GDPR has launched, but what can internal communicators do next?

You've done a great job helping your business communicate both internally and externally about the launch of the EU General Data Protection Regulations (GDPR) on 25 May 2018. But what next? Is that it?

Here are my four top tips on how communicators can continue to help your business talk about and create a culture that is more data aware, conscious and acts with a privacy and protection first mindset.

1. Training - if you didn't run an online training module to help educate people in your business, nows a good time to do this, while it's still fresh. It will help to reinforce the basics of GDPR, the topics of privacy and protection, what it means to the employee, the business, its customers, and also the behaviours, processes and internal contacts. This then forms part of the employee lifecycle: from new starter to leaver. It's not mandatory to keep doing annual training on this subject, but why not make it an annual 'good thing to do' - to help reinforce the right behaviours, attitude and culture. Communication professionals can play an important role in shaping this.
2. Data Protection Impact Assessments (DPIA) - hopefully, your business has implemented this process following the GDPR launch. A DPIA helps to identify and minimise data protection risks of a project. Use the UK's Information Commissioner's Office (ICO) screening checklists to help you decide when to do a DPIA. It is also good practice to do a DPIA for any major project which requires the processing of personal data. Your DPIA must: (1) describe the nature, scope, context and purposes of the processing; (2) assess necessity, proportionality and compliance measures; (3) identify and assess risks to individuals; and (4) identify any additional measures to mitigate those risks. As communicators, we should be helping to communicate this process to relevant stakeholders. This should be part of their processes and something people ask at the start of a project rather than as a tick in a box at the end.
3. Developing culture: privacy and protection themes - The GDPR puts a spotlight on what best practice and being a responsible business should be doing to create a culture where its people put data privacy and protection front of mind. What has previously been considered a boring subject is now a fantastic opportunity for communicators, with legislative permission now, to make this relevant to your audience with people stories that reinforce the culture you want to create. It doesn't have to be boring any more.
4. Bi-monthly or quarterly data privacy and protection internal campaigns - look to build planned campaigns that curate the stories you're gathering from different teams and people about what they are doing to be more data conscious. As well as what it means to your customer/client. How can you be creative across your internal channels (eg. quizzes, posters, screensavers, live debates, etc)? What about re-purposing these people stories across your external channels? This will help reinforce the narrative of being a responsible business with personal data to your employees, customers and clients - building on your brand and reputation.

In our current world, where data is sometimes hacked, leaked and sold, comms people have a duty to help develop an internal culture where the people of your business take responsibility and care about the data it uses and manages for its clients, customers and each other as something that is incredibly valuable to your brand and reputation.

Our role as communicators/storytellers is an exciting one. We should always be on the lookout for opportunities to translate and craft dry subjects into interesting ones that resonate. Make this part of your communication strategy, plans and approach. Good luck folks.