[Webinar recap] How comms teams should prepare for the GDPR
Communications professionals from Granicus, LGcommunications and Perago-Wales recently ran a webinar to help public sector comms teams prepare for the GDPR.
[This is our GDPR webinar recap blog 1 of 3. Please note Granicus’ comments on the GDPR are for informational purposes only and do not constitute legal advice. Please consult your data protection advisor or a lawyer for guidance on your obligations.]
GDPR quick recap
First, let’s establish what ‘GDPR’ actually is. The General Data Protection Regulation is mandatory new legislation that comes into effect on 25 May 2018. It replaces the current Data Protection Act directive across Europe and applies to any organisation worldwide communicating with European citizens (Brexit doesn’t affect UK organisations’ need to comply – we all must).
The new law applies to both data controllers and processors, and non-compliance carries the risk of heavy financial penalties and legal action. The GDPR is the first comprehensive overhaul of EU data protection legislation in 20 years and aims to bring the law into step with our ‘digital age’.
The legislation sets out a number of obligations under the GDPR:
- Broadened definition of ‘personal data’
- Set of core privacy principles
- Increased record keeping and accountability
- Stricter security and breach reporting
- Strengthened data subject rights
- Stricter contractual terms between controllers and processors
- Privacy must be ‘by design’
- Requires appointment of Data Protection Officer for certain organisations
- International transfer rules remain in effect as per previous regime (e.g. Privacy Shield and EU model clauses)
[Simon Jones, LGcommunications]
GDPR and the opportunity for public sector communications:
GDPR is something everyone in your organisation needs to understand and comply with, and preparation shouldn’t be left to your information governance team. All staff need training to understand any necessary changes in your business practices – especially the communications team, since they collect and use a range of personal data for campaigns.
The personal information you hold, and the permissions you have to hold that information, will have a direct impact on your ability to communicate with citizens, businesses and staff. Get your GDPR preparation wrong and you severely impinge on your ability to inform, engage and move people to action through campaigns. Ensure your operations are GDPR-compliant, on the other hand, and you can enhance your ability to communicate with the citizens that you serve.
Simon Jones of LGcommunications emphasises that by auditing current processes and the information being held (and for what purposes), comms teams have a chance to tighten up their practices and get to know target audiences better, leading to a greater comms impact.
Simon’s tips for communicators:
- Show the value of information
- Keep it simple and engaging
- Make it real to the people you are engaging with
- It’s about community not (the) council
- Give people a choice – on info you hold
- Don’t apply pressure – they have the right to unsubscribe
- Segment your audience: “Yes”, “No” and “Don’t know”
- Deliver a sustained campaign – give plenty of info and chances to opt in/out
- Use it to find out more relevant information – where they live, what services they use, etc. (explain why this detail is needed as you collect it)
- Build GDPR into wider campaigns, be positive – it is about the rights of individuals.
[Victoria Ford, Perago-Wales]
Six steps to reach GDPR compliance:
Who needs to know about GDPR, and how are you going to share this information with them? Make it relevant and engaging. All staff within your organisation must know what impact GDPR can have.
Know what information you hold and be able to give evidence of why you need to hold that information. These are key requirements of GDPR. Consider:
- What do you hold?
- Where is it held?
- Why do you hold it?
- Who has access to it?
- Who do you share it with?
- Lawful basis for processing
Processing personal data must be necessary – if you can reasonably achieve the same outcome without processing, then you do not have a lawful basis. Article 6 of GDPR states at least one of these lawful bases must apply whenever you process data:
- Legitimate interest
- Public task
- Vital interest
- Legal obligation
- Gap analysis
Look at where you are now and where you need to be. This will enable you to assess all your practices and identify areas that risk non-compliance, helping you to create an action plan.
- The ‘individual rights’ test
The GDPR has given individuals a lot more rights around the storage and use of their data. Are your teams ready to respond to individuals who send in requests, such as to delete all their data that you hold? Would you know where to find this data and how to comply with the request? Would you know when you have a right to reject their request and what to say?
- Third party data sharing
Who do you share data with? Are they GDPR compliant? You must check every step of your supply chain and have GDPR-compliance written into all contracts.
You can use these six steps to bring focus and control to how you approach the GDPR. But it is also key that you think about how you are going to communicate GDPR internally to reach a sustainable culture of compliance. Don’t underestimate the importance of regular in-person training. Tick-box exercises aren’t going to cut it.
Get help to prepare for the GDPR
If you’d like to get some help to ensure your digital communications delivered through govDelivery comply with the GDPR, drop us an email.