In episode 4 of the Government to Business podcast, Gavin analyses how governments effectively communicate regulatory change to businesses by highlighting the example of the EU's General Data Protection Regulation (GDPR).

He shows what works and what doesn't. And how you can apply this to your jurisdiction and government when significant regulatory change is going to impact business locally.

Listen to the show here using our podcast player or Youtube:


Or download and subscribe to future episodes using iTunes or Stitcher for Android.

How are governments communicating regulatory change in business?

Transcript:

Gavin: Welcome to another episode of Government to business. this week we're going to be looking at a very topical issue in the news and that is the changes that are occurring in the European Union. And before anyone who's outside of the European Union starts switching off, this is equally applicable to any government who's involved in implementing regulations and how to actually communicate that regulation to their businesses.

This week the EU actually puts into place the General Data Protection Regulation. Now that's the usual wonderful government speak for the changes that are occurring basically across all businesses when it comes to the way that they manage personal data, privacy, all those type of really, really good things. We've obviously seen a lot of things in recent months with Cambridge Analytica, with the way that Facebook and other businesses actually manage their personal information and personal data about citizens.

And this is interesting because this regulation actually was put into place by the EU two years ago,but it only comes into effect as of the 25th of May 2018. Now you'd be amazed with the fact that it's been two plus years since the European Union Parliament actually signed off on these regulations and it's now coming into effect and the fact that nobody is actually, well not actually nobody, that's probably a bit of a long straw to draw there. Many, many businesses aren't aware of actually what they need to do. They are increasingly becoming aware of this regulation because it is just everywhere within mainstream media and also within the Twitter universe and all those other wonderful places as well. And that's got a lot to do with the fact that many businesses don't know how to comply.

Now if you're putting yourself in the shoes of an actual business owner and you know or you've heard there's a new regulation that's coming into place that you know it's going to impact on your business. Where is the logical place you're going to be going to find that information to help you implement and meet those regulatory requirements?

Now you've got one of two choices really as far as many businesses would be concerned. The first one and the most logical one would be you'd go to Google. And because that's the way that we all work nowadays. So by going to Google you'll likely to be searching for what's the words you've heard. Now within the most of the English speaking European nations within the EU, and that's not many, it's obviously the United Kingdom, there's Ireland.

Basically the General Data Protection Regulation is known by its acronym and that's been what's been referred to within the media: GDPR. Within many of the other European languages it's basically referred to by alternate acronyms I guess and that's based on you know, what the actual language is that people are speaking but in most cases it's something a little bit closer to and probably the most common one we kind of see relates I guess to France, relates to Germany, relates to Spain and that's instead of GDPR it's kind of referred to as RGPD. A wonderful thing there, another series of acronyms all mixed up. I can't remember exactly what that word is when you kind of mix up the same letters but it still means the same thing. But you know what I mean.

So chances are you're going to be going to Google and you're going to be searching for those terms. Now I did, I wrote an article around this probably about a couple of months ago and the main reason for that was a lot of the papers within the UK were reporting that businesses didn't know about this change and we're really, really grappling with the problem.

And that particular article looked at how the UK was dealing with GDPR but also how its main partners - or competitors depending on which way you look at it in this new Brexit world - France, Germany, Italy and Spain were actually managing this.

And due to the wonders of the internet of using VPN's and so forth, I was able to go in and pretend that I was effectively a business using the local version of Google within the UK, within France, within Spain and so on. And searching for those particular keywords that businesses were going to be searching for.

Now when I put that, and wrote that article two months ago which is called "Sleepwalking into a European Government to Business disaster", what I found was that generally speaking the experience as far as the customer, the business customer was concerned was you know, frankly atrocious. When someone went to Google and they would search for these terms the actual chances of them finding what they were after was pretty low when it came to getting an authoritative source. And that authoritative source being government.

Government should be there providing this information in a trustworthy manner, providing it in a way that's easy to consume, easy to understand how a business owner should be able to pick up those regulatory changes when it comes to data protection and managing privacy and implement it within their business.

One of the key challenges I guess involved in all that is the fact that when many businesses look to government they tend to look towards, you know, an actual domain name which identifies that level of trust and that obviously involves in many jurisdictions having a .GOV domain. Whether that's you know, you have a obviously a country, a top-level domain country addition to that, such as you know .uk, .fr whatever happens to be the case. You tend to look for that.

Now different jurisdictions do things in different ways. So whilst some some areas for around the world, Australia for myself as an example we would tend to have, you know, top-level domains being something like a .gov.au. Much the same way we would have a .com.au. Same thing in UK for businesses do you'd be having something along lines of co.uk and for government, .gov.uk.

Some governments do things differently and they just don't have that at all. It's just straight .fr for France as an example and within Spain it's just a straight .es which does make things a little bit more challenging. Anyway I digress a little bit.

The main reason here in the main thing I want to focus on is the fact that when I wrote that original article there was a lot of issues there with the fact that governments weren't being found in Google. Some of that's got to do with a lot with the way that government has structured itself and presented this information.

The usually, the responsible agency within each of these jurisdictions tends to be like an Information Commissioner or the office of an Information Commissioner. And in a lot of these jurisdictions they simply don't run off a .GOV domain. In the UK is an example, they run off a .org.uk domain which is for ICO, which is the Information Commission's Office.

Now unless you actually happen to know if you're in, you know, if you're a business owner that this actually is an authoritative source, it's an independent source that's being kind of set up as a quasi-government organization in the sense it's meant to be at arm's length from government, but it still ultimately reports through to government. Your government may have different words for this; statutory authority, whatever happens to be the case.

What we tend to find is that businesses are looking for that .GOV domain. Trying to find, who is an authoritative source I can get this information from? And if they don't find it, they just you know, will move onto something that does look like it.

And one of the main problems I found when I was originally looking at this was a number of businesses, and one business in particular was very, very astute in the way it presented itself to business owners within the European Union and elsewhere when it comes to this regulation. And that's the fact that they set themselves up on the domain name eugdpr.org.

Now I mentioned before around the fact that you know people look towards a gov as an authoratative source, an independent source. .edu similar boat. .org is probably in the same type of ilk. You tend not to expect you know, a commercial operation to generally be on a .org. You expect it on a .com or one of the many other different variations of domain names.

Having a .org though, it makes it kind of sounds like it's almost like semi-official. It could actually be official.

And that doesn't kind of, you know, it lends itself to that when you consider that many, you know, quasi-government organizations or supra-national government organizations like the EU, they tend to go around on.org domains. So it would not be unexpected at all for a business to see something like eugdpr.org and expect it to be a government or an European Union government website. And it simply not. It's run by a private company.

They've actually done a wonderful job of presenting themselves almost as being government but without crossing that line and actually, you know, saying "We are government." So they've done things the right way in the sense that everything is totally legal. I'm not disparaging them whatsoever in questioning the legality of the information they provide and the way that they present themselves. It personally, as I said in the article, it's not the way that I'd like to do business. I'd rather be up front and be quite transparent about things but it's the way that they've chosen to market themselves and in doing so they've done exceptionally well.

The fact that they're well and truly at the top of the search engine results placements for many, many searches. It doesn't matter which jurisdiction you happen to be in you're generally finding this particular website. And one of the problems I guess with all that is not only is, you know, businesses likely to be using that particular service which means that they're likely to be to kind of outreach, and you know, try to hook up with this particular company for advice which no doubt, you know, they'll pay for. But it kind of masks the fact that, you know, governments tend to want to present themselves in a certain way. An independent way. Businesses expect that as well. And they're looking for that. And if they can't find that, they're going to go to wherever they expect next.

The other way of course that businesses are likely to be trying to find that authoritative independent information from government it's actually to go straight to the government websites themselves and to search for that. And when I did this particular review two months ago a lot of governments did this very, very poorly.

It didn't matter whether you were looking at the UK, France, Germany, Italy, nobody was basically putting up front here are these regulations that are coming into place that are going to have a monumental impact on your business. And they do have a monumental impact, you know, the actual financial results can be up to four percent of a other company's earnings and it goes into the millions of dollars that they can be fined for not complying.

And I should actually say this law actually doesn't just apply to a business operating within the European Union, it applies globally.

So that if you're an American business and you happen to be doing business in the EU, you're selling your services into the EU, or any other jurisdiction around the world who is selling to and keeping personal information about customers in the European Union, you actually need to meet this regulation.

I mean if you don't you could have the potential to be up for, you know, quite severe fines. The issue I guess as I said before, was the fact that many governments don't present this information very, very well.

Now I found when I first wrote this that Spain was doing a half decent job so well done to them. But everyone else was generally doing a very, very poor effort.

Since reviewing government responses to GDPR and business, what has changed?

Now two months down the track I would have thought that governments would be going, "We really need to be doing something about this. How do we kind of get this up on the radar of our government portals, now whether that's a citizen portal or more particularly a business portal. And the problem is that's pretty far and few in between.

There's not many governments that actually have that collective view of creating a seamless experience for the business owner, the business customer. It's still way too fragmented into agency silos which is just an absolute, you know, tragedy as far as businesses are concerned. It's actually a tragedy for government because they're missing out on this opportunity to create and make it easy for businesses in their area to start and grow and in doing so employ which is what governments want.

They want to kind of see growth, they want to see the economy growing,they want to see people being employed. So it's crazy that they're not actually doing this in many, many different areas.

So to that end I expected two months down the track for people to be doing things differently.

So quite frankly they're not doing a very good job at all. The one area that I found that had changed a little bit to a certain extent was within France. So in France nowadays as opposed to two months ago, when you do a search for the term RGPD the number one result within google.fr if you happen to kind of run off a French IP address is the cnil.fr pages. Which is the commission, sorry I'm not going to do a very good French accent accent here so please, please don't email me about it, but the Commission nationale de l'informatique [et des libertés], basically the Information Commission, Freedom of Information Commission within France.

So they're doing a good job in the sense that now they can be found within Google. But if you go to any of the French government websites for business there's still no mention whatsoever this regulation up front within features, within alerts, within the overarching information architecture.

So the UK really isn't much better when it comes to this. The Business is Great website, which is kind of like a, I suppose a splinter web site off .gov.uk, still has absolutely no mention whatsoever of this regulatory change. The actual official .gov.uk website, which is meant to be the portal for all citizens and businesses: nothing. No mention whatsoever within the features, very little information at all even when you kind of drill down into the data protection area for businesses. It's a real hodgepodge. It's an absolute mess. I kind of shake my head every single time I kind of start using this website because it is just so badly architected and so badly designed for businesses in particular.

And when you use the search all you can pretty much find if you're looking for GDPR is, you know, attempts I suppose of where government has attempted to contract out to businesses and therefore what it's going to do when it comes to data protection to meet obligations with GDPR. It's really, really, really bad.

The situation within Italy no change whatsoever, still a very, very poor experience.

Within Spain again they haven't actually made any changes to the the Information Commissioner's websites within Spain. Which is okay because it was actually quite a quite a good experience in the sense that there were many many features and many things being pushed towards businesses around the changes.

But when it comes to using Google to say, within Google.es searching, it's kind of the official government pages are coming behind Wikipedia.

They're coming behind businesses such as EUGDPR.org who are, you know providing that how can a business help your business comply with these regulations. Although usually doing it in such a way that it's not often entirely clear who the actual owner of the website is.

So that's how things sit when it comes to a number of those governments. Germany wasn't much different at all.

So I started going, okay because, I started thinking about well the fact that these regulations do impact on many businesses around the world how do they apply and how is it being dealt with within say for example United States?

So to that end I've kind of had a bit of a look around if I was using Google: very, very bad experience again. I couldn't find any government websites at all within the United States talking about this on the ten results from Google. Let's be honest that's all that anybody actually really looks at nowadays.

So I went to usa.gov/business. Nothing. I went to the Small Business Administration website. Nothing. I had a look around export.gov. Now there's nothing on the homepage but with a little bit of navigating eventually I found some information which was around the guidance that could be available for American businesses on GDPR. However it was really, really high-level and towards the end of the big long page you had a link off to the European Union's page around GDPR. And bizarrely, and I don't know why this particular government website does this, but it actually printed out within the actual article the URL in full but didn't turn it into a hyperlink. So if you actually wanted to go to that page you had to kind of copy it, paste it, put it into your browser window. Not a very good experience whatsoever.

So I did have a look at a couple of other sites because obviously last time around I looked at the bigger sites like the UK, France and so forth and I thought, well I'll look at Ireland. I mean Ireland is generally speaking, you know, they have English as a main language. And I had a look at gov.ie which is kind of like, I suppose the equivalent of gov.uk,

And had just a bad experience to be perfectly frank. You know it was like just the way like gov.uk presents things: this big long laundry list, all in alphabetical order. When it came to say the business resources and after a long, long, long, long amount of scrolling I found nothing there to help me when it came to complying with this particular regulation. I thought okay well I'll go to an agency page maybe that might help.

So I entered the Department of Business, Enterprise and Innovation. Now there was nothing ontheir homepage, there was actually no logical path within their navigation to find anything so I went and used their search result; used their search engine. And surprisingly the actual number one result term brought up was around GDPR which had a really good overview.

So I guess if you were an Irish business and you're trying to comply with this regulation, if you're kind of lucky enough to strike it that way, you're going to find what you need. But you know, good luck on Google.ie. There's nothing there about the Irish Government. The official EU website comes in at number 8 much the same way as in America it comes in at number 8 on google.com and Ireland on Google.ie comes in 8th and again behind Wikipedia, behind news and blog pages and these company sites that are putting themselves forward to assist businesses and doing so in such a way that it's really not sometimes clear who they are.

I have had a look at a couple of other sites.

What extra countries are communicating regulatory change to business well?

The Netherlands does a remarkably excellent job in some ways, but in others doesn't quite meet the mark. So the reason I say that is if you go to Google.nl and you happen to mask yourself within your VPN to be coming from the Netherlands and searching for GDPR are searching for our RGPD there's not a lot when it comes to the government space. Again Wikipedia, GDPREU.org are doing very, very well in the results listings there. The official EU sites coming at fourth and fifth and this I guess presents a broader issue for the Netherlands government when it comes to domain strategy and linking strategy.

That's probably a story for another day but I'll kind of say look they probably could do better in that particular space. That said they have done a remarkable effort and one I truly actually want to congratulate the Netherlands government for when it came to the experience on their whole of government business portal which is business.gov.nl.

Now on their home page there was a very, very prominent link through to the changes with GDPR. When you follow that link they had some very, very good useful advice and also a really handy diagnostic tool which was similar I think to the the UK's Information Commission's GDPR tool where it actually walked you through, you kind of answer questions about the way that your business uses personal data and presented, you know, a bit of an assessment with how you're tracking against meeting and complying with the regulation.

So great experience as far as a Netherlands business would be concerned with a Dutch business, trying to find this information within the actual website and being able to have their questions answered and on top of all that actually having at last a wonderful experience as far as bringing together business information across all of government into a single location. So [clapping sound], that's a poor effort of me kind of clapping. I really want to kind of tip my hat off to the Netherlands. Great job there in that space.

The last one I wanted to refer to is actually Switzerland and this is interesting because Switzerland whilst it's surrounded by countries who are all members of the EU, isn't a member of the EU itself due to various, various reasons. Which I won't get into again.

And if you hop on Google.ch which is the Swiss version of Google and search for the right same type of search terms as I was mentioning before, what they've done and what they've done well here is coming at number one and number two in the search engine results in Google.ch were the actual government pages around the regulatory changes.

Now these were presented in French and for those of you who aren't aware within Switzerland it's very much a bilingual nation where various depending on which canton you happen to be living in, some parts of Switzerland speak French, some speak German, some speak Italian and of course there's a fair amount of smattering also of other languages. There is English obviously as an international language of business so to have number one and number two in Google linking straight through to that authoritative government source within the admin.ch website speaks volumes as far as I'm concerned.

And looking at the back end with the domain strategy you can clearly see that Swiss government has been very, very smart indeed when it comes to the way that they're presenting information and the way that creating these backlinking strategies to ensure that Google is placing them very much at the top of their search results. Now when you go into those pages the ones that are coming through at number one and number two.

Number one gives a high-level overview and then links through to a PDF document which is an 11 page document around guidance about compliance with GDPR. The number two on the list actually is the document itself. Now I can't really give you any clear analysis as far as I'm concerned about the veracity of the information and to what extent it's useful and easy to, you know, implement within a business mainly because I don't speak French and I can't read French. So from that perspective my apologies on that but my guess and it might be totally wrong so please let me know if you can speak French and you go to those documents and you read them and you find they're not very useful, I would expect that the approach that's been adopted by Switzerland, is generally very, very professional in this particular space and I would be incredibly surprised if the information provided to Swiss businesses weren't accurate and also easy to use.

So wrapping things up what I just want to kind of refer to and it doesn't get it doesn't matter what regulatory, what country you're in, what jurisdiction you're in, when it comes to providing changes, significant changes to regulatory information it's imperative that you got that information out there, that you're communicating to businesses.

Now I've obviously been using Google as the key way of doing so because that's the way that 90% of all businesses when they're generally speaking looking for information and need their answers, their questions answered, that's where they go to. But obviously you should be looking at a broader communication strategy around offline media as well as that online media space, and part of that offline media if you have, you know, the actual access to the registration, the business registration, the information would be to actually have that direct mail marketing occurring as well to raise awareness amongst businesses in that, your jurisdiction around these changes if they are significant changes.

One thing though, it's absolutely imperative to do is to have the right strategy in place to present that information where it's a significant change to business in a clear concise format and making sure that it's easily accessible not just from your actual agency website or where it happens to be, where that information is stored, but it's linked together, it's all part of a seamless experience so that any business when they're going to, you know, an actual relevant business website run for, by government within your jurisdiction will find that information, will discover that information and in doing so that's also going to help Google find that information so that it is being discovered and when business is looking on Google to try to find that as well.

That's it for today. I look forward to hearing from you if you've got any advice or suggestions on topics in the future please let me know at gavin@governmenttobusiness.com. If you found this interesting. Of course make sure you write and recommend on iTunes or Stitcher and don't forget of course to subscribe.