The internal comms guide to GDPR

internal comms guide to gdpr blog
Picture of Firstup

Companies across the globe are preparing for the General Data Protection Regulation (GDPR) compliance that’s set to go into effect on May 25, 2018. This is the new European Union (EU) privacy law that will affect all companies processing data from EU citizens, which replaces the old Data Protection Directive from 1995.

Regardless of the organization’s location, GDPR applies to all companies who offer goods, services or hold the personal data of people who live in the EU. The goal of the new GDPR regulations is to protect all EU citizens from data and privacy breaches.

Our customers have made GDPR compliance a priority, and we have too. SocialChorus is committed to making sure that our platform is compliant and to assist our customers in the process.

Though GDPR sounds like an issue for IT or the marketing department, HR and internal communicators need to prepare if they have workers in the EU because employee data is subject to the GDPR privacy rules as is how internal communicators use that information.

Here are the top 10 issues internal communicators need to understand and educate workers about GDPR:

1. Increased territorial scope (Extraterritorial applicability)

One of the biggest changes is that GDPR now applies to non-EU businesses who process data from EU citizens, regardless if the processing takes place in the EU. For internal communicators, this regulation applies if you have workers based in the EU but store their employment and personal data in the US for HR purposes. Also, if your employees have customers that are based in the EU, you’ll need to communicate all relevant compliance messaging to them.

2. Higher penalties

Organizations who violate GDPR compliance rules could be fined up to 4% of their annual global revenue or €20 million (whichever is greater). The EU is also using a tiered system for smaller breaches, such as a 2% fine for not having your records in order.

3. Easy-to-read consent

Businesses will no longer be allowed to use long terms and conditions that are difficult to understand. Consent must be in clear, plain language, and it must be easy to withdraw consent. (We’ve complied with this rule, too. Here’s our updated privacy policy and terms of service)

4. Rights over personal data

GDPR provides data subject rights, such as:

  • The right to receive personal data concerning them
  • Privacy by design, where data protection is included as part of the technical and organizational system

For internal communicators, this rule also applies to employees, who have the right to have access to their stored personal data.

5. Transparency and data portability

GDPR gives more privacy rights to consumers and employees, which means companies need to be more transparent about the data they collect. They need permission to collect the data, agree to give subjects’ access to their personal data free of charge, and/or delete it upon request. Comms leaders should be able to communicate what the process is company-wide for both employee and customer data.

6. Data Processing Officer (DPO)

An internal auditor or DPO is required for companies whose core activities are processing personal data, who will also train other staff on GDPR compliance. The DPO could be an internal staff member or external service provider and will be the point of contact for the authorities.

7. Data breach

Companies who have a data breach must notify all customers, employees, partners, etc. within 72 hours.

8. Engagement measurement under GDPR

Comms leaders who use workforce communication platforms, like SocialChorus, with analytics tools to measure the impact of their communications, will need to make sure these platforms are GDPR-compliant.

SocialChorus has invested in its security infrastructure and procedures to meet GDPR requirements and industry best practices. Our security controls include data encryption, threat detection, data backup, and more. We’ve implemented a thorough incident response process and will continue to offer contractual guarantees for security incident notification.

9. Right to be forgotten

EU employees and consumers can request the timely removal of their personal data, and communicators using workforce communications platforms, such as SocialChorus, will be able to remove a user’s data directly through the software.

10. Communicating with your employees

Internal communicators need to do what they do best, and that is to make sure all your employees understand the new GDPR regulations and how it affects your organization. This may include informing employees of any new procedures, regulations, and making sure your communications reach all relevant workers. It might also mean thinking through a crisis communication plan or notification procedures in a worst-case scenario.

Our commitment to data protection

We’re committed to ensuring your company and employee data is secure, and we’ve implemented technical and contractual mechanisms to support compliance.

With these changes, you’ll have:

  • More control over your users’ information
  • Simpler messaging around how your data is used
  • Terms of Service and Privacy Policy streamlined with your company’s existing policies

If you haven’t already, speak with your Engagement Manager if you are unsure about compliance requirements. Additionally, reach out to us at with any questions or concerns about changing functionality, new features, and data.

Sign up for our Newsletter

Enjoy our blog? Get the latest news delivered straight to your inbox.

Sign up for our Newsletter

Enjoy our blog? Get the latest news delivered straight to your inbox.


The Rise of the Intelligent Communication Platform

June 26, 2024