Crisis management: Internal communications and data privacy

Crisis management, a key ingredient in any good set of business continuity management arrangements, presents a conundrum:

How do we communicate effectively with employees and other individuals whilst complying with relevant laws on data privacy and respecting individuals’ personal preferences?

There are around 6 billion mobile phone subscriptions in the world compared with a total population of 7 billion, but that doesn’t mean that 86% of people have one. Some will have 2 or more, and children under the age of 8 are quite unlikely to have one.

In most organisations today all employees have a personal mobile phone and some have a company-issued one as well. So can we rely on them in times of crisis to spread the word? The traditional communication cascade, or calling tree method, relies on telephones, and the rapidly developing mass notification systems, which offer multiple platforms (including SMS), also rely on mobiles.

However, there are possible scenarios in which mobile networks are switched off and so these channels would no longer be available. So should crisis communication data include home telephone numbers and even addresses? And what about next of kin details?

All of this data can be managed securely in an organisation’s own network, but to make it available in the event of major incidents, it often needs to be accessible via external systems as well, increasing the risk of violation of data privacy.

Some organisations include personal data in hard copy plans, which are arguably much more vulnerable to compromise.

The point is that many aspects of BCM response cannot be 100% guaranteed to work and so the solution lies somewhere in a balance between:

  • Obtaining individuals’ consent for their data to be held for this purpose
  • Minimising the amount of data held
  • Using the most secure (digital) platform possible
  • Including the risk of not being able to communicate with employees in the risk assessment process

For more information on Data Protection training, take our one-day DPA Foundation Course, which gives new and experienced staff an overview of the Data Protection Act (DPA) and what it means for their business. Alternatively, if you’re looking for a ‘DIY’ solution, use the Complete Data Protection Toolkit, which includes all the tools you need to ensure your business is DPA compliant.