GDPR Compliance for Internal Communications

Ali Rodriguez


GDPR regulations are a big deal for your business. They shape how you run your operations and can spell trouble if not properly addressed. By communicating GDPR compliance to employees in a clear and timely manner, you can avoid penalties and keep business running smoothly.

For many, GDPR compliance can be a significant source of stress. Internal communicators may find themselves contemplating questions like ‘Do I need to limit email volume?’ and ‘Is it necessary to add an unsubscribe button to my internal communications?’

But things are simpler than they seem.

GDPR legislation is all about giving more power to the individual, making sure that his or her personal data is collected, stored, and used ethically and transparently — all principles that form part of who we’ve been as a company since the beginning.

For that reason, our practices haven’t changed much since GDPR became the talk of the town.

ContactMonkey’s clients rely on our leadership and guidance when it comes to data privacy and security. In this guide, we’ll break down how ContactMonkey ensures GDPR compliance for our customers and what GDPR compliance means for internal communicators more broadly.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a piece of EU legislation that came into effect in May 2018. GDPR lays down certain rules related to the protection of personal data and applies to the processing of personal data by organizations that are established in the EU, as well as any organizations based outside of the EU that process the personal data of individuals in the EU for the purposes of providing goods or services to them or monitoring their behaviour.

This means that if you are a company based in Canada, for example, and you deal with customers or employees based in an EU country such as France, then you are likely to be subject to the rules under GDPR.

“Personal data” means any information relating to a living person who is either identified or identifiable. Personal data includes things like name, address, telephone numbers, and credit card details. The rules under GDPR are pretty extensive and aim to give such individuals (known as “data subjects”) much more power and control over how their data is used.

For example, one of the core principles under GDPR is the principle of transparency, under which organizations must provide individuals with very specific information about how and why their data are processed. On top of this, data subjects have a range of rights under GDPR that they can exercise.

What Aspects of GDPR Apply to ContactMonkey and Its Customers?

GDPR is wide in scope and it usually applies to ContactMonkey whenever we process personal data belonging to individuals who are based in the EU (and the same rule of thumb applies for our customers). The exact nature of the obligations that may apply under GDPR depends on whether we are handling personal data as a “controller” or a “processor” of personal data. Under GDPR:

  • a “controller” is someone (a person, company or other body) who decides how and why a data subject’s personal data are processed; and
  • a “processor” processes personal data on behalf of a controller and in line with the controller’s instructions. 

Generally speaking, ContactMonkey processes personal data as a processor on behalf of our customers, who act as the controller. That said, there are also certain circumstances where we act as controller of personal data, for example when we process personal data for our own service monitoring and product improvement purposes. 

When handling personal data, we always need to be mindful of the core data protection principles set out under GDPR. These are: 

  • Lawfulness, fairness, and transparency. All processing of personal data should be lawful and fair and data subjects need to be able to understand the circumstances around the processing of their personal data and be able to exercise their rights. 
  • Purpose Limitation. Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 
  • Data Minimization. Processing must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. 
  • Accuracy. Personal data should be accurate and kept up to date. 
  • Storage Limitation. Only keep personal data for as long as is necessary for the purposes for which the data are processed. 
  • Integrity and Confidentiality. Personal data should be processed in a way that ensures appropriate security of the personal data. 
  • Accountability. Controllers are responsible for and must be able to show that they have complied with all of the data protection principles. For example, we do this by taking steps to ensure that our privacy policy and personal data handling practices are up to date.

In terms of GDPR compliance, here are some concrete steps we’ve taken:

  • Familiarizing ourselves with and understanding the requirements of GDPR and related regulatory guidance.
  • Updating our Privacy Policy in order to provide greater transparency to ContactMonkey users about how we collect and use information. 
  • Implementing product feature changes to enable our customers to comply with GDPR when sending emails via ContactMonkey.
  • Ensuring that personal data of ContactMonkey users and email list subscribers are protected, including, for example, through the implementation of security measures to protect against unauthorized access to or unauthorized alteration, disclosure, or destruction of data.
  • Providing a Data Processing Addendum to ContactMonkey customers, which sets out the conditions under which we process personal data on behalf of our customers.
  • Having a dedicated point of contact for data protection-related queries.
  • Responding promptly to requests from individuals seeking to exercise their rights under GDPR where we act as controller of personal data.
  • Keeping personal data only for as long as it is needed, in line with our data retention and deletion policies.
  • Educating our users and subscribers about GDPR in relation to email outreach and email tracking, and developing internal communications best practices.

How to Practice GDPR Compliance for Internal Communications

We went over general guidelines for complying with GDPR above, but it can be tricky to identify what applies to you as an internal communicator. Although sales and marketing are the most affected by GDPR regulation, there are a few ways internal communications play a role.

Here are some tips to make sure your Internal Communications team is GDPR compliant.

  1. Transparency: whether it’s through your contracts, job offers, or training materials, employees need to be aware of what data you are storing and what you are using it for. Many companies have a dedicated employee privacy policy explaining the data they collect from staff and how they use it. Like Sales and Marketing teams, Internal Communicators rely on personal data to personalize communications to boost employee engagement and participation. With ContactMonkey, for example, you can personalize your subject lines and body copy to increase email open rates and engagement. You need to be thorough when communicating exactly what data you’re collecting, why you’re collecting it, and who employees can get in touch with if they have concerns about their personal data. Remember, transparency is one of the core principles under GDPR.
  2. Legal basis for Data Collection and Processing: another important thing to keep in mind is that you need to be able to show that you have a legal basis for collecting data from your employees and processing such data. For example, when it comes to Internal Communications, you might say that by tracking internal communications emails you are able to measure and improve employee engagement, which has been proven to have a direct impact on the bottom line.
  3. Train your Employees to Be Mindful of GDPR: whether it’s sales and marketing, or HR and IC, you need to make sure old and new employees know exactly how to be GDPR compliant. Just because you, as a company, have taken every step to adhere to regulations doesn’t mean that one careless employee can’t get you in hot water. We suggest you begin by sharing this guide with them so they know how to go about handling data and reaching out to external people.
  4. Ensure All of your Third-Party Tools are GDPR Compliant: as we covered above, ContactMonkey has taken steps to be GDPR compliant. However, as you add more tools to your repertoire of communications weapons, you need to keep updating your employees regarding what data, if any, you’ll start to collect.

Although the language in your contracts may give you someone to sue if something goes wrong, this alone is not enough, and for transparency’s sake you should be updating your workforce any time you implement a tool that collects data. Communication is key.

What steps can ContactMonkey customers take to ensure compliance with GDPR?

In terms of what you can do to make sure you’re being compliant, here are some of the best practices we’ve also implemented at ContactMonkey that you should follow.

Anonymous individual email tracking

GDPR can impact how you track email metrics from your employees. This can result in organizations being unable to gather email analytics to improve their internal communications. Using ContactMonkey’s anonymous email tracking, you can gather email metrics from your employees while maintaining their privacy and anonymity.

Data Minimization

As we mentioned earlier, another key tenet of GDPR is that you should only process the data that is adequate, relevant, and necessary in relation to the purposes for which they are processed. For example, it’s normal that your sales team collects data such as first name, last name, email, and phone numbers but anything beyond that could be seen as a violation unless it’s necessary within your sales process.

Be Mindful of Frequency and Cadence

Even when you obtain someone’s email through a legitimate form, abusively frequent emailing can be seen as an intrusion on the rights of the individual. We know this does sound like a grey area, but use common sense when it comes to emailing prospects and don’t abuse the trust they’ve put in you. Remember that personal data should not be processed in a way that is incompatible with the purposes for which the data was collected in the first place. So you should only use it for the purpose you said you would when you collected it.

Always include Opt-Outs

Although this is fairly common practice, as a writer who subscribes to hundreds of newsletters and blogs, I always find a couple that don’t really give me an option to opt out or unsubscribe from their emailing list. Always make sure to add opt-out and privacy notice information in all of your correspondence. When it comes to GDPR compliance, the rule of thumb is to err on the side of safety, so make those opt-out buttons super prominent.

Communicating GDPR to Employees: Key Takeaways

While navigating GDPR compliance can often feel like a confusing process, it will ultimately improve your internal communications and help your team build relationships based on mutual trust and transparency. By taking the time to help employees understand the importance of GDPR compliance and how to follow associated best practices, you can strengthen business integrity and avoid legal repercussions.

With a communications solution like ContactMonkey, which helps support GDPR compliance, managing GDPR becomes a little easier. If you have any questions or concerns regarding GDPR compliance, you can review our Privacy Policy here.
