NEW online masterclasses - learn about internal communication with Rachel. Enrol today >

Are you ready for GDPR and shadow comms?

Do your employees use personal messaging apps such as WhatsApp at work to help them do their job?

I’ve written before about the rise of ‘shadow IT’ – decisions and technology being introduced without the knowledge of corporate IT departments. Now it appears shadow communications is on the rise.

Is it just the latest phrase, or something you need to be aware of?

Today I’ve got news of research into shadow communications, plus 12 steps to take to prepare for the GDPR.

With implementation of the General Data Protection Regulation (GDPR) less than a year away and the government considering a ban to the end-to-end encryption of messages, the financial and reputation cost of shadow communications could become even more significant.

In the future, there will be no hiding place when it comes to decisions taken to market information to your customers, when the rules come into effect in May 2018.

You cannot afford to miss reading about this topic. There are resources online to help you make the right decisions. 

Ignorance is not bliss. You need to be aware of how communication is happening in and outside of your organisation and the publics you’re reaching.

I’ve included resources to help you conduct your own research at the end of this article.

Want to learn more about internal communication?

Browse and book my upcoming Masterclasses in 2018. I don’t have a course for GDPR, would you like me to run one? Do let me know.

Do you have robust plans in place?

27 July 2017 update: The Chartered Institute of Public Relations (CIPR) has just released this free webinar to help you learn more about GDPR.

Let’s look at shadow comms…

The rise of messaging apps for internal communication

New research out today reveals over half of Brits use personal messaging for work tasks, as businesses grapple with the adoption of ‘shadow communications.’

According to Yapster, the mobile chat app for retail and hospitality teams, British companies are urged to reassess the way they communicate.

In May 2017 they surveyed over 500 working age adults in the UK about the use of personal communications in the workplace.

Their research revealed 55% use some type of personal electronic messaging for work purposes.


According to Yapster, the trend towards using shadow communications such as WhatsApp, Facebook messenger and personal email is being driven by the entry of increasing numbers of “digital natives” into employment. Almost two-thirds (64%) of 18-34 year olds admitted to using personal messaging services for work.

I wonder if it’s that or the lack of two-way channels?

Are your employees using messaging apps?

Mary Meeker’s internet trends report 2016 documented the rise of messaging communities:

Is this a problem? 

Why are employees using messaging apps? Well according to Yapster’s findings, convenience (34%), rather than urgency (19%) was the main driving factor for respondents, suggesting that many firms are not meeting the expectations of their workforces when it comes to how they should be communicating with their colleagues and contacts.

That’s not a surprise! I find this a lot when I audit companies, the focus from the organisation is often one-way, whereas employees need and want two-way communication.

If your channels matrix is full of push/broadcast comms, your employees can and will fill the void with their own methods.

Other key findings include:

  • More than one in five (22%) say they receive or send messages about work on personal platforms outside of core work hours multiple times a week
  • A similar proportion (23%) say they use them every day and 44% use them at least once a week
  • Personal email (29%), WhatsApp (24%) and Facebook Messenger (20%) were the three most popular channels.

Do you know what your employees are using? Do comment below or Tweet me @AllthingsIC with your views on this topic.

What should you do about it?

The research stated:

The risk to businesses if they fail to address this is made clear by the fact that more than one in ten staff surveyed (11%) said they have used a personal email or messaging service to share business-sensitive information such as trading data, internal documents, or contact details.

Jenni Field @mrsjennifield, Director of Redefining Communications and Chair of CIPR Inside, told me: “Internal communicators are always trying to find new technologies to enable conversations and, with the rise of ‘shadow IT’ and ‘shadow communications’, listening to the research and finding solutions to the challenge of communicating with front-line teams is so important. Working with our internal stakeholders to find the right solutions has to be the answer, rather than doing it in the shadows.”

“It’s not hard to imagine how shadow communications could cause headaches for large companies, but we also see it as a missed opportunity” said Rob Liddiard, CEO of Yapster. “If your employees are choosing to have conversations about work on their personal networks, you have no chance of joining that conversation. So organisations that embrace new ways of communicating and provide ‘safe spaces’ for this to take place can access a wealth of data and insight that can improve performance and encourage innovation.”

What is Yapster?

Rob told me: “Unlike WhatsApp and other free-to-use platforms, Yapster is under the full control of our customers and allows colleagues to interact in a secure, closed environment. With just a few swipes, anyone in your organisation can look people up in the mobile staff directory, start 1-1 and group chats, flag if they need to swap a shift, and track individual and team performance against sales targets.

“Some of the UK’s biggest retail and hospitality brands are already using Yapster to drive sales, improve job satisfaction and lower staff turnover.”

Watch this video to find out more:

What do I think?

I recommend extending your current social media policy to cover the use of social media for internal communication, including messaging apps.

You will not be able to control it. Instead, take the opportunity to identify where your channel gaps are and why employees are filling it with their own methods and channels.

This isn’t as bad as you think, get ahead by joining the conversation, don’t look to lock it down, but open up the channels of communications, in all senses.

Messaging apps are being increasingly used for internal communication. Mary Meeker’s annual Internet Trends report highlights their popularity.

In her recent report, she found cloud-enabled apps are rising rapidly in the enterprise as they are cheaper to build, easier to adopt but harder to secure.

The average number of cloud services was found to have “serious security and compliance implications – 94% of cloud apps are not enterprise-ready.”

So it’s important to do your research first and make sure conversations and decisions are not happening in the shadows.

Further reading via the All Things IC blog: 10 of the latest internet trends – Mary Meeker’s 2017 report.

What is GDPR?

With implementation of the General Data Protection Regulation (GDPR) less than a year away and the government considering a ban to the end-to-end encryption of messages, the financial and reputation cost of shadow communications could become even more significant.

GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

In other words, it’s the most important change in data privacy regulation in 20 years.

The Regulation mandates tough penalties: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.

A #commschat about GDPR was held on Twitter in March 2017 for professional communicators. It featured Robert Bownes, director of communications at Profusion, a data science and intelligence marketing company.

Further reading: I recommend reading the article Robert wrote about the impact of GDPR on the PR industry.

How to prepare for GDPR

Here are 12 steps to take now to prepare you for 28 May 2018:

Where to read about GDPR:

GDPR and internal communication

Thank you to CIPR Inside for publishing this information in December 2017: “Businesses and other organisations will be required by law to prove their employees have received communication about the GDPR and that they understand what it means for them and the organisation they work for. So, internal communication practitioners have a vital role to play.

As a function, we also need to be aware of the information we hold on our employees and ensure that we are complying with the new legislation too.

Here are some key things to consider when preparing for the GDPR:

  1. Find out who is overseeing the GDPR programme/process in your organisation and ask to join the project team, if you’re not already part of it. It’s important internal communication help to guide the strategy from the outset as cutting through the noise and ensuring all employees are aware of the changes will be a legal requirement.
  1. Start communicating regularly with your employees now to help them understand what the legislation means and what they are required to do around recognising and protecting information. Remember to keep communication clear, simple and jargon free. It’s also important to know that the legislation is different for different industries. Your employees need to know about the legislation as it applies to you and be aware that their friends and relatives might hear different things.
  1. The GDPR may affect how you manage internal communication. Recording, storing or using employees’ contact information (which includes employees’ work or corporate email addresses and social media accounts) means you are processing their data. Consider conducting an audit of what information you currently hold and how you use it. Remember, this information might be stored locally in paper, GDPR is not only about digital records.
  1. Spend time now understanding the legislation and what it means for the whole organisation, not just your team. For example, risk registers will need reviewing, and processes and databases may need updating. Internal communication need to understand the impact those changes might have on employees and share appropriate, targeted communication about policy changes, training on the new legislation etc.
  1. Review your crisis response communication plan – does it include data loss, failures in data security or other issues resulting in people’s information being exposed? Ensure it reflects the increased reputational and financial risks associated with the GDPR. Also ensure the data you hold for your crisis response plan (such as mobile phone numbers) is now held in line with GDPR.
  1. Customers, suppliers or other external stakeholders could have questions about your organisation’s progress around the GDPR. Creating some short guidance and an overview of the actions you are taking can help employees who are responsible for stakeholder relationships.
  1. Consider unofficial channels your employees may be using such as WhatsApp or even personal email addresses. Now is the time to understand how they are being used and ensure employees understand how these channels are impacted by the GDPR and what their responsibility is to keep information secure.

Want to read more?

See this new guide from the Chartered Institute of Public Relations

How are companies preparing for GDPR?

I Tweeted this morning to see if anyone is addressing it already. Thank you to the professional communicators who replied:

Do comment below or Tweet me @AllthingsIC if you have examples of how you are preparing for the regulation:

How are you using messaging apps inside your organisation? How are you preparing for the GDPR rules?

Please refer to legal advisors and the ICO website for advice and guidance to make the right decisions for your organisation regarding GDPR compliance.

As ever you’re welcome to comment below, contact me or find me on Twitter @AllthingsIC if you have a guest article or comment to share with All Things IC blog readers.

Please see my guidelines for submitting content.

Thank you


Learn more about internal communication

Sign up for an All Things IC Masterclass. These are one-day training courses in London.

Your investment is £499+VAT, with discounts available for CIPR and IoIC members, plus nonprofit organisations. CIPR and IoIC members can also earn CPD from attending one of my courses.

Choose from:


Find out more and save your place.

Post author: Rachel Miller
First published on the All Things IC blog 18 July 2017. Updated December 2017.

Sources I used for further info:


  1. […] not owned or moderated by the organisation. This reminded me of a recent blog about the rise of ‘shadow communications’ by Rachel Miller of allthingsIC and the potential implications of this with the General Data Protection Regulations (GDPR) being […]

  2. Rachel says:

    HI there

    I’m working for a company whose business involves a lot of customer data. In internal comms we are just about to set up a new digital community for staff using Facebook’s Workplace and I wonder how we are impacted by the new GDPR. If employees use group chat in Workplace and mention customer data are we in breach? They currently used the chat function in Salesforce I believe.

    I’m also wondering about how easy it is to search data on Workplace as I’m aware the GDPR means that we have to be able to provide customers with all instances of how their personal data is being used if they ask for it.

    Thanks for any advice – I really need a GDPR/Workplace expert!

Submit a comment

Your email address will not be published. Required fields are marked *

How can we help?

All Things IC helps practitioners around the globe increase their knowledge of internal communication.

There’s a variety of ways we can support you including trainingconsultancy and mentoring to boost your skills and confidence.

Or visit the shop to see everything we offer.

Who has hired All Things IC?

Clients say working with All Things IC leaves them feeling inspired, motivated, full of ideas and ready to turn plans into action.

We’re proud to have been invited to work with, and advise, some of the world’s leading brands.

Get in touch...

Would you like to work with All Things IC? Do get in touch below.