GDPR: four letters that have seen businesses running for help to protect themselves against the impending deadline – and in numbers arguably not seen for 20 years. Who remembers the stresses generated across the developed world by the fear of computer Armageddon from that three-letter acronym, Y2K?
The EU’s General Data Protection Regulation (GDPR) has approached many by stealth. Although to be fair to the EU, we’ve had five years’ notice of its impending arrival. Large companies, who stand to lose most from fines that can total 4% of global revenue, mostly got out of the starting traps a year ago. However, many found it was going to prove a bigger issue than expected, so it’s been a full-on race to the finish line. But they will get there – or thereabouts.
Will G-Day prove to be Data Armageddon Day?
That line is May 25th 2018. What will happen? The fear is that consumers will rise up in their millions on that day to access their personal information, revoke consents, complain to the Information Commissioner’s Office (ICO) and give birth to a new claims industry to rival that driven by PPI compensation. Armageddon indeed!
This won’t happen… probably. Any company worth its salt, large or small, will have made sufficient effort and progress (if not already completed its GDPR preparations) to satisfy the ICO that it does not warrant a punitive fine.
The essential point to remember is that May 25th 2018 is not the finishing line. It’s really the starting line, or perhaps second base in a relay. Once the paperwork and processes have been completed, companies then have to embark upon a journey to change behaviour across their workforce.
So, the GDPR challenge has really only just started for internal communicators. Its regulations and requirements affect everyone, but not in the same way. By now, staff that control, process and manage personal data should all be well aware of what’s expected of them, as should IT and marketing leads.
Our real challenge is to make lasting changes to behaviour.
GDPR and your employees
The focus now should be on reaching out to other staff on an ongoing basis. A company’s data protection preparedness is only as strong as its weakest link, and it could so easily be a member of staff at the end of the chain who, through being unaware or careless, leads to a very expensive breach of personal data security.
It’s essential that businesses communicate the required behaviour for employee GDPR compliance in a consistent, tailored and systematic way across channels, in an engaging, easy-to-understand manner. A short burst of awareness activity will not be successful.
Ultimately, what’s required is a set of “Thou shalt” and “Thou shalt not” messages that have to become engrained in the muscle memory of all staff. This is going to be a marathon and not a sprint, so plan for long-term activity. Communicate, train, test and repeat.
Then, GDPR will just be four letters that represent Business As Usual. Customers will trust companies more, and relationships built on trust last longer and are more beneficial to all concerned. Win-win.