New EU rules will enforce protection of personal data
In response to the rapidly growing flow of data between countries, the EU will enforce the General Data Protection Regulation (GDPR) on May 25 this year. The legislation will standardise data protection across the EU’s 28 member states, affecting every organisation that collects, processes, stores and shares any personal information of citizens based in Europe. Essentially, the GDPR will set a new standard regarding the rights of personal data protection for consumers.
The GDPR will not only apply to organisations located within the EU, but also to those outside it that offer goods or services to, or monitor the behaviour of, EU data subjects or consumers. This means that businesses operating in Africa that engage in business with people in EU member states will fall within the ambit of the GDPR. Reputation damage as a result of ineffective communication with stakeholders regarding how you are ensuring GDPR compliance could far exceed the maximum fine.
Have a communications strategy and a plan in place for GDPR
One of the big differences between the GDPR and the Data Protection Act that it replaces is that there is a need to demonstrate compliance. This means the company is responsible for communicating how it is compliant and must communicate it effectively. Businesses today are more conscientious about their reputations, especially with the growth of social media and easier access to information. There has been a real shift towards protecting reputations through building strategic, long-term stakeholder-engagement plans, for example for effective crisis management.
Businesses need to realise that they will receive the highest return on their communications and stakeholder engagement investment when they are all part of a carefully planned, holistic reputation management programme. When it comes to GDPR, the communications plan should focus on four key pillars:
The first pillar is internal communications that address the effect GDPR will have on the organisation and communicate the new procedures to all employees, empowering them to communicate to external stakeholders the enhanced business processes and procedures to protect the privacy of their customers, if it is required of their role. Employees need to know what they should be saying and to whom.
The big take-out
Accurate and transparent communication with all stakeholders is what will set compliant and non-compliant businesses apart as they gear up to deal with GDPR.
The second essential is to train employees so they understand the impact GDPR will have on their day-to-day work, how their business processes and procedures will change and how to manage data securely. Training should include guidelines, general checklists and approved communications checklists. Employees should be provided with a communication channel should they have follow-up questions or need training as the process unfolds.
The third pillar is external communications. Organisations should use the GDPR as an opportunity to show due care and transparency by proactively informing their customers and other stakeholders about their commitment to safeguarding the privacy of their customers, the public and their employees, and showcase what they are doing to protect their data.
In 2017 the importance of ethical business conduct (or lack thereof) was highlighted, with many organisations coming under the spotlight. The introduction of the GDPR offers an opportunity to provide clarity about how you will deal with requests to delete personal information, how you are ensuring that only secure communication platforms are being used when sharing personal information once it has been collected, how you are storing data securely and how you are both safeguarding and tracking who has access to the data, and at what time.
The final pillar is preparing for crises. Incorporating new legislation into organisational processes will not be without issues or risks. It’s important to prepare for likely scenarios such as communicating a security breach and to ensure that the company’s position is clear, a response process is in place and messaging has been well thought through.
Businesses will need to focus on the increased scrutiny they will be under regarding their implementation of all things GDPR-related, and how effectively they communicate this – both internally and externally – will be key.
Robyn de Villiers is chair and CEO of Burson Cohn & Wolfe Africa.