Blog 1: GDPR webinar recap – The role of communications
Granicus recently hosted a webinar in collaboration with Holly Bremner and Imogen Heywood from the Centre of Excellence for Information Sharing to give people working in public sector communications an overview of the General Data Protection Regulation (GDPR).
GDPR is a new EU regulation coming into force on 25 May 2018 that will affect the way organisations process and control personal data. It will supersede the Data Protection Act (DPA) and applies to activities that take place in the EU as well as processes taking place anywhere in the world that involve the data of people who live in the EU. The UK’s decision to leave the European Union does not affect our need to comply. If you haven’t started already, now is the time to prepare for it and get some help if your organisation needs it. Over the next few blogs, we’ll share some of the learning from the webinar which you can watch on-demand here (you can view the slides separately here).
THE CURRENT STATE OF PLAY
Before the webinar, many of you were kind enough to spare a few minutes to complete a survey gauging your current understanding of the GDPR. Thank you very much, this really helped us plan the webinar, and will also help us share the right level of info at the free GDPR seminar on 26 September 2017 at #UKComm17. We hope you can make this event for a deeper look at what the GDPR means for public sector comms. (Please register in advance)
Comms teams actively preparing for the GDPR:
While 89% of you said you had heard of “the GDPR”, the majority of respondents said their communications team had not yet started preparing for the new regulation, or, if they had, they didn’t know what work was going on. So if you’re feeling worried about your lack of knowledge or engagement with GDPR, don’t be alarmed. You’re not alone, there’s still time to get ready, and there are people to help you – stick with this blog series for starters.
THE ROLE OF COMMUNICATIONS IN PREPARING FOR THE GDPR
Given that the GDPR is likely to enforce some (big or small) changes for your organisation – from a practical day-to-day data handling perspective – staff are going to need to know what they need to do to prepare for the transition and how to avoid breaking the law come May next year. Sounds like a call to action for the Communications team, right? Yup. And on three fronts:
- The Communications team will need to support the transition work and play an important role on the organisation’s GDPR “tiger team”, to help ensure all staff have the guidance and support they need to comply (cue some drip-messaging campaigns starting…now).
- The Communications team must undertake their own necessary prep work within the function: data audits, cleanses, seeking data usage permissions where there is ambiguity, and other work to ensure that the comms team and its practices (internal and external comms) are ready to be compliant. It’s important you start this engagement (or re-engagement) work now among your various subscriber bases and contact databases, since you may not contact someone to seek or check their consent from 25 May 2018.
- It is now really important that Communications teams (and the organisations they work for) recognise the need to engage the public in discussions about the GDPR and data more generally. Namely, work is required to help raise awareness of the new information rights for individuals that the GDPR will bring and how the organisation is responding to them. You should also convey to people how sharing their personal data with the organisation gives them an important route to keep aware of and influence service reform. Don’t forget to engage with your clients / the public on this issue, not just staff. Tools like the GovDelivery Communications Cloud can help you streamline, automate and manage your campaigns effectively.
As a first step toward being compliant, communications teams are being encouraged (along with the rest of their organisation) to assess what personal data is held by teams, where it came from, and what the lawful basis is for its use. Where the lawful basis for processing is consent, you will then need to look at the nature of that consent in more detail (to check it will comply with the higher standards for consent under the GDPR).
Check you have proof that each contact consented to the communications they’re registered to receive or services they’re currently subscribed to. This “opt-in” proof (for example to a public topic-based email subscription service) is a crucial element of the GDPR, however, if you’ve been complying with the DPA and following mailing list management best practices, you shouldn’t feel concerned and won’t find it difficult to get ready for the new regulations.
The pressure is therefore on for communicators to build their reach now and check that they have subscribers’ consent to send the service- or topic-specific messages they’re already sending. Organisations using citizen engagement solutions like the GovDelivery Communications Cloud to manage multiple subscription lists are already able to identify exactly how and when someone came to subscribe to digital updates (email or SMS) thanks to the timestamp and source log in the system. If you don’t have access to proof like this using other comms tools, you’ll need to find another way to track and record this info.
Organisations should see this period as an exciting opportunity to check subscribers’ opt-in status to certain comms (if there is any uncertainty), reinvigorate sleepy subscribers, and cross-promote both other opportunities currently available as well as topic-specific comms that an organisation will provide in the near future which are likely to be of interest to current audiences. In the run-up to May next year, be proactive about offering other (relevant) subscriptions for people to subscribe to and explicit about what they’re signing up for.
Organisation information audit in the last six months:
Comms teams involved in the information audit:
Our pre-webinar survey showed that only 20% of respondents knew an information audit had taken place at their organisation in the last six months, and of those people, 56% said that their communications function had been audited as part of that process. Given that the communications team often handles significant amounts of personal data across a range of channels and platforms, and from different sources, it’s vital teams take action now to fully understand their data and seek new usage permissions if the person’s consent is ambiguous or unknown. You need a “paper trail” for every comms contact.
What is meant by “personal data”? It’s worth noting that the GDPR definition of “personal data” is more detailed than under the DPA. It goes beyond just names and addresses to include personal identifiers such as ID numbers (e.g. national insurance number, NHS number etc). It also applies to genetic, physical, social and economic factors which on their own, or in combination, could be used to identify an individual.
Please note, this is the first of several blogs to help you prepare for the GDPR. We’re working through your questions from the webinar and will publish the list with answers on our blog over the next week. Thanks for your patience. More info and guidance to come, but for now, here are some handy resources:
- 12 steps to help you prepare (ICO checklist)
- GDPR messages for the boardroom (5 minute video featuring the Information Commissioner)
- Information Commissioner’s Office guidance for direct marketers
Want more information?
If you’d like to find out more about how Granicus can help your organisation get ready for the GDPR and better communicate with internal and external audiences in the run-up to the regulation and after, please contact us today for a chat.