How are you communicating the General Data Protection Regulation actions you need to take?
I’m thrilled to welcome Matthew Batten, Organisational Development Adviser at the Royal College of Nursing (RCN) to the All Things IC blog.
Jargon buster: GDPR is the General Data Protection Regulation, a piece of EU legislation that will supersede the Data Protection Act. On 25 May 2018, most processing of personal data by organisations will have to comply with the regulation.
GDPR aims to give people the power to say how their personal information is used; it also aims to keep data safer.
See the end of this article for a list of resources including articles, toolkits, events and webinars to help you learn more about it. I’ve published various articles to date including: How a charity is preparing for GDPR, How Bristol Water is preparing for GDPR and Are you ready for GDPR and Shadow Comms?
RCN is the world’s largest union and professional body for nursing staff. Matt has worked at the RCN for 10 years and leads on employee engagement and the new starter onboard programme. You can follow him on Twitter @Matt_Batten1 or on LinkedIn.
I’ll hand you over…
Finding the call to action with GDPR
To be honest, I’ve been involved in far sexier projects than GDPR in the 10 years I’ve worked at the Royal College of Nursing. How on earth do you make data protection sound interesting?
We all know GDPR is coming and we all know we need to do something about it. The challenge is finding that one thing that makes GDPR meaningful to our people.
Having assembled a project team to lead us towards GDPR nirvana, we set about running our GDPR engagement plan like a campaign.
And what do all successful campaigns need? One memorable and clear call to action.
Dear reader, allow me to introduce you to The Big Delete.
Would you let your house get as cluttered as your inbox?
That’s the question we asked our people when we launched The Big Delete – our first ever all-user digital clean up. Under the GDPR there needs to be a legitimate reason for storing data. Keeping something ‘just in case’ is not a good enough reason. And keeping copies of information in multiple places is also a no-no.
The Big Delete is about changing habits and creating an environment where personal information is stored in the most appropriate place and for no longer than is necessary.
So our ask was simple: put aside an hour of your time to detox your stale data.
One day. One hour. One big delete.
A strong call to action requires an equally strong image. We wanted something striking and with as few words as possible. It should be immediately obvious what The Big Delete is about. I had a lot of interest when I Tweeted the image so it seems to have done the trick. We’re very happy with how well our branding turned out.
Lead it. Delete it.
No internal campaign has ever been successful without ownership from the top, which is why The Big Delete is being led by our senior management team. Lead it. Delete it. That’s the message to our senior managers.
We sent them a flyer for The Big Delete asking them to do two things: brief their teams about The Big Delete and make sure everyone puts an hour in the diary to take part (on 12 April 2018).
Love your data
Naturally, people feel nervous about the prospect of permanently deleting information. So leading up to The Big Delete we began producing a series of guides called Love your data, launched, predictably, on Valentine’s Day. These online guides give tips and actions to take in preparation for the GDPR.
They cover things like how to organise and delete your emails, guidance about personal and shared drives and most importantly, what information to keep and for how long, where it needs to be stored, what information we store centrally and what you can confidently get rid of.
The best thing about working with data is that it’s easy to measure. Our IT team can tell how much data we have stored on our systems right now and how much has been deleted after The Big Delete.
If I were a betting man I’d say the odds of us having a Big Delete totaliser were pretty high!
Trust us with your data
If there’s one message that we want our people to remember it’s this… keeping member, customer and employee personal data secure is not just a technical requirement – it has a direct impact on customer experience. They trust us with their data and we need to make sure we’re taking good care of their personal information.
It’s a simple enough reason backed up with a simple enough call to action. Who says you can’t make the GDPR interesting?
Post author: Matthew Batten.
Thank you Matt. Do please let us know how it goes on 12 April and I’ll update this article with your results.
How are you preparing for GDPR? If you’re looking for resources to help you, here’s what I’ve published to date:
Further reading on the All Things IC blog:
- How a charity is preparing for GDPR
- How Bristol Water is preparing for GDPR
- Are you ready for GDPR and Shadow Comms?
Resources to help you find out more about GDPR:
- Preparing for GDPR – checklist from the ICO: Self assessment to help you get ready
- GDPR considerations for internal comms: checklist from CIPR Inside
- Data controllers and data processors, what’s the difference? Guidance from the ICO
- Calendar of events and webinars to learn about GDPR
- The impact of GDPR on the PR industry
- Transcript of #commschat on GDPR from March 2017
- Information Commissioner’s Office website
- See @ICOnews on Twitter
- GDPR article by The Global Alliance for Public Relations and Communication Management
- CIPR GDPR webinar
- Article: GDPR compliance, what does it mean for internal communicators?
- Beekeeper’s 31 point checklist
- What GDPR means for marketeers
- Email marketing is changing.
- Figshare: GDPR tool for handling Data-Subject rights and requests
- Article: The GDPR and all that
- Article: GDPR and the fish finger sandwich.
Where to get legal advice: free GDPR checklist
I am not a legal expert; however, I recommend contacting Suzanne Dibble, who is. I’ve bought the resources mentioned below and recommend them. There are two options: a free checklist and a paid-for compliance pack.
Suzanne is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR.
The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin, where she managed a group-wide data protection project, which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award; Suzanne was subsequently runner-up in this prestigious award.
She has published a free GDPR Checklist which guides you through what you need to know.
You can access it here: https://jz993.isrefer.com/go/gdprcl/RachelMiller.
Where to get legal advice: purchase a GDPR compliance pack
Suzanne has also created a GDPR Compliance Pack, which costs £197. She says: “My pack contains 20 legal document templates and checklists that you will need post GDPR, regardless of the size of your business.”
- MODULE TWO: Data processing inventory Legitimate Interests Assessment form, Data transfer checklist, Processor Agreement
- MODULE THREE: Marketing checklist Records retention policy, DPO checklist
- MODULE FOUR: Employer checklist Employee privacy statement
- MODULE FIVE: Employee subject access request form, Response to employee subject access request
- MODULE SEVEN: Data breach record, Data breach checklist, DPIA form, Data Retention Policy.
You can buy it here: https://jz993.isrefer.com/go/gdpr/RachelMiller.
Disclosure: This is an affiliate link. If you buy Suzanne’s pack as a result of visiting this link, I will receive a small commission for referring you to her services.
First published on the All Things IC blog 27 March 2018.