The General Data Protection Regulation (GDPR), which will pass into EU law in May 2018, heralds the most significant development in data protection rules ever seen in Europe. At its most basic level, the regulation requires companies to understand what information they hold, who has access to it and where the information resides.
All companies holding data on EU citizens, whether they reside in Europe or not, must comply, irrespective of size or sector.
The potential impact of getting this game-changing regulation wrong is immense. For certain offences, the maximum penalty can be €20million or 4 per cent of global turnover – whichever is greater. Additionally, failure to comply can significantly damage a company’s reputation, either through the consequences of a significant data breach, or a total loss in confidence from its customers.
The regulation also gives people greater control over how companies use their data. Under the regulation, customers can request a copy of their data, and also request that a company delete all traces of their personal information from their systems. This signals a dramatic shift towards data transparency and customer empowerment when it comes to their data.
Additionally, in the event of a data breach, it is now mandatory that a company notifies both the data protection authority and customers within 72 hours. The GDPR therefore extends beyond systems and IT security; it indicates a cultural shift for many organisations, one that everyone needs to get behind.
Empowering employees to take data handling seriously
The prevention of damaging fines and penalties is dependent on companies maintaining robust and mature data governance and enhancing their entire data process management approach in order to become compliant, thereby mitigating reputational and financial risk.
In the lead up to this significant milestone, companies are looking at how they can effectively communicate internally a regulation that is deemed complex, in its simplest form, to ensure that employees understand their roles when it comes to handling data and customer information, and the severity of getting it wrong.
The primary challenge businesses face when approaching the internal communication of this elaborate regulation is how to finely balance the ownership aspect of the regulation directly with employees, while at the same time ensuring that full compliance is practiced.
Information is key to ensuring that all employees know their roles when it comes to meeting the GDPR requirements. Developing compelling messaging and narrative on the GDPR and its importance to the business is crucial, as is directly engaging employee representative bodies and individual employees on the GDPR principles and rules. It’s also important to encourage employees to openly engage with management and each other on the GDPR, and also to highlight the urgency of reacting appropriately in the event of a potential breach.
A culture of compliance and advocacy
Embedding this culture of compliance involves a long-term strategic approach. You can help to generate buy-in, energy and enthusiasm for best practice across the business by identifying key milestones and celebrating successes.
Preparation and purpose is key to embedding behaviours. Be clear about your goal and the point of your campaign when communicating internally. Some steps to ensure employees buy in to this new culture include:
· Understanding what your audience expectations are, and adapt your message to their needs. You might want to tailor your messaging depending on the department you are speaking to i.e. sales versus IT.
· Building alignment and rapport. Ensure you are on the same wavelength as the people you are communicating with. Invest time in getting to know your audience, make them feel involved, organise interactive workshops.
· Building trust is also key. Employees will respond to someone they trust, and most importantly, someone who understands them. Look at how the GDPR fits into their agenda and how they operate. Then, find something which makes sense for them to agree to, or which they can feel personally engaged in and passionate about. This may be something which benefits the organisation or makes them look good personally.
As with any piece of legislation, it’s easy to view the law as another corporate chore, but when treated as an opportunity to empower employees and bolster your company’s reputation as a leader in data protection, the GDPR has the potential to become every communicator’s favourite four letters.
The clock is ticking.
If you would like to speak to us about how we can support you on your GDPR requirements, you can contact Paul here.