GDPR for PR and corporate communication: a checklist
The GDPR, the new EU regulation for data protection and privacy, will have a double impact on corporate communication professionals when it goes "live" on May 25th:
- you will need to create information and policies that are required under GDPR for the entire organization
- you also need to make sure that the corporate communication department itself is GDPR compliant, especially in relation to storing and processing stakeholder information
To help you understand what needs to be done, we assembled this checklist, ranked from important and urgent to less urgent.
1. Important and urgent: update the crisis communication plan
By far the most important change that the GDPR brings is an obligation to report every "data breach", that is: every time someone unlawfully accesses, changes or steals data from you.
That's a huge change.
Until now there was no obligation for organizations to notify privacy regulators or affected people of breaches.
This meant that it was up to organizations to decide whether, how and when to communicate on data breaches. In practice, this meant that organizations often chose to remain silent about data breaches, even if they involved serious cases of hacking, embezzling or theft, stealing passwords, or doxing (dumping proprietary information on the Internet).
Many organizations chose not to report data breaches in the hope that the problem would blow over. (That didn't always go well, as we explain in this earlier blog post.)
1a. Notification to the supervisory authority
As of May, in the case of a data breach, you have to notify the supervisory authority in your country. In some cases you also need to warn the people affected (the "data subjects" as GDPR calls them) of the fact that their data were breached.
The notification to the supervisory authority has to be made "without undue delay" (and in any case within 72 hours).
If you are not able to notify the regulator within that timeframe, you must explain what caused the delay in notification. There's only one exception to this rule: if there's "little risk" that rights and freedoms of the data subjects are in danger.
The call as to whether to notify the authorities of the breach will be made by your legal and regulatory team. Of course, you might be called upon to help communicate the breach to them.
Also, communicating to supervisory authorities always carries the risk of leaks, especially if you work for a well-known brand or an important institution (e.g. banking, hospitals,...). Corporate communication must be involved early on in the crisis to assess the risk of media leaks and to prepare reactive and holding statements for media requests.
1b. Notification to data subjects
If the breach creates a "high risk" for the people whose data you are storing and processing, then you're also required to inform these people (Article 34 GDPR):
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay;
The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).”
The nature and definition of this "high risk" is something that you will - again - have to talk about with legal and regulatory. This can be done in advance when you do a risk analysis to prepare for your crisis communication plan.
For GDPR, "high risk" would definitely include:
- financial impact: money stolen
- privacy impact: e.g. health data, other private data like photos, records, personal and confidential information like HR related information
- security impact: passwords
As a minimum, you need to tell the data subjects about why and how you were storing these data (Art. 33):
“describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”
Communicating about a data breach means that the chances become exponentially higher that media will get involved, especially when your brand is well known or the type of data you store in some way captures the imagination (money, photos, passwords, hospital or employment records,...).
In terms of your to-do list, this means you'll have your work cut out on checking and updating the crisis communication plans and escalation procedures. You need a risk assessment of the types of data you process and the types of data subjects about whom you are keeping records.
You might also want to look at your reputational reservoir in case of data breaches. In any crisis situation, it's good to be able to fall back on bolstering and supporting messages. Is it time to create some reputational messages on privacy and data protection? Or to create proof points of your responsible handling of data? It's never too late to work on a reputational cushion in case a crisis presents itself.
2. Privacy & data protection policies - existence and readability
You might have noticed the reference to "clear and plain" language in the part about data breaches.
The obligation to communicate in clear and plain language is not just a requirement in the case of a data breach. It is a constant in the GDPR. The EU wants consumers to understand what permissions they give and how companies will use their data.
That means that privacy policies and data protection policies can no longer be written in the legalese that we've become accustomed to.
As the corporate communication department, you will probably need to help your colleagues in other departments (like HR, regulatory and legal) to write clearly understandable privacy policies.
3. Potential reputational impact: right of access (Art. 15 GDPR)
An entirely different type of risk stems from the fact that data subjects can ask you to give them access to the information that you are keeping on them (Art. 15 GDPR).
First of all, you must answer their questions about whether or not you keep data on them.
If you are storing data, you must be able to explain why you are collecting and processing the data, what kind of data you are collecting, where you got the data (if you didn't collect it yourself) and how long you plan to keep that data.
You must also explain the fact that people can ask to rectify or erase their personal data and the fact that they have the right to make a complaint to the supervisory authority.
Lastly, if you are using artificial intelligence or automated logic to make decisions about them, you need to explain how the logic works. For instance, if you have an algorithm that decides whether or not people will receive a loan, you must be able to explain how the algorithm decides whether you're eligible for the loan.
Almost any of these requests for access can create reputational issues for your company.
First of all, the sheer volume of data that you store might be salient to the media (as in the case of the Austrian student Max Schrems, who took the fight to Facebook).
Then there are also all kinds of sensitive data - like gender, religion, ethnicity,... - that make people wonder why you are storing all this information and challenge your right to store it.
There might be glaring errors in your records, which might reflect negatively on your brand. (If you can't get their name right, how good can the rest of your operations be?)
And finally you might be forced to turn over records that include questionable descriptions of people. Not all your colleagues are trained diplomats.
In other words, your organization will need your help to create a GDPR-proof data culture. People need to understand that privacy is a thing, and that anything they write down about stakeholders can be accessed and scrutinized.
So create clear policies for how the organization treats data. Train people who keep records to be professional and beyond reproach in the way they categorize and describe people.
4. Stakeholder management and GDPR
Once you've dealt with the most urgent requirements in terms of compliance, it's time to look at your own department.
Immediately, you will find yourself in a small but interesting part of the GDPR debate. The corporate communication best practices say that you should have a good overview of your stakeholders.
That means that, at a minimum, you need to have a list of stakeholders and their representatives - as well as some classification and information about their views. You can think of stakeholders like:
- Federations and associations
- Policy makers
But also groups that might have goals that are at odds with your organization, such as
- NGOs and pressure groups
- Organized labor
- Neighborhood committees
The question is whether you need to contact all of them and ask for their consent to store that information - or can you rely on "legitimate interest" to store that information.
The same goes for journalists: Can you keep a database of journalists to e-mail them your press releases? Can your PR agency keep a database? These are thorny questions and there's no good answer to them yet, as many edge cases will be decided by the judiciary.
There is a good case to be made that companies have a legitimate interest to manage a list of stakeholders. If you're a chemical plant, it makes sense to have a database of contacts in surrounding residential areas, such as local administrations (mayor, police, fire department,...) and neighborhood committees.
The same case can actually be made for journalists. You can argue that the impact of the media is so great that it is necessary to monitor what the media are writing and which journalists in particular are following your industry. This is the case that Daryl Willcox of ResponseSource makes on Stephen Waddington's blog:
"I believe that a fair and reasonable interpretation of GDPR is that public relations agencies and in-house departments would be exercising a ‘legitimate interest’ in storing and processing journalist data, and contacting journalists to provide relevant information.
If public relations professionals across the UK have to get specific consent from every journalist for every client and every campaign (granularity of consent built into GDPR), then this will be disastrous for public relations and I believe for journalism – and democracy – too.
Public relations would be suffocated by administration and no journalist has the time to respond to every consent request (they’d still be bombarded, with consent requests rather than irrelevant pitches). The end result would be a substantial barrier to access to the media, a terrible hindrance to the ability for journalists to report fairly and comprehensively on what is going on in society and hold those in power to account. Remember, access to the media should be a right not just for big corporates but small businesses, charities and pressure groups too – organisations of all types and sizes."
It's a good point - but be advised that it's not the official, final word on GDPR and stakeholder and media communication.
What is clear is that you need to be much more explicit about your data policies. And here, too, you will be forced to offer a "right of access" to stakeholders.