GDPR and the Communications Challenge of Non-Compliance

Alex Jafarzadeh

Sound the alarm: We’re now just one month out from the enforcement date for the EU’s General Data Protection Regulation (GDPR). Six years in the making, GDPR is widely considered to be one of the most comprehensive regulatory data protection developments the world has seen, with some rating it as more challenging to comply with than HIPAA.

Now that we’re a month away from GDPR becoming a reality, communications teams should revisit the topic and consider how best to share their story of compliance. It’s an excellent way to demonstrate their prowess, and you can read more about our perspectives on the communications opportunity for compliant or soon-to-be compliant businesses.

On the other side of the coin, it’s not far-fetched to assume that next month’s deadline may still be too close for comfort for some companies. And, with fines for non-compliance reaching beyond seven-figure sums, the mere prospect of missing the deadline is sure to be causing some serious headaches for those businesses.

So, how should companies facing non-compliance approach the difficult task of communicating bad news to their stakeholders?

Honesty is the best policy – and the sooner, the better

Businesses struggling to comply with GDPR have enough challenges to worry about. Being accused of concealing bad news over regulatory compliance shouldn’t be one of them. If compliance is looking difficult, or impossible, ahead of May 25th, stakeholders are likely to find out about it whether the business wants them to or not.

Taking the first step and informing those stakeholders of an impending setback not only helps control the message, it also guards against accusations that the company wasn’t upfront with them on an issue of serious importance.

Then there’s the issue of timing. With just one month to go, companies should prepare to communicate this news sooner rather than later. If stakeholders have their own preparations to make, such as informing their own customers or putting a product deployment on hold, they will need to know as soon as possible. And, if the company does achieve compliance before May 25th, it will be seen as being prepared and open in its communications – a reputation-enhancer if there ever was one.

Communicating the solution

It’s not enough to just hold your hands up and admit that compliance by May 25th won’t happen. Stakeholders will be asking the question: If not now, when? And, like any problem, the anxiety it causes will only be worsened by the absence of a clear, structured solution.

When communicating to stakeholders about the potentially missed deadline, companies should also include some details around how and when they will reach compliance. Stakeholders don’t need every last detail, of course, but a high-level view of the remedy will go a long way in reinforcing their confidence that the business has a handle on the challenge and can be trusted to meet it.

Choose the right medium and make your message clear

When informing stakeholders of this difficult news, companies need to balance the need to reach as many of them as possible against the risk of over-amplifying a negative story beyond the required audience.

A press release, then, is not the way to go – and neither is a jargon-filled paragraph buried in an unread ‘News’ page on the company website. Consider a succinct, informative blog or LinkedIn post, amplified to those key stakeholders via your most active social channels and supplemented by a dedicated email. Make the message crystal clear, and leave no room for ambiguity or doubt around it.

GDPR is undoubtedly one of the biggest data protection hurdles facing businesses in years, but communications teams can help ease the fallout of non-compliance. Honesty and clarity, as well as a clear path to compliance, will be key for businesses as they prepare to inform their stakeholders that May 25th may simply be too soon for them.