
The new GDPR legislation attempts to protect citizens by giving them more control over their personal data, how it’s used, and requiring all organizations that handle EU citizens’ data to meet specific requirements.
GDPR legislation will bring data privacy requirements for all companies processing the personal data of EU citizens, regardless of whether the processing is taking place in the EU or not. This means that any company that collects data about EU citizens has new requirements to consider. It’s unlikely any large organization won’t be affected.
GDPR comes into effect on May 25th, 2018.
So what exactly is changing? And what does it mean for internal communicators?
A summary of what’s changing for organizations under GDPR
The new GDPR regulations replace the Data Protection Directive (the standing regulation from 1995), and attempt to do three specific things:
- to consolidate data privacy laws across Europe
- to protect EU citizens’ data privacy
- to regulate the way organizations that do business in the EU approach data privacy
To accomplish these objectives, a number of changes will need to be made by organizations that process personal data. And new rules about how data is handled internally will need to be implemented.
Organizations will now need to be more transparent about the data they collect (and why), have permission from the citizens they collect it from, and agree to provide a copy of the data or delete it on request.
GDPR puts consumers and employees first. Although this change may create more work for communicators, the conversation around data privacy and these changes are positive.
Rights for EU Citizens and their personal data
Under GDPR after May 25th, EU Citizens have the right to:
- Be notified of security breaches that relate to their data within 72 hours.
- At any time request whether or not their personal data is being processed by an organization, where and for what purpose, as well have as an electronic copy of their personal data provided.
- Have their personal data erased on request, also called the right to erasure (there are significant limitations to this that are relevant to employers and internal comms).
- Data portability, which means that EU citizens have the right to receive the data that has been collected on them and transfer this data to another entity.
- Data minimalism, which means having organizations process only the data absolutely necessary for the completion of its duties, as well as limiting the access to their personal data to only those involved with the actual processing.
Steep fines for those that don’t comply with GDPR
After May 25th, organizations processing EU citizens’ data in a way that is not compliant could be subject to fines. The maximum fines defined by the regulation are significant -- 4% of annual revenue or 20 Million Euros (whichever is greater).
A new job role: The DPO, or Data Processing Officer
If processing personal data is a core activity for an organization, the organization will need to perform an analysis to determine whether they need a Data Protection Officer (DPO), which is an internal auditor responsible for compliance training and a contact point for authorities.
What is the effect of GDPR on Internal Comms?
Fundamentally, GDPR aims to protect citizens of the EU from having their data misused. This may sound like something the Marketing or IT department should be primarily concerned about, but there are a number of ways it will affect HR and ultimately internal communicators.
Communicating GDPR requirements to employees
Organizations will be required to disseminate information to employees about GDPR and how it affects the organization (and keep a record that this was done). This will likely include communicating how the organization itself is planning to stay compliant, as well as what it means for employees.
Responsibilities around the data Internal Comms stores about employees
Much like the marketing department, internal communicators rely on some personal data to provide relevant information to their audiences. Often stored in an HR system, this type of data includes employee names, email addresses, roles, etc.
One important thing communicators need to consider under the new GDPR legislation is how they will inform employees about what data is stored (and why).
Organizations will need to communicate specific information like:
- What employee data points are stored (and why)
- Where the data is stored and how it is processed
- Who to contact if employees have questions or objections about how their personal data is used
Under GDPR, data about employees is classified as either personal data or sensitive personal data (read on for what these terms mean).
Measuring employee engagement under GDPR
Many internal communicators rely on data-focused platforms like Bananatag and Google Analytics to report on their communications and prove their impact. The data processed by these platforms can include data on interactions (like how many times an email was opened or which articles were most popular on the intranet), or individuals' personal data, which is often used to personalize messages.
Data-driven communicators will need to ensure their practices and the platforms they use are compliant with GDPR. The extent to which the use of these tools will be affected by GDPR depends on both how the specific vendor providing a tool or platform has handled compliance, and how organizations are using the tool. Even compliant tools can be misused in non-compliant ways.
Customers using Bananatag will be happy to know that our data is hosted on AWS servers and we already have a Data Processing Agreement that complies with GDPR. We also have a dedicated data security and data processing team who will continue to work to ensure all systems on our end are compliant.
Google Analytics has also provided information about their commitment to GDPR.
A helpful glossary for important GDPR terms
We’ve tried to avoid using too much jargon in this article but here are seven pieces of helpful terminology specific to GDPR to get your watercooler conversations compliant as well:
Data subject - a person whose personal data is processed by a controller or processor.
Personal data - any identifying information relating to an individual (i.e., name, id number, location data, email address, etc.)
Sensitive personal data - a special category of personal data relating to an individual that is subject to additional protections (i.e., genetic data, political opinion, religious beliefs and sexual orientation.)
Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Data controller - the entity that determines the purposes, conditions, and means of processing personal data.
Data processor - the entity that processes data on behalf of the data controller.
Profiling - any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior.
Visit the EU GDPR website for a full glossary of terms relating to the regulations.
10 Step Checklist of GDPR Considerations for Internal Communicators
This list is not exhaustive and is intended to serve only as a starting point for internal communicators and organizations that are discussing or reviewing their approach to GDPR Compliance.
- Are employees well informed about what the organization is planning to do with their collected data?
- Has the organization’s data policy been clearly stated as part of an employer/employee agreement? And, if applicable, has the process of getting consent for information from employees been clearly communicated?
- Is personal data always stored and accessed securely, through an encrypted connection?
- Does the organization have a process in place to alert employees in the case of a data breach?
- Does the organization maintain a record of what employee personal data is processed (and why)?
- Are employees informed about the third-party data systems that their personal data may be passed on to?
- Does the organization avoid targeting employees based on what is considered Sensitive Personal Data under GDPR?
- Is the organization's approach to collecting and processing data built around the concept of data minimalism?
- Has the organization evaluated whether or not a Data Processing Officer is necessary to maintain compliance?
- Is there a policy in place to manage GDPR-related requests from employees, such as requested access, deletion and/or opt-outs, where applicable?
The GDPR legislation comes into effect on May 25th, 2018 and will affect every large organization.
Moving forward, EU citizens will have new rights relating to their personal data. Internal communicators are advised to review their practices to ensure they (and the tools they use) are compliant with GDPR.
GDPR represents a positive shift in attitudes and responsibilities towards data privacy, and (on an individual basis) benefits not only those in the EU, but consumers and employees everywhere.