What are the impacts of GDPR on Investor Relations communications?

BY Mike Riches

In the server room and the board room, it’s time to get GDPR prepared.

General Data Protection Regulation (GDPR) will soon be here. Replacing the Data Protection Directive, its primary purpose is to strengthen and unify data protection for all individuals within the European Union. It will apply whatever kind of Brexit we have – hard, soft or positively runny.

From 25th May 2018, organisations holding personal information (pretty much anyone with a database) will be more accountable and responsible for ensuring that they have a lawful basis for processing it. ‘Personal information’ is described as anything from a name, photo, bank details, contact details or even biometric information (e.g. fingerprints and retina scans). ‘Lawful basis for processing’ basically means the consent of the data’s subject.

The first step for any company is to make sure that any current systems for gathering and processing personal data are fully compliant.

This involves:

  • Checking that consent is the most appropriate lawful basis for processing
  • Asking people to positively opt in
  • Not using pre-ticked boxes, or any other type of consent by default
  • Using clear, plain language that is easy to understand
  • Specifying why you want the data and what you’re going to do with it
  • Naming your organisation and any third party controllers who will be relying on the consent
  • Making it clear they can withdraw their consent
  • Ensuring that the individual can refuse consent without detriment
  • Keeping a record of when and how consent was given and what they were told at the time

The biggest task facing organisations looking to become GDPR compliant is the retrospective delve into their databases. This will determine whether they have consent for the data they control or not, and if so, where it came from. This is what you will need to know and show:

  • Name and contact details of Controller
  • Purpose of processing
  • Description of categories of data subjects and data
  • Recipients to whom data will be disclosed including third parties
  • Transfers of personal data to another country
  • Time limits for retention of data
  • Security around how data is held

Investor communicators must be careful to separate investor communications from marketing communications.

This is not new and corporate communications managers are hopefully well aware of the consequences of straying into marketing areas such as soliciting other investment or further investment. In August 2016 Flybe sent an email with the title ‘Are your details correct?’ advising recipients to amend any out of date preferences with a view to becoming more compliant with data regulations. However, Flybe also said that, by updating their preferences, users may be entered into a prize draw. Because of this, rather ironically, Flybe were fined £70,000 for breaking the Privacy and Electronic Communication Regulations.

It’s clear that regulators are starting to catch up with anything that looks like direct marketing and the consequences for stepping out of line will become costly.

So, yes compliance with GDPR is an IT issue. But it also one for the boardroom.

For more information contact Mike Riches: mike@gather.london