GDPR – the end of the beginning?
Updated: Dec 5, 2018
This guest post has been written for us by Ben Maynard, MD of Story and Strategy Ltd and a senior associate of The PR Network.
I recently met a compliance and risk lawyer at a networking event. He had just come to the end of what he called ‘the busiest year of my career’. What had made it so busy? GDPR. Companies large and small and across all industries had called upon his expertise to audit and assess their readiness to comply with the new EU GDPR Regulation which came into force on 25th May this year. Now, he finds himself at a bit of a loose end as the majority feel they have done enough to comply. However, he sees this as just the calm before the storm.
Compliance is not protection, nor a defence
The real work for lawyers, and communications leaders, comes as the ‘theory’ of GDPR compliance meets the reality of data security and day to day use of personal data. Being compliant is not a ‘gold standard’ or kitemark that protects you from action, it is a minimum threshold. It does not prevent individuals or groups arguing that their data has been mis-used, nor does it protect you from hacks or data losses. So, all those emails you got in April and May, asking for consent may just have been the first skirmish of a longer lasting battle over personal data in our digital society.
Three considerations for communications leaders
Our roles as communicators naturally bring us into areas where GDPR compliance is important, both to ensure that we are compliant, and to help our clients communicate defensively and proactively about their data management.
First, consider our own use of data. Many rushed to send emails seeking consent from those on marketing lists, email data bases etc to continue to use their information to send communications content. For the most part this may well have been unnecessary. Consent is only one of six different legal bases for processing data. The most flexible for our business is ‘Legitimate Interest’ which the Information Commissioners Office describes as “likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” Most agencies by now will have taken legal advice on this (I am not a lawyer), but you can also find good information on the ICO website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The most likely way communicator will get involved in GDPR going forward is through managing crisis communication for clients falling foul of the regulation. This could be as a result of a hack or data loss (a question of when, rather than if, it happens) or a failure to adequately respond to a subject data access request. GDPR adds another level of concern to these already high-stakes events. Concerns about significant fines (up to 4% of global turnover) will be added to those about customer safety, financial impact, disruption to operations and damage to reputation. Quickly but credibly communicating how you complied with GDPR, how you followed proscribed processes for informing affected parties and the ICO, needs to be at the heart of the crisis communications plan.
In some ways GDPR has helped communicators here as it brings legal and comms advice more into line – be transparent and let people know what happened and how you are working to find a solution as soon as possible (within 72 hours).
But perhaps the widest reaching impact of GDPR will be in creating a need to talk about data and privacy in more effective and proactive ways. The regulation will have a big impact on those business models that depended on harvesting and exploiting large amounts of personal data. It has established a new expectation and value on data among individuals and businesses. As communicators I believe we now must work with businesses to help them explain their use of data in ways that enhance trust and engagement with their customers. Individuals should be wary about parting with lots of personal data, but they will do so if they understand how and why it is being used, and, most importantly, if they trust the organisation they are giving it to.
Privacy may finally become a differentiator itself. I suspect that just as old business models are destroyed by GDPR so new ones will emerge. Organisations that make data minimisation an asset and create loyalty by not collecting data. Apple has already emphasised its privacy and non-collection credentials as differentiators, and I think we’ll see more established and start-up companies doing the same.
Either way, communicators have a key role to play in explaining often complex privacy and regulatory issues in layman’s terms to both stakeholders and customers. From a legal and technical tick-box, to a key ingredient in building trusted brands, and even new business models, GDPR has created many new opportunities for communicators, and we need to make sure we are equipped to successfully act on them.
Ben is the founder of Story and Strategy, an agency he set up in 2018 to fill a specific niche in creating effective communications for technology companies and those in other complex, scientific and technological markets. The common feature of these businesses is a need to explain complex issues to often sceptical audiences without dumbing them down. Finding the angles that both resonate and educate is key to building profile, reputation and ultimately growth.