Tuesday 24 Oct 2017

How to tame the GDPR Beast - a Guide for Comms Teams

How to tame the GDPR Beast - a Guide for Comms Teams: Taming the GDPR beast

So GDPR is looming like a big, badly understood beast. Feeling helpless? Don't. We have some simple steps for your team to follow to cast away doubt, increase general understanding and turn that beast into a baby who's actually very friendly if you treat it right...

Why Bother?

Communication departments are all about building relationships with people and as part of that relationship building, teams tend to store and use data about them. These could be names, email, phone numbers, notes, the organisations they work for, the details of meetings & events, the details of complaints and issues, social media profiles etc. As this information is stored and used, the communications team becomes a custodian of this data (or Data Controller). And as a data controller, your team therefore has certain responsibilities to that data under the Data Protection Act.

What GDPR came along and did was say not only do you have these obligations, you also have to SHOW how you are meeting your obligations. If you don’t show this – that’s where the beast's big teeth make an appearance in the guise of a massive, business-busting fine...

What Can I do? 

One of the biggest things you can do as a team is to think. Think about what data you store, why you store it, how you use it, how safe you keep it and what potential harm may arise to the actual people you store data about if the data was in any way compromised.

After this, you then need to document your thoughts. Because you may be fantastic when it comes to data protection but if this is not documented, you're pretty screwed when it comes to GDPR. 

The Information Commissioners Office has a handy little tool to help you document this process. It is called a Privacy Impact Assessment. It is normally done at the beginning of a project in order to show that you are 'designing for privacy' rather than just tacking this on as an afterthought. It is however a fantastically worthwhile exercise as it increases team understanding of the issues and is often called upon by the ICO as the most effective way to demonstrate how your team complies. Here's my little guide to building one.

So How Do I Start? 

Ask your team 8 questions and document your answers. This will form the basis of your privacy impact assessment and will help you think about your data in GDPR kinda way (and I warn you this will probably be a big change from how you see things at the moment).

Question 1. What Data Do We Store and Where do We Store It? 

If you are in a communication team, you probably store data on journalists, stakeholders, community leaders, politicians etc.  You may keep these in spreadsheets, shared drives, google docs etc. As a first step: 

  • List all the types of people you communicate with
  • List the data you typically hold on each type of person (name, email, phone, organisation, interest etc) 
  • List all the systems you use to store this data and communicate with these types of people (Outlook, Mailchimp, Googledocs, shared drives, spreadsheets, contact databases)

Question 2. How do people expect us to treat their data? 

A key part of this exercise is to identify any ‘risks of harm’ which may occur from the way you store and use the data you hold. So for example if you sent your contact spreadsheet to someone outside of the organisation by accident or you left your laptop on a train or you managed to invite the wrong people to share a Googledoc, what harm could arise from this action? And here is is best to note that the definition of ‘risk of harm’ within the act is pretty broad. It ranges from:

  • Actual harm (loss of a job, income, liberty)
  • Perceived harm (fear that your data may have been compromised)
  • Perceived societal harm (that your use of data may contribute to a loss of personal autonomy or dignity or exacerbate fears of excessive surveillance

Now the above may sound loopy, but actually if you pause for a moment and stop seeing data as something anonymous and start imagining that this was information about you or your family - then you start to get the picture. I don't like the fact that my broadband provider's systems got hacked even if my identity was not subsequently stolen or my passwords guessed at. No actual harm arose from this, but that does not let the broadband provider off the hook. I expect my information to be securely protected and not shared with anyone else as a condition of my giving my data to this company. It forms part of my consent process.

EXAMPLE: a journalist contacting me for a statement gives me their mobile number. The journalist might reasonably expect me to keep their contact details and the details of the request in a system so that I can fulfil their request. They would not expect me to pass on their mobile number to people outside of the PR team which could result in pester calls.   

EXAMPLE: a member of the public might reasonably expect you to store their details and the details of their complaint so that appropriate action can be taken. They would even reasonably expect that this information would be shared internally with the correct departments. They would not reasonably expect for you to share this information with departments which had nothing to do with the complaint or others in the industry. This may then risk the person being known as a ‘troublemaker’ and could have real and lasting consequences.

So as a next step we need to consider how each group would expect you to treat and use their data and come up with a statement which covers this for each group of people you communicate with. If your use of that data or your security around that data does not match what the person's reasonable expectations are, we may have identified a real privacy risk.  

For example you might come up with the following statement for Journalists: "Journalists would reasonably expect to have their contact information stored safely so that content in which they are interested can be communicated to them in a timely fashion" and a member of the public might "reasonably expect contact details and details of their enquiry to be stored safely by the organisation in so far as it helped to resolve the specific issue they contacted the organisation for". 

Put yourself in their shoes and write down what you would reasonably expect if you were that journalist, MP, civil servant community leader or member of the public. Once this is documented, it can really help people to understand how to answer the next questions. 

Coming Up Next 

The next post covers the following questions which you need to ask your team about the data you store on each of these groups.  

  1. Can you show where you got your data from and how you use it on an ongoing basis? 
  2. Can you show you had a valid reason for collecting this data? 
  3. Can you show what data you store on a person? 
  4. Can you show how you are keeping your data up to date? 
  5. Can you show that you're not keeping data for longer than is necessary 
  6. Can you how how safely you are keeping your data? 

Want to Chat? 

We have been been asked to facilitate some webinars on GDPR and the impact on communication teams. If you'd like to be invited to one of these, please email me and I'll be happy to provide further information. Otherwise watch out next week for our next Taming the GDPR Beast post. 

Downloads

Taming the GDPR beast
Taming the GDPR beast