Tick tock, not long to go till the new EU data regulation comes into force.
Like many in the PR community, I am one with many unanswered questions. I have gone to our media database supplier and CRM provider, who merrily tell me all will be ready for the 25 May 2018 deadline.
Wanting to know more, I attended a joint CIPR/PRCA event called GDPR: making comms compliant, and this is what I learnt.
PR agencies need to be ready for GDPR, the general data protection regulation that comes into effect in May 2018, though legal firm Gateley, who was co-hosting the event, was still waiting for final ICO guidance, like we all are.
- To stay legal, the major consideration is to undertake ethical PR, where any data stored and used is for a legitimate business interest, so for example journalists would expect you to have their email address to send news about a topic they are interested in
- If you are using a media database only, they will have gathered all the consent you need, and they will be approached for any breach as you are just reusing their service for mailings - BUT make sure that they are compliant!
- If you decide to create your own lists, then this is where it gets tricky
- A journalist working for a national newspaper and with an @thetimes.co.uk or similar business email address, is not included under the GDPR guidance, as only personal email addresses are, so freelancers for example
- You need to be able to demonstrate compliance - so have a policy and data controller
- If you suffer a data breach (loss), you will need to report it to the ICO within 72 hours.
However, we're not all about journalists are we? We may hold personal data about prize winners, bloggers, influencers, event attendees etc. This is when the dreaded consent aspect of GDPR comes in. And not just from 25 May 2018, but this applies to historic data.
We basically need to get consent to do things with the data. Consent must be opt in and clear and can’t be assumed by inaction. According to the Gateley team, you don’t need to have consent if what you are doing is covered by contract performance or by a legitimate business interest. If you do go out and get consent and it’s withdrawn, then you need to ensure that all your databases are updated, so don't be overenthusiastic about getting consent if you are covered by legitimate business interest.
Action points for PR agencies - I would say for us all for good practice, but especially the larger agencies:
1. Datamap - analyse all the things you do with data
2. Familiarise yourselves with the ICO guidelines, be ready to change the way data is collected and used
3. Know where all your data is and start to consolidate it. It can no longer sit on "Jenny", the PR assistant’s laptop as a download
4. Centralise data - once you know where the data is, consolidate it. I would put it into a CRM system
5. If info sits on a third-party database, you rely on their compliance, but let's face it, we all have our own lists. I'd probably dump as many old ones as possible
6. Project manage work streams to ensure compliance
7. Rewrite data protection processing notices/policies to be transparent and cover all things in the data map. For example, if a journalist gives you a card, you should send them your data processing policy - cover that in your policy
8. Be ready for subject access requests - anyone can request all the info you have on them, and through the right to be forgotten, can ask it to be removed
9. Accept that everyone is accountable. Ensure that all your team is trained and understands GDPR
10. Test your approaches
11. Include a privacy notice on emails
12. Create a data promise outlining what you'd do with data. The BBC and Channel 4 have good examples
13. Use resources from the PRCA and CIPR. The latter has an introduction to GDPR (only for members), but it's very media relations focused, so needs some updating.
Some questions that were asked during the event that I thought were interesting:
Does GDPR mean that historic content such as prize winner news releases needs to be removed unless the subject consents to usage?
Just like photographs, the data is for legitimate business interest so not subject to consent.
How do corporate press offices handle data given to them by third parties, and use their name in press follow ups?
If contacted directly, you start processing data and should send a processing notice to say what you will do with that data. But this might feel a bit weird and not help the person feel better, so that's probably something you'll need to cover in your data policy. If given data via third party, you’d probably be relying on legitimate business interest. The best thing to do is to talk to the person and ask what s/he’d be happy with. If you can’t contact them, then make your own decision depending on your appetite for risk.
Do journalists have to consent to receive press releases?
This is covered by the new Privacy and Electronic Comms regulation, also coming in 25 May. If the regulation doesn’t change that much, then if a journalist is a self-employed freelancer, you should gain consent if you are marketing to the journalist - adding him onto a list of weekly sales deals, for example. If not classed as marketing, you wouldn’t need consent, as sending a release is a legitimate business interest. Again, if the journalist works as a staffer, then GDPR is not applicable, as you are not contacting them as an individual but as a staffer of a paper.
If you spot a journo and add them to a list, do you need consent?
This would be classed as a legitimate business interest, so no consent needed.
Useful reading here via Daryl Wilcox from Responsesource regarding his view on GDPR and its effect on PR & media databases: https://wadds.co.uk/blog/2018/1/15/gdpr-for-public-relations