On May 25, some big changes are coming to data privacy laws in the European Union that in essence put consumers in charge of their own personal data. The General Data Protection Regulation (GDPR) mandate (which the UK is also implementing) impacts data collection and usage for any company that does business in the EU.
The mandate is sweeping, but the basic premise of GDPR is that it treats personal data as a basic human right and covers any personal data that can be traced back to a specific individual that resides in the EU. It doesn’t matter where the company that has the data is located; if a person in a company’s database lives in the EU or UK, their data is covered by GDPR.
Many companies worldwide have probably started making adjustments to their systems and processes to ensure compliance, but many are likely missing a critical component: Communicating to their internal and external audiences.
What does that actually mean? If part of GDPR is actually clamping down on improper communication, do you really want to be doing MORE? Actually, yes. More communications with your B2B audiences that have a legitimate reason to hear from you, that is. GDPR puts strong emphasis on companies being able to show how they comply to the new mandate. Making that more public, peeling back the layers to show customers how and where you use their data—and how you keep it safe—is critical.
Here are four key things you should be thinking about today as part of your GDPR communications efforts:
1. Conduct a data audit.It’s difficult to comply with the GDPR mandate if you don’t know what personal data you collect, what happens to it, where it is stored, and so on. Know your data by conducting a data audit, both for data collected via internal systems as well as through your CMS. Ask yourself what you really need to know about the people from whom you are gathering data vs. what is merely nice to have. If there are EU and UK users in your database that may not have opted in, flag them for appropriate action.
2. Update your privacy notice.Transparency about what data you collect and process, and what specifically you do with it is critical. Updating your privacy notice to include what specific data you hold, and what you do with that data (including who you share it with) is imperative.Your privacy notice should explain clearly how requests to change or remove data—known as subject access requests—are handled and explain how your company keeps user data secure.
3. Determine how you will communicate your compliance.Although it may seem like updating your privacy notice is enough, why not be upfront with your audience and tell them you care about their privacy and are looking closely at your policies and procedures to determine how you can best keep their data safe. You might consider:
4. Develop a Crisis Communications Plan.Nobody wants to plan for things go wrong, but data breaches that leak sensitive information such as credit card numbers, healthcare data and other sensitive user data happen every day. Under the new GDPR mandates, if things do go wrong, the time period for companies to inform regulators is within 72 hours of any data breach that will “result in risk to individuals’ rights and freedoms.” The time period to inform customers impacted is that same 72 hours.
The absolute worst time to figure out what you should say to each of these audiences is while you’re fighting fires. A good Crisis Communications Plan should include all of the relevant documents you’ll need if something does go wrong, including press releases, CEO statements, messaging documents, media Q&A, spokespeople, possible scenarios (and how to address each one) as well as other items you’ll need to communicate the news. Preparing now means a lot less headache if something does occur.
GDPR preparation is not a one-time thing—it requires consistent diligence from the top of the company to the bottom to foster an environment that ensures compliance. Communicating regularly to your audience about your efforts is more than a best practice, it’s a new imperative.Tags: Facebook, marketing, public relations
© 2018 Calysto Communications