20 September 2017

What does GDPR mean for Internal Comms?

GDPR regulations mean that misuse of data can lead to huge financial penalties. And with data leaks most likely to come from employees, HR and Internal Comms pros need to know how to navigate this challenge.

What is GDPR?

General Data Protection Regulation (GDPR) applies to all businesses operating within the European Union. In a nutshell, it regulates and standardises how companies handle and use personal data. If your company does handle personal data, you’re going to need to prove that consent was given to hold it, be able to show what the data is being used for, and how it’s being protected*. 

How does GDPR affect my business?

The fines for not complying can be pretty big: either 4% of annual global turnover or €20 million – whichever is higher – GULP! To give that a bit of context, according to The Register, Pharmacy2U’s £130,000 fine for selling customer data without consent would look like £4.4 million from next year, and TalkTalk’s 2016 cybersecurity breach fine of £400,000 would rocket to £59 million. Businesses aren’t falling over themselves to get up to speed either: RSA found that 28% of companies are unaware, 29% aren’t doing anything and only 43% are preparing for the forthcoming GDPR. Oh, and GDPR still applies in the UK, even after Brexit.

GDPR, internal emails and the digital workplace

Three out of five companies say their biggest risk comes from employees handling, sharing and processing data incorrectly. And if you’ve read our highlights from our engaging remote workers ‘hackathon’, you’ll know that employees are more than happy to go around official apps, platforms and processes if it means being more effective at work.

Group messenger app Yapster recently found that almost two-thirds (64%) of 18-34 year olds use personal messaging services for work, 29% use personal email in the workplace and 11% even admitted to sharing sensitive business information like trading data, internal documents, or contact details on private message apps. It’s hard to blame them: it’s much easier to send a colleague the details of, say, a customer address for an appointment on WhatsApp than to scroll through endless emails.

It’s a risky business. For example, did you know GDPR applies to any internal email where personal data is sent, whether attached or in the body of the email itself? Combine this level of scrutiny with the massive surge in digital communications during the pandemic, and you’ve got a recipe for disaster. It’s always a good time to refresh and take stock of your GDPR internal comms policy, practices and plans.

What can HR and Internal Comms do to comply with GDPR?

HR and Internal Comms teams need to work closely with IT to ensure businesses are complying with GDPR. Here are our top tips for what you can do.

1. Find out where your data flows. Connect with your IT team to get an audit of your current company data processes. Where does the data flow within the business and where does it come into contact with your employees? This’ll give you a good starting point.

2. Talk to your team. It sounds an obvious one, but it’s really important to talk to your people and find out how they’re using tools like Zoom, WhatsApp and Facebook Messenger. Are they sharing sensitive information about customers or colleagues with others?

3. Inform and educate. Let your team know about the regulations, and outline what they mean for them and their role. If you’re bringing in new guidance and processes as a result, you’ll want to equip managers with the necessary information to cascade it down to their teams.

4. Re-inform and re-educate. Set up a regular deadline for your people to retake GDPR learning courses and refresh their memories. Use interactivity, like quizzes, to measure employees’ understanding and identify where more concentrated support and GDPR training may be needed.

5. Onboard new comms tools. There’s a chance you’ll be updating your communications tools, or placing more of a focus on their use internally, so providing training to your teams across the business will definitely help in the long term and avoid any confusion!

6. Make it easy to check the rules. Ensure you share the contact details for your GDPR experts – and encourage employees to check and be safe, rather than sorry. There’s no such thing as a stupid question when it comes to regulations like this!


*We’re not data security experts, or legal eagles, so go to a professional for advice on those things!

Further reading:

Information Commissioner’s Office GDPR overview: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Beekeeper’s 31 point GDPR assessment programme: https://www.beekeeper.io/gdpr-compliance
