General Data Protection Regulation or GDPR – never, I think, has an EU regulation gotten so much interest. But why?

First of all, what is it? GDPR is a harmonised approach to data protection in the EU. It means that any organisation doing business in the EU, or indeed holding data about EU citizens, even with an HQ outside the EU, needs to comply with GDPR. Companies that fail to comply can be hit with a fine of up to EUR 20 million or 4% of annual turnover, whichever is higher. GDPR has been in place for the past 2 years and by May 25 2018, companies need to comply.

As with all EU legislation – GDPR is the lowest common denominator, so if a company has business in a jurisdiction with stronger privacy protection, that is what it should comply with. It also means that individual EU Member States can have stronger regulations.

The fundaments of GDPR

GDPR rests on these seven principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation and proportionality
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Or in other words – companies can only collect the data they need, while clearly explaining why. They can only collect data when they need it, ensure that the data is kept safe and once it’s no longer needed – that it is deleted.

You may also have heard about RTBF, “the right to be forgotten”, the GDPR poster boy; it means that we have the right to have our personal data erased when it’s no longer needed for its original purpose or if we withdraw our consent. The data holder must ensure our data are deleted and, if the holder in their turn has e.g. sold our data to third parties, that they too delete it.

I find the particularities in GDPR interesting; did you know that, outside the EU, only 12 countries are considered to provide adequate data protection? Rather intriguing when we think about how data cross borders.

Sending the right message

But we’re communicators, so what does GDPR mean for us? One practical outcome of GDPR is the heightened need to identify audiences, and I can think of no other group of professionals than us communicators that is better at identifying and addressing different audiences.

Ours will be the responsibility to educate and train our colleagues about GDPR and what it means. These efforts will be on-going, since GDPR compliance isn’t a one-off but ever changing and continuing as, for example, technologies change.

In case of a breach, GDPR requires notification, so a corporate response plan must be set in place, and a large part of that will be communications. In fact, a response plan is mandatory for compliance, i.e. if a National Data Protection Authority audits a company and there is no GDPR crisis response plan in place, the company will be considered non-compliant, with fines as a result. I advise that together with the Privacy Officer you go through different breach scenarios and develop a set of standardised plans and messages depending on the scenario.

Two of the most important documents in GDPR are the privacy policy and the privacy notice. The policy is internal and explains how employers handle our personal data. Privacy notices are external and typically posted on company websites. To ensure readability, they’re often layered, with a top, middle and lower layer. The top layer is the high-level principle statement. The middle layer explains the controls a company sets in place, and the lower layer explains the operating procedures.

GDPR requires these texts to be easy to understand, and who other than a professional communicator has expertise in explaining difficult matters in clear and concise ways?

Currently living in Zurich, Switzerland, Sara Magdalena Goldberger is a founding member of the EACD and a corporate communicator with extensive international experience from the tech industries and cyber security. During her time at the European Parliament she was on the team that wrote the Network and Information Security Directive.