The General Data Protection Regulation (GDPR) comes into effect in May. If you’re scratching your head trying to work out what it is, how it works and what you need to know, this article will help.
Today I’m delighted to welcome Eleanor Tweddell to my blog. She’s the interim Head of Communications and Customer Engagement at Bristol Water here in the UK and has shared what they’ve been doing to prepare.
Jargon buster: GDPR is the General Data Protection Regulation, a piece of EU legislation that will supersede the Data Protection Act. On 25 May 2018, most processing of personal data by organisations will have to comply with the regulation.
See the end of this 
article for a list of resources including article, toolkits, events and webinars to help you learn more about it.
GDPR aims to give people the power to say how their personal information is used, it also aims to keep data safer.
There’s an excellent myth buster blog series on the Information Commissioner’s website which is worth reading, but the facts remain if you breach GDPR, there are some large fines involved.
I’ve started to see GDPR creeping into internal communication activities, for example:
Wasn’t easy to make #GDPR part of a light-hearted Christmas internal comms campaign but we gave it a shot. 2,000 postcards delivered to desks this morning. Now: coffee. pic.twitter.com/MeNYBVSi3P
— Adrian Stirrup (@adrianstirrup) December 13, 2017
We’ve made some posters to drive awareness of the upcoming #GDPR at @CoopDigital. It’s not about regulation, it’s about people’s rights ✊ pic.twitter.com/GhwgKAxtQw
— Jack Fletcher (@jckfltchr) November 7, 2017
I’ll hand you over to Eleanor…
How Bristol Water is preparing for GDPR
This time last year we all said ‘ GDPR what?’, now it’s everywhere! The project teams have been assembled, the consultants have been ‘experted’ and now we are in full share and embed mode.
It’s been an interesting assignment getting to understand the regulatory world and its business planning cycles at Bristol Water.
It’s been an eye opener to how much influence the regulator has and this has been especially refreshing as the focus is around customer experience and delivering what customers want.
In amongst business planning, customer engagement and communications business and usual (BAU), along comes GDPR into the inbox. I have to admit I like these kind of requests. On first read of the brief it sounded dry, directive, bureaucratic – but it needed to be understood and taken seriously by all employees.
Challenge accepted.
What have we been doing?
After the first meeting with the project team the comms team were tasked to come up with a support programme, and true to Bristol Water style it couldn’t be dull.
They wanted clever, engaging, creative ways to get messages across. They showed me previous campaigns for market changes, metering options, water saving and they were all delivered with energy, thoroughness and humour, but still with a tone that respects the subject.
After a few idea meetings with our creative agency, Group of 7, which generated everything from ghosts, monsters, policing, we came up with Pacman. Some of us were of that age that we had happy memories of Pacman, even though he (she?) went around eating everything in sight.
We loved the idea that Pacman was in fact here to help, not hinder our cause and he was actually eating things up for our own good.
One thing we felt was important to get across was that GDPR is nothing to be frightened of. It has protection in its name and protection should be seen as a good thing. We launched on Halloween with our GDPR Pacman (fondly named GReedy PieRre).
Instead of scary ghouls and spiders, we went with the message ‘Don’t be spooked, GDPR is here to keep your data safe”.
And not just about ‘keeping your data safe’, I recently attended a conference where the message was around using GDPR as a chance to strengthen customer experience. One of the speakers said “if you respect your customers, and do the right thing, GDPR is nothing to worry about.”
I like the idea of it being a mindset, and a culture shift (or reinforcement) of company values, an opportunity to reassess customer and employee experience.
What’s happening now?
The programme is very much in ‘share’ phase, with us engaging key influencers around the business, breaking down tasks into manageable actions with realistic timescales. GDPR can feel overwhelming and its comms role, along with the project team to make it feel achievable along aside BAU busy jobs.
We want to keep our comms accessible in tone, while appreciating it’s a serious subject. So we’ll mix requests for action, which are clear, concise and achievable with attention grabbing, humorous ‘moments’ which remind all employees of the importance.
Moments such as the day we left lots of (fake) customer and employee details around the building and challenged people to report any breaches they saw; we were pleased to be overwhelmed with reports!
Future ‘Moments’ include a ‘Spring clean’ where we will be challenging people to clear their desks and workspace as part of a tidy desk policy, a Pacman challenge competition and Pacman office decal. We’ll continue to develop these moments as part of our overall plan as we move into ‘embed’ phase of the plan.
I think GDPR is a great example of where comms people from across all sectors can come together and share ideas.
We are all going to have to do it, so why not make it creative and a positive experience where we challenge ourselves about our values.
Post author: Eleanor Tweddell.
Thank you Eleanor, I love this approach!
Learn more about GDPR
Thank you to CIPR Inside for publishing this information in December 2017: “Businesses and other organisations will be required by law to prove their employees have received communication about the GDPR and that they understand what it means for them and the organisation they work for. So, internal communication practitioners have a vital role to play.
As a function, we also need to be aware of the information we hold on our employees and ensure that we are complying with the new legislation too.
Here are some key things to consider when preparing for the GDPR:
- Find out who is overseeing the GDPR programme/process in your organisation and ask to join the project team, if you’re not already part of it. It’s important internal communication help to guide the strategy from the outset as cutting through the noise and ensuring all employees are aware of the changes will be a legal requirement.
- Start communicating regularly with your employees now to help them understand what the legislation means and what they are required to do around recognising and protecting information. Remember to keep communication clear, simple and jargon free. It’s also important to know that the legislation is different for different industries. Your employees need to know about the legislation as it applies to you and be aware that their friends and relatives might hear different things.
- The GDPR may affect how you manage internal communication. Recording, storing or using employees’ contact information (which includes employees’ work or corporate email addresses and social media accounts) means you are processing their data. Consider conducting an audit of what information you currently hold and how you use it. Remember, this information might be stored locally in paper, GDPR is not only about digital records.
- Spend time now understanding the legislation and what it means for the whole organisation, not just your team. For example, risk registers will need reviewing, and processes and databases may need updating. Internal communication need to understand the impact those changes might have on employees and share appropriate, targeted communication about policy changes, training on the new legislation etc.
- Review your crisis response communication plan – does it include data loss, failures in data security or other issues resulting in people’s information being exposed? Ensure it reflects the increased reputational and financial risks associated with the GDPR. Also ensure the data you hold for your crisis response plan (such as mobile phone numbers) is now held in line with GDPR.
- Customers, suppliers or other external stakeholders could have questions about your organisation’s progress around the GDPR. Creating some short guidance and an overview of the actions you are taking can help employees who are responsible for stakeholder relationships.
- Consider unofficial channels your employees may be using such as WhatsApp or even personal email addresses. Now is the time to understand how they are being used and ensure employees understand how these channels are impacted by the GDPR and what their responsibility is to keep information secure.
Resources to help you
See this new guide from the Chartered Institute of Public Relations
Here are some resources to help you:
An excellent source of information is the Information Commissioner’s Office (ICO). This is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Their ICO website is packed with advice and guidance to help you understand what GDPR is, what you need to know and various checklists.
Preparing for GDPR: 12 steps to take now
- Preparing for GDPR – checklist from the ICO: Self assessment to help you get ready
- Data controllers and data processors, what’s the difference? Guidance from the ICO
- Calendar of events and webinars to learn about GDPR
- The impact of GDPR on the PR industry
- Transcript of #commschat on GDPR from March 2017
- Information Commissioner’s Office website
- See @ICOnews on Twitter
- GDPR article by The Global Alliance for Public Relation and Communication Management
- CIPR GDPR webinar
- Article: GDPR compliance, what does it mean for internal communicators?
- Beekeeper’s 31 point checklist
- What GDPR means for marketeers
- Email marketing is changing.
- Event: IoIC Ireland, 20 February
- Event: Public Sector Engagement Day, Bristol, 22 March 2018
- Figshare: GDPR tool for handing Data-Subject rights and requests
- Article: The GDPR and all that
- Article: GDPR and the fish finger sandwich
How are you preparing for the General Data Protection Regulation?
Please refer to legal advisors and the ICO website for advice and guidance to make the right decisions for your organisation regarding GDPR compliance. These resources are intended to help you start those conversations as I’m not a legal expert.
Where to get legal advice: free GDPR checklist
I am not a legal expert, however, I recommend contact Suzanne Dibble, who is. I’ve bought the resources mentioned below and recommend them. There’s two options: a free checklist and a paid-for compliance pack.
Suzanne is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR.
The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award.
She has published a free GDPR Checklist which guides you through what you need to know.
You can access it here: https://jz993.isrefer.com/go/gdprcl/RachelMiller.
Where to get legal advice: purchase a GDPR compliance pack
Suzanne has also created a GDPR Compliance Pack, which costs £197. She says: “My pack contains 20 legal document templates and checklists that you will need post GDPR, regardless of the size of your business.”
You can buy it here: https://jz993.isrefer.com/go/gdpr/RachelMiller.
It includes:
- MODULE ONE: Email for refreshing consent GDPR compliant privacy policy, GDPR checklist inc processing checklist
- MODULE TWO: Data processing inventory Legitimate Interests Assessment form, Data transfer checklist, Processor Agreement
- MODULE THREE: Marketing checklist Records retention policy, DPO checklist
- MODULE FOUR: Employer checklist Employee privacy statement
- MODULE FIVE: Employee subject access request form, Response to employee subject access request
- MODULE SIX: Cookie policy Subject access record
- MODULE SEVEN: Data breach record, Data breach checklist, DPIA form, Data Retention Policy.
You can buy it here: https://jz993.isrefer.com/go/gdpr/RachelMiller.
Disclosure: This is an affiliate link. If you buy Suzanne’s pack as a result of visiting this link, I will receive a small commission for referring you to her services.
Got a story to share regarding how you’re preparing for GDPR? I’d love to feature you, do please get in touch.
Rachel.
Post author: Rachel Miller
First published on the All Things IC blog 7 February 2018. Updated April 2018.
Learn more about internal communication via an All Things IC Masterclass
