Generic filters
Exact matches only

Transparency and Stakeholders in the General Data Protection Regulation (GDPR)

Much of the discussion around the General Data Protection Regulation (GDPR) focuses on the compliance requirements, however it seems some of the softer areas which make a difference to individuals on a daily basis are overlooked.

One of these areas is transparency, where the GDPR requires plain language explanations of how data will be used and how it is protected. Ironically this is also an area in which most commentary on GDPR falls down, not helped by the use of the term data subject when in communications terms ‘stakeholder’ is more appropriate. Stakeholders have a stake in your organisation’s success and are not simply the subject of data processing.

Throughout the regulation there are many references to transparency – from requiring information around consent to be “intelligible, easily accessible […] using plain and clear language” to mentions of standard iconography to allow users to identify types of data processing. GPDR also requires more detail of data use, retention and security to be communicated in this way.

Communications on privacy and security need to now be centred on those receiving them: stakeholders need to know what it means for them, in language that speaks to their needs and concerns. This can easily be achieved through market research; simply asking stakeholders how they wish to be communicated with.

Consent to share data is now an explicit value exchange and what a stakeholder will get in return for giving up their data should be made clear. The adage of ‘if you can’t figure out what the product is, you’re the product’ may still hold true but it should now be much easier to ascertain.

In practical terms this means the days of having a complex, legally drafted privacy policy hidden on a website are over. Addressing this part of the regulation requires much more input from marketing and communications disciplines, which are traditionally outside of those normally required for compliance requirements.

One recommended strategy is to break this communication down into bite size pieces, and only at the point of requesting data, communicating in a succinct manner its privacy implications.

Finally the requirement to notify your stakeholders if a high-risk breach of their personal data occurs presents often presents a crisis point of communications. When handled correctly this notification does not have to be a headline grabbing event.

After most breaches your stakeholders worry about two things: one, will I suffer a financial loss? And, two, what will you do to protect me? If you are able to communicate the consequences of a breach in these terms the impact of a notification can be managed.

In the future standardized ‘intelligible’ wording will appear as more organisations become GDPR compliant. However, this easy fix could represent a missed opportunity to build a closer relationship with those stakeholders that matter to your organisation.

Privacy transparency an area ripe for innovation, making privacy communications more novel and exciting, actually communicating the value of consenting to data sharing rather than sharing the burden of a checkbox compliance exercise.