A Complete Guide to GDPR Compliance for Internal Communications

The General Data Protection Regulation (GDPR), enforced since May 25, 2018, is undoubtedly the most stringent privacy and security law in the world. Although it was developed by the European Union (EU), its reach extends far beyond Europe’s borders. It imposes strict data protection obligations on any organization that collects or processes data from individuals within the EU. The consequences of non-compliance can be severe, with penalties amounting to tens of millions of euros for those who fail to meet its rigorous standards.

As businesses increasingly rely on cloud services and face the daily threat of data breaches, the GDPR reflects Europe’s firm stance on safeguarding personal data. However, the regulation’s broad scope and somewhat ambiguous guidelines make compliance particularly challenging, especially for small and medium-sized enterprises (SMEs). 

The rise in remote employees has amplified these challenges, as internal communications have become more reliant on digital tools that handle vast amounts of personal data. For many U.S. organizations, this complexity is heightened by the growing trend of employing individuals from other countries. It includes those in the EU, bringing them directly under the scope of GDPR. As a result, ensuring GDPR compliance in internal communications has now become a critical priority for organizations of all sizes. It requires clear policies, secure processes, and constant vigilance to protect both customer and employee data.

If you have employees living in the EU, an international recruiting strategy, or staffers whose work takes them to the EU, this regulation and the multi-million dollar fines associated with non-compliance, apply to you.

We’re going to explore the key aspects of achieving GDPR compliance specifically within internal communications as well as problems of non-compliance. We’ll also provide practical insights and strategies to help your organization navigate this complex regulatory landscape.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a rigorous data privacy law enacted by the European Union. It is designed to protect the personal data of people in certain EU countries and the United Kingdom (UK). As such, it applies to any organization, regardless of location, that processes the personal data of individuals while they are in the EU.

According to GDPR Advisor, in 2024, it had been implemented in Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. Even though the UK left the EU in January 2021, the GDPR was enacted prior to this. So, it is still considered a valid UK law.  

The GDPR grants individuals rights over their data. This includes the right to access, correct, and delete their information. It also requires organizations to be transparent about how they collect, use, and protect that data. It also mandates strict security measures to prevent data breaches and imposes heavy penalties for non-compliance.

The regulation’s main goals are to: 

• strengthen data privacy rights for individuals
• increase accountability for organizations
• unify data protection laws across EU member states.

You may be wondering what data is covered by GDPR. According to the UK Information Commissioner’s Office (ICO), “The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

This data could be on computers, in the cloud, or even in a filing cabinet and includes:

• Names
• Email addresses
• Identification numbers
• Location data
• Personal data that has been key-coded or machine-scrambled

Who Does the GDPR Apply To?

GDPR aims to protect data subjects. But does that mean citizens, residents, travelers, or expats living abroad? According to an analysis by Cyber Counsel UK, a data subject is anyone within the borders of the EU at the time of processing of their personal data. That means residents, travelers, and expats can all be data subjects. However, if an EU citizen is traveling outside the EU, or becomes an expat, they are no longer a data subject, unless their data is still processed by an organization “established” in the EU.

The EU explains that it applies to:

1. Companies or entities that process personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2. Companies established outside the EU that offer goods or services (paid or for free), or monitor the behavior of individuals in the EU.

If your company is a small and medium-sized enterprise (‘SME’) that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you. For instance, you may not need to appoint a data protection officer (DPO). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities. 

So, if your organization is based in the U.S. and it processes personal employee data of those who reside and work in the EU, it must comply with GDPR. This is because the GDPR applies to organizations that handle the personal data of individuals located within the EU. The company’s physical location is irrelevant. 

Role of Data Protection Officers in Internal Communications

Data protection officers can be internal employees or contractors. Their job is to:

• help you monitor and demonstrate compliance
• inform you about your obligations
• prepare Data Protection Impact Assessments (DPIAs)
• act as a contact point for data subjects and the EU.

The GDPR dictates that your DPO is an independent expert in data protection, who is adequately resourced and is obliged to report to the highest management level.

However, the ICO states that you must appoint a DPO if:

• You are a public authority
• Your core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavior tracking)
• Your core activities consist of large-scale processing of special categories of data. This includes employee data or data relating to criminal convictions and offenses

Why is GDPR Compliance Needed for Internal Communications?

GDPR compliance is essential for internal communications because organizations handle the personal data of employees and stakeholders. Ensuring compliance helps protect sensitive information, prevent data breaches, and uphold employee privacy rights. 

Failing to meet GDPR standards can lead to severe fines and legal consequences. That’s why it is crucial to safeguard personal and employee data shared through internal channels. These include email, messaging systems, and cloud-based platforms. Compliance ensures transparency, security, and trust within the organization. Non-compliance creates enormous problems. 

Problems of Non-Compliance

A 2023 survey by the European Center for Digit Rights, a non-profit organization branded as noyb (none of your business), highlights “a culture of non-compliance” regarding the GDPR. Conducted online in November 2023, the survey aimed to get reliable insight into the practical implementation of the GDPR. Their target audience was data protection officers and professionals who were working in the GDPR compliance field. 

Key findings, including statistics, include:

• 74.4% of privacy and senior data professionals believe that “an average company” would likely be found to be in violation of the GDPR if regulators were to inspect them immediately. 
• DPOs seem to have a difficult time convincing decision-makers to make the changes needed to achieve GDPR compliance. This was especially true in sales and marketing, where 56% indicated it was a problem​.
• 63.5% stated that the fear of high fines was a deterrent. The risk of “reputational harm” was also a very influential factor for compliance. 
• The various guidelines provided by the European Data Protection Boards (EDPB) and data protection authorities (DPA) were found to be “surprisingly inefficient.”
• Ultimately, 70% of DPOs and other respondents agreed that more DPA action was needed. 

Of course, the answer is to practice compliance in the first place.

How to Practice GDPR Compliance for Internal Communications

It makes sense to start out by looking at the employee data you collect from those who work for your organization. Do you really need it? “Nice to have” data won’t work for those living and working in EU countries. ICO advises companies to identify the lawful basis for using information. 

Here are a few guidelines to get you started. 

Useful Guidelines 

• Consent: The individual has given clear consent for you to process their personal data for a specific purpose. It is vital to recognize why this is important, as well as how to obtain, record, and manage consent.
• Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: Processing is needed for you to comply with the law (not including contractual obligations). 
• Vital interests: You need to process data to protect someone’s life. 
• Legitimate interest: Processing certain data is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. You also need to know how you can use and apply legitimate interests. 
• Public task: Processing data is necessary for you to perform a task in the public interest or for your official functions. You also need to be sure that the task or function has a clear basis in law.

The reasoning behind your choice of lawful basis should be well-documented and easy to explain. Your chosen lawful basis can also affect the rights available to the data subjects (your employees who are protected by the GDPR). When dealing with employee data, many organizations are choosing legitimate interests as their legal basis.

No matter what you choose, if you could get the same results without saving data, you are not in compliance.

Audit Information

If you have staff in the EU, you’ll need to document the personal data you hold. This should include where it came from and who you share it with. If you discover you have incorrect data, correct it in your system. Also, let anyone else you are sharing it with know so they can fix it on their end as well. You aren’t just being nice, it’s the law.

Update Onboarding and Privacy Policy Language

GDPR regulations have no patience for legalese-filled privacy policies and onboarding docs. 

In addition to current EU rules that say you must let people know who you are and how you intend to use their information. For this reason, your employee onboarding documents and privacy policy will need to include certain information. This includes:

• The exact lawful basis you are using for collecting the data. If some of the information you’d like to have is optional and falls under a different legal basis, allow your staffers to consent separately.
• The length of time you will be storing the data
• Information on the data subject’s right to complain to the ICO if they think there is a problem with your data handling.

Check Procedures

Just because you have a lawful basis for data collection, doesn’t mean you are in the clear. Work with HR to bring data consent into established annual processes. Think HIPAA but for non-essential personnel data.

GDPR specifies that data subjects can consent to data collection. If not, communications need to be reworked to remove any automatic opt-ins.

A GDPR-approved opt-in is:

• Specific
• Informed
• Unambiguous
• Clear
• Prominent
• Properly documented

Allow Employees to Update Information

For data that doesn’t fall under the legitimate basis umbrella, work with your vendors to develop a privacy dashboard to give your associates the ability to update their information and control what data is collected.

A user dashboard is a great place to start.

Prepare to Delete Data if Need Be

GDPR dictates that you must make it easy for data subjects to withdraw their consent at any time. You also need to provide guidelines of how they can do it

Once an employee is no longer with your organization, set processes that ensure unnecessary or outdated data is deleted at regular intervals. Be aware that the GDPR even allows data subjects to request that their data is removed from an organization.

If there is no compelling reason for your organization to keep certain information, you have 30 days to complete the process. The same goes for any vendors with whom you have shared the data.

Check Contracts

Organizations governed under GDPR must update their contracts with vendors that handle data to include specific terms about how the data your organization provides will be handled.

How Can Cerkl Broadcast Ensure GDPR Compliance in Internal Communications

Cerkl Broadcast is a versatile platform that is fully compliant with the GDPR. There are several key features that help our customers ensure GDPR compliance, including: 

• Personalized communication with consent: Broadcast’s personalization features allow organizations to tailor messages to employees based on their preferences and roles. This ensures that only relevant and necessary data is used. GDPR requires explicit consent for processing personal data, and Cerkl Broadcast enables compliant, consent-based communication.
• Data security and access control: Broadcast provides robust security features. This ensures that personal data shared within internal communications is encrypted and accessible only to authorized users. This aligns with GDPR’s requirement to safeguard personal data from breaches or unauthorized access.
• Data minimization: The platform supports the segmentation of audiences, ensuring that only necessary information is shared with the right people. This reduces the amount of personal data processed, meeting GDPR’s data minimization requirement.
• Transparency and accountability: Cerkl Broadcast’s analytics and insights offer transparent reporting on communication activities. It can be particularly useful for maintaining records of data processing as required by GDPR. These insights provide a clear overview of how personal data is being used within internal communications.
• Right to access and erasure: Employees can request access to their personal data. They can also ask for it to be deleted under GDPR. Cerkl Broadcast’s data management capabilities ensure organizations can efficiently handle such requests, maintaining compliance with these GDPR rights.

By using these features, Cerkl Broadcast helps organizations protect employee data, comply with GDPR, and maintain trust in their internal communications.

What’s Next

If you employ people who live or work in the EU, and your organization isn’t GDPR-complaint, you need to take immediate steps to rectify the situation. We’ve provided useful guidelines to get you started. At the same time, it’s vital for you to prioritize using secure internal communications software with data privacy features. Even if you aren’t bound by the requirements of the GDPR, sound employee data management is critically important.

We have prepared a comprehensive guide, Choosing the Optimal Internal Communication Software, that is a mine of information in this regard. It will help you to identify your organization’s needs and evaluate vendor reputation and support. Of course, you also need to assess the features of the software you are considering. Security and employee data privacy are crucial, but there are other factors to consider too. 

We know this can be an enormous challenge, so invite you to download our guide now. It’s an essential read, and you can access it right now, free of charge.  employees? Schedule a demo today.

FAQ