Beyond Legal #32: The internal comms manager who made compliance something people actually read

Kieran helped me translate controller obligations into something employees actually read. — Marta S., Data Protection Leader

So much of the data protection training I have seen is obviously written by lawyers for lawyers, then handed to employees and called ‘employee engagement’. The legal content is accurate. The language is precise. Nobody reads it after the first slide. And because nobody reads it, nobody understands their obligations, nobody understands the company’s obligations to them as data subjects, and the training completion rate becomes the only metric anyone tracks, because it is the only metric that is easy to measure.

Kieran’s story

Kieran is an internal comms manager at a European retailer with around eight thousand employees across five member states. His job is to make information land and stick — to understand what employees actually read, what they ignore, what language resonates, and what format reaches people who are not sitting at a desk. He writes for people, not for auditors.

He had never been asked to contribute to the data protection programme. He had been asked, once, to distribute an all-staff email about a policy update. He had done so. He had noted privately that the email was unlikely to be read by anyone.

The Data Protection Leader — let’s call her Marta — came to him with a specific problem. She had a legal obligation to ensure that employees understood their rights as data subjects and the company’s purposes for processing their personal data. She had a training module that met the legal standard for content. She had a completion rate of sixty-three percent and no evidence that any of the completed sessions had produced behavioural change. She needed help.

Kieran asked her three questions she had not been asked before. Who are the employees you are most worried about not reaching? What would you need them to be able to do differently after the training? And what does an employee’s actual working day look like — when do they have two minutes to read something, and when do they not?

Those three questions reframed the project entirely.

What the collaboration produced

Instead of a single annual training module, Kieran and Marta built a rolling communication programme: short, role-specific content delivered in formats that matched how different employee populations actually consumed information. Warehouse staff received visual posters at work stations covering the specific processing activities that affected them and their rights under Articles 15 to 22 of the GDPR. Retail employees received brief scenario-based content via their existing team communication app. Head office staff received more detailed quarterly updates aligned to changes in processing activities.

The transparency notices — the Article 13 information that employees are entitled to receive about how their personal data is processed — were rewritten in plain language, tested with a focus group of employees drawn from each population, and redesigned as a two-page visual document rather than a twelve-page legal annex.

Completion and engagement rates improved substantially. More meaningfully, the number of employee data subject access requests — a reliable indicator that employees understand they have rights and feel confident exercising them — increased, which Marta took as evidence that the communication was reaching people.

Kieran was promoted. Marta cited the collaboration as a significant programme improvement in her board report.

What does the GDPR require from employee transparency communications?

Under Articles 12 and 13 of the GDPR (and Article 14, where the personal data are obtained from someone other than the employee), controllers must provide data subjects, including employees, with clear and plain language information about the purposes and lawful basis for processing their personal data, the categories of data involved, retention periods, their rights, and details of any transfers to third countries. Article 12 requires that this information be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. A legal annex that employees are not reading is not meeting the Article 12 standard: accessibility is not only about physical availability, it is about whether the communication is genuinely intelligible to the people it is addressed to.

Two enforcement decisions illustrate what happens when companies fail this standard at scale.

In September 2021, the Irish Data Protection Commission fined WhatsApp Ireland €225 million, at the time the second-largest GDPR fine ever, for transparency failures rooted in privacy notices that did not clearly explain what personal data was being processed, for what purposes, or on what lawful basis. The DPC found that the notices failed to provide the required information in a sufficiently clear and plain manner.

In October 2020, the Hamburg Data Protection Authority fined H&M €35.3 million for systematically collecting sensitive personal data about employees (health information, religious beliefs, family situations) through return-to-work interviews and informal conversations, and using it to profile employees and inform employment decisions. The primary violations were of lawfulness and data minimisation: the collection lacked a valid legal basis under Article 6 and, for special category data, under Article 9. Employees had no knowledge that these records existed, no ability to exercise their rights over them, and no meaningful transparency about processing that should never have occurred at all. It is a different kind of failure from a poorly written privacy notice, but it illustrates the same underlying problem at its most serious: when employees are not treated as data subjects with rights, the consequences extend well beyond a compliance gap.

Why does internal communications expertise matter to a data protection programme?

The GDPR’s transparency obligations are substantive, not formal. A privacy notice that exists is not the same as a privacy notice that communicates. An all-staff email that is sent is not the same as information that is understood. Internal comms professionals understand the difference between distributing information and achieving comprehension, and it is comprehension that the GDPR’s transparency framework requires. A Data Protection Leader without access to that expertise is producing legal documents, not communication. A Data Protection Leader who builds it into the programme is producing the kind of evidence of compliance that Article 5(2) actually demands: not just that a notice was issued, but that it was understood.

The challenge for today: Take your employee-facing Article 13 notice and read it through the eyes of someone on the shop floor, in the warehouse, or in your customer service team. Ask yourself whether it is written in language they would use, whether it is in a format they would encounter in their working day, and whether someone who had never heard the word “controller” would understand what it was telling them. If the answer to any of those questions is no, you have found the gap.

For more on how non-legal expertise strengthens the programme’s foundations, see Beyond Legal #26 on plain language consent mechanisms, and Beyond Legal #28 on making compliance visible across the organisation.


Article references: Article 5(1)(a) (lawfulness, fairness, transparency), Article 5(2) (accountability), Article 12 (transparent information), Article 13 (information to be provided at point of collection), Articles 15–22 (data subject rights), Article 83(5) (fines for transparency violations).

Series: This is post 12 in the Beyond Legal series — 20 roles, 20 days, real consequences. The story about Marta and Kieran is fictitious; the Irish and German cases are real.

Purpose and Means works with companies on data protection strategy, governance, and compliance — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your company, book a call or explore our services.

Author
Tim Clements
