There’s less than a month to go until the new General Data Protection Regulation comes into force.
Over the past year I’ve been publishing information and advice to help you understand what it is, how it works and what you need to do.
Today I’m delighted to share the next article in my brand new #ICVoices series, which is packed full of GDPR advice from professional communicators. #ICVoices exists to amplify the voices of professional communicators from around the globe via the All Things IC blog to help everyone learn.
Countries represented include Australia, Canada, Germany, Nigeria, Switzerland, the UK, US and many more. I asked questions on nine different topics and practitioners could choose the ones they wanted to answer. Yesterday we examined communicating office moves, today it’s GDPR’s turn. Thank you to the 46 practitioners who’ve shared their top GDPR tip in this article.
Jargon buster: GDPR is the General Data Protection Regulation, a piece of EU legislation that will supersede the Data Protection Act. On 25 May 2018, most processing of personal data by organisations will have to comply with the regulation.
The question I asked was:
Before I share their answers with you, I want to make you aware of a place to get legal advice.
GDPR aims to give people the power to say how their personal information is used, it also aims to keep data safer.
I’ve published various articles to date on the All Things IC blog about GDPR including: How the Royal College of Nursing is preparing for GDPR, How a charity is preparing for GDPR, How Bristol Water is preparing for GDPR and Are you ready for GDPR and Shadow Comms?
Where to get legal advice: free GDPR checklist
I am not a legal expert, however, I recommend contacting Suzanne Dibble, who is. I’ve bought the resources mentioned below to help me create my privacy policies, and recommend them.
There’s two options: a free checklist and a paid-for compliance pack.
Suzanne is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR.
The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner-up in this prestigious award.
She has published a free GDPR Checklist which guides you through what you need to know.
You can access it here: https://jz993.isrefer.com/go/gdprcl/RachelMiller.
Where to get legal advice: purchase a GDPR compliance pack
Suzanne has also created a GDPR Compliance Pack, which costs £197. She says: “My pack contains 20 legal document templates and checklists that you will need post GDPR, regardless of the size of your business.”
You can buy it here: https://jz993.isrefer.com/go/gdpr/RachelMiller.
- MODULE TWO: Data processing inventory Legitimate Interests Assessment form, Data transfer checklist, Processor Agreement
- MODULE THREE: Marketing checklist Records retention policy, DPO checklist
- MODULE FOUR: Employer checklist Employee privacy statement
- MODULE FIVE: Employee subject access request form, Response to employee subject access request
- MODULE SEVEN: Data breach record, Data breach checklist, DPIA form, Data Retention Policy.
You can buy it here: https://jz993.isrefer.com/go/gdpr/RachelMiller.
Disclosure: This is an affiliate link. If you buy Suzanne’s pack as a result of visiting this link, I will receive a small commission for referring you to her services.
Let’s get back to advice from the IC community…
What’s your top tip for GDPR comms?
I’ve collated the answers into sections including:
- Make it relevant
- Keep it simple
- Make it fun
- Continuously audit
- Connect emotionally
- Create content and training
- View it positively
- Check for understanding.
How to communicate GDPR: Make it relevant
Make it relevant and easy to understand. We’re using puns to grab attention and make difficult/boring messages more engaging for staff – Caroline Ledger, Strategy & Change Communications Lead, @CJLedger
Make it relevant. It’s not good enough to say what it is – say what it means in practical terms – ‘If you work as an x then this means y so you should change z’ – Hayley James, Head of Internal Communications, @haylo_pr
Make the message relevant to the audience. Not everyone needs to know every single detail. Tailor to job family – Jenny Insley, Internal Communications Manager, @JennyIN5.
Give examples outside the workplace to show how it affects employees in all walks of life. E.g do they volunteer at a local org that needs to consider data protection – Julia Atwater, Head of Communications – Business & Platform Services, @juliaatwater.
Make them relevant and topical so that people/teams can see how they directly affect them – Karen Nijjar, Owner and Director, @karen_nijjar.
Tailor the message and include relevant examples to the different business units so everyone can grasp what the changes mean for them and how they are responsible for the data they handle. If you are unsure of an approach, look at the plentiful resources and best-practice being shared externally – Ciara O’Keeffe, VP product and customer delivery, @CommsOKeeffe.
How to communicate GDPR: Keep it simple
Keep it simple and make it easy to understand how GDPR impacts the shop floor worker – Dan Holden, Internal Comms & Engagement Manager @holddani.
Keep it simple, try not to over complicate it –Carrie-Ann Wade, Director of Comms @CrayonCW.
Keep them clear, simple and concise – Rowena Kivell, Director, Internal Communications.
Make it simple and easy to understand – Tereza Urbankova, Head of Global Communication, @TerezaUrb.
Jargon free and to the point communications – Jenny Hoolihan, Communications and Engagement Manager.
Only record what you’d be happy to share with someone face to face – James Harkness, Partner, @james_melford.
Keep it simple. It’s easy to get embedded in the jargon but don’t confuse people. Stick to the facts and try to present them in an engaging way, rather than reams of text – Advita Patel, Communications Specialist, @Advita_p.
Keep it simple! Don’t overcomplicate things. Be clear about what people need to do. Make links between the regulations and your organisation’s values so that employees can connect the dots with their own role and feel like there are logical and meaningful reasons behind what they’re being asked to do – Alan Oram, Alive with Ideas, @alanhasideas..
Keep it simple – be clear on the basics – don’t get lost in details that’s not needed – Lynda Thwaite, Head of Marketing and Communications, @LyndaTLive.
When it comes to using photos from events like conferences, have an easy opt-out process. This could be as simple as someone announcing at the start of the day that “We’re going to be taking photos during the event, so if you don’t want your images to be used in x, y, z, please come and talk to us. We’ll make sure you’re not included in those photos.” Alternatively, have consent go out with your delegate registration pack – Leah Bowden, Director @humanizecomms.
A simple one, but make sure your data is properly managed and up to date at all times! – Misty Oosthuizen, @MistyJoy73.
How to communicate GDPR: Make it fun!
Make it fun! GDPR week with lots of activities – quizzes, prizes. Blogs, articles, external perspective – Louise Johnston, Head of internal communications. @orchardberry.
Work closely with your data/information governance leads and keep up to date with what the ICO puts out by way of updates. Use the GDPR opportunity to communicate with your staff, clients & customers to tell them you’re implementing it early and will continue to update them. Keep it simple and you can also be creative. Cunard Cruises did a fab GDPR customer video, bespoke, sent to each one which went down really well. If you are on a low-budget, you can still be creative with your GDPR comms to lift – and promote buy-in – to what is a dry subject.- Kerry Sheehan, Associate Director Communications @PRKezza.
How to communicate GDPR: continuously audit and learn
Continuous audit the use of data safety technology – Aishat Onusi, Technical Adviser on New Media, @AishatOnusi.
Learn the business. That will help you be relevant, credible and effective rather than a reactive service provider – Bernie Charland, Director, Employee Engagement and Communications. @mountainmagic.
Meet the deadlines or else! – Nadine Powrie, Executive Coaching, @NadinePowrie.
Check where your gaps between previous and new legislation truly exist. They might not be as big as you think – Grant McDonald, Vice President Employee Communications, Barclays.
Become best friends with the right people in the business. Form a community or a project and tackle it together. It’s easy for comms teams to end up finding solutions for things that are really owned by other departments, but we always love to lend a hand – Ellie Buckingham, Freelance Comms Practitioner, @LilyRoseWrites.
Check with the experts! Encourage people not to be scared to ask the ‘stupid’ question – Sarah Bell, Communications Consultant, @sarahbell135
How to communicate GDPR: view it positively
Don’t make it a ‘compliance’ rod. Present the benefits and help people want to own their data – Kate Jones, head of communications and corporate affairs, @how_IC_it.
GDPR is a positive thing that enables our customers to feel more secure about their private data. I think it is the key mantra to use when kmplementing this at the process/operational level – Vija Valentukonyte-Urbanaviciene, Acting head of Communications, @vijaval.
Don’t scare your employees! Remind them that effective data management comes back down to ethics and good practice – Luke Murdoch, Internal Communications Consultant, @lukemurdoch
Avoid giving people a list of ‘things’ they have to do and show how to make it part of the every day – Charlotte Armstrong, Internal Communications Manager, @charlottedawna.
Highlight the benefits to get people on board – Debbie Aurelius, Communications Consultant, @DebbieAurelius
How to communicate GDPR: explain the importance and check for understanding
Be knowledgeable – GDPR is an opportunity to demonstrate our credibility and the value we can add so do your research and understand how GDPR affects your organisation as well as the practice of internal communication – Helen Deverell, Communications Consultant, @helendeverell..
As a Comms guy on the opposite side of the planet I admit I had to google what GDPR even was. While it doesn’t affect me directly, something similar likely will one day (plus I like a challenge). If I did have to produce GDPR Comms, I would produce general Comms explaining what it is and what the implications are for all staff. I would try not to be heavy-handed but be sure to explain the importance. I would also produce or coordinate briefings targeted at senior executive level, making them aware of the financial and reputational risks of non-compliance and recommend approaches for trickling messages down to their direct reports. Finally I’d work with ICT or whoever to identify which teams use data and produce Comms collateral (and probably dedicated workshops) for highlighting risks and offering solutions for keeping the team and the wider org safe and compliant – Craig Major, Senior Internal Communications Advisor, Auckland University of Technology. @craig_comms.
It’s OK to say ‘we don’t know exactly what this means for us yet’. The guidelines are quite complex and because there have been no cases in court, everything is unprecedented. We can do our best to communicate what we know, but it’s OK to say that you are still working through some of the implications and what it means for your business over the coming months – Pippa Van Praagh, Global Employee Communications Evangelist.
How to communicate GDPR: create content and training
Create an online tutorial in order to record receipt of the message but also to check understanding by including some scenario based questions. Any misunderstandings can then be clarified through further communications and line management support – Cathryn King, Strategic Communications Consultant, @CathrynKingIOC.
We’ve had an online module created by Jolly Deck for all Kingfisher staff to take. Comms has been via weekly email and Yammer – Becky Wren, Marketing Manager – Communications, @becky_wren.
Read the legislation carefully! Provide brief talking points – give confidence they know what they are ‘allowed’ to share – Justine Stevenson, head of group IC at London Stock Exchange Group. @jusstevenson.
Don’t panic! Find out what your Legal, Security, and HR teams are doing. For many people it is an irrelevance – but your customer-facing colleagues will need to know all about it. Ignore the many voices of doom and take the Information Commissioner’s website as your most authoritative source for everything – John Kay, Group Internal Communications Manager. @positively_.
Make data privacy real for the audience through stories of OMG moments that have happened as part of an Omni channel campaign giving clear simple call to actions. I loved the Royal College of Nursing’s The Big Delete! – Deb Ganderton, Director Service and Engagement @DebGanderton..
How to communicate GDPR: connect emotionally
Link the regulatory requirements to brand values (where possible) or to trust and collaboration with customers or stakeholders/partners. Also connect with how colleagues feel about the safety and security of their personal data – Adam Morris, communications and change consultant.
Consistently emphasis the benefits of an engaged workforce and the benefits to being and the being perceived as a caring, informed, communicative leader – Heather Neisworth, Internal Communications Strategist and Adjunct Professor at Georgetown University (Internal Communications and Employee Engagement), @heathgirl.
In my sector (social care) relating GDPR back to our purpose of delivering great care to people is a way of contextualising what GDPR means and what its aims are. Caring for a person well means keeping them and their data safe – we’ve found this to be effective at all levels of our organisation. It makes it a part of every person’s role, not just the ISO – Alli Cary, Internal Communications Lead, @allicary.
Compliance is everybody’s responsibility. Personal data should be truly valued – Caroline King, Group Head Brand and Communications, Torus @Caroline_Torus.
Remind your people that we’re all in this together. It’s not being done to them as staff, it’s being done for them as consumers – Keith Riley-Whittingham, Communications and Media Exec, @keithrileywhitt.
Find symbols and metaphors that bring the risks and responsibility to life for your specific audiences. Sometimes comms is hesitant to illustrate consequences, but for significant compliance initiatives such as GDPR, messages need to connect in a way that matters to the individual. Knowing your audience motivations and framing the ‘why this matters’ will beat general ‘awareness’ comms – Jonathan Champ, Chief Communicator, @meaningbusiness.
Good question…I’ll let you know when we figure it out! – Joanna Freeman, Communications Executive, @joanna_r_f.
Don’t ignore it! – Bob Lawrence, International Operations Communication and Engagement Lead, @BobLHOC.
Thank you to everyone who contributed their top tips for GDPR comms as part of my new #ICVoices series.
What’s worked for you? As ever, you’re welcome to comment below or Tweet me @AllthingsIC if you have a comment or story idea.
Further reading via my blog:
- How the Royal College of Nursing is preparing for GDPR,
- How a charity is preparing for GDPR
- How Bristol Water is preparing for GDPR
- Are you ready for GDPR and Shadow Comms?
Resources to help you find out more about GDPR:
- Preparing for GDPR – checklist from the ICO: Self assessment to help you get ready
- GDPR considerations for internal comms: checklist from CIPR Inside
- Data controllers and data processors, what’s the difference? Guidance from the ICO
- Calendar of events and webinars to learn about GDPR
- The impact of GDPR on the PR industry
- Transcript of #commschat on GDPR from March 2017
- Information Commissioner’s Office website
- See @ICOnews on Twitter
- GDPR article by The Global Alliance for Public Relation and Communication Management
- CIPR GDPR webinar
- Article: GDPR compliance, what does it mean for internal communicators?
- Beekeeper’s 31 point checklist
- What GDPR means for marketeers
- Email marketing is changing.
- Figshare: GDPR tool for handing Data-Subject rights and requests
- Article: The GDPR and all that
- Article: GDPR and the fish finger sandwich.
Thank you for stopping by,
Post author: Rachel Miller.
First published on the All Things IC blog 26 April 2018.
Come and learn about internal communication with me: