For communications professionals, our databases or ‘little black books’, are our most valuable assets, which we protect as if they were the crown jewels. However, let's not forget that the deadline for GDPR looms closer!
It's safe to say that for many of us, pitching to the most cynical of editors seems like a walk in the park compared to understanding the new regulations and how they affect our work. While Google throws up hundreds of long-winded articles on GDPR and online PR forums go into overdrive the minute it’s mentioned, the UK’s Information Commissioner, Elizabeth Denham, assures us that the GDPR is an “evolution, not a revolution”.
So, can we take our fingers off the panic button?
What is the GDPR?
The General Data Protection Regulation (GDPR) is the biggest change to data protection rules for over 20 years, replacing previous legislation that has been in place since the 1990s. The new regulations are designed to give consumers much greater control over their data, while putting the onus on businesses to keep this information safe and respect the data privacy of their customers.
GDPR and the PR industry, are PR professionals affected?
Absolutely. All individuals and businesses that process or store personal or sensitive data must abide by the rules – that includes startups, small businesses, freelancers and the self-employed.
By personal data, the regulations mean any information that can be used to identify a person, such as their name, email address, IP address, and so on. Sensitive information could be details such as genetic data, sexual orientation, religion or political views.
Does GDPR mean the end of media relations?
No. ‘Consent’ is a hot topic for PR professionals when it comes to GDPR, with regulations stating that individuals must ‘opt in’ to allow their data to be held and processed. Yet, we should perhaps be looking more closely at one of the other conditions that allows for the processing of personal data - ‘legitimate interest’. Put simply, one can claim a ‘legitimate interest’ if the processing of personal data is fundamental to your day-to-day business.
The PR industry would quickly become inoperable if we had to send a consent request to every journalist we dealt with, and would hinder journalists in their ability to access information and report fairly. And while generic email pitches and press releases sent to old or untargeted press lists will undermine the regulations, targeted and professional communications sent to relevant media should be considered a ‘legitimate interest’ and should therefore be allowed.
What other changes do PRs need to be aware of?
While ‘legitimate interest’ should ensure we can continue to engage freely with media, there are many other areas of GDPR which must be complied with, including storing only relevant data, deleting data that is no longer needed and ensuring that requests from individuals to change and delete their information are responded to quickly.
What happens if I’m not compliant?
Fines for non-compliance will be going up, to a maximum of €20m or 4% of annual turnover. That said, The Information Commissioner’s Office (ICO) has said it will act lightly towards businesses who can show a clear and organised approach to how they secure their data and how they respond to potential issues, particularly within the first 72 hours of an issue being identified.
How can I make sure I am compliant?
While larger PR agencies will be able to dedicate resource in terms of time and money towards GDPR, that’s not a luxury that most freelancers have. So how do we conform?
The good news is that The ICO recognises our challenge. Elizabeth Denman has said: “There are 5.4 million businesses in the UK that employ fewer than 250 people. When it comes to data protection, surveys show they tend to be less well prepared. We know that most businesses want to get things right but often struggle to find the key steps to get started. They also have less time and money to invest in getting it right.”
The pit of information is bottomless when it comes to understanding the regulations. So what are the key points to bear in mind?
1) Respect data privacy
The personal contact information of a journalist doesn’t belong to you as the PR professional, it belongs to individual journalists. Remember to be proactive about keeping this data private, it is your responsibility.
2) Manage personal data
Whether its data from a media database or an internally built list, you must understand what data you hold, where it is held, how it is kept and when to delete it. Back it up and manage it.
3) Mass mail outs are a no-go
Don’t abuse personal data with mass mail outs. Apply a strategic and personalised approach to your media relations.
4) Corporate Responsibility: Name a champion for personal data
If you’re a freelancer, this will be you, if you are part of a team, appoint a competent person to champion data protection.
5) Secure your digital infrastructure and be transparent
Make sure your cyber security is up to date and be open about your processes. Media and your clients will appreciate your transparency, which will only serve to increase trust.
For further information, the ICO has a downloadable 12 steps to take now to prepare for GDPR graphic, which is a useful for understanding where you need to start. A dedicated advice line for small businesses has also been opened on 0303 123 1113. Select option 4 to be diverted to staff who can offer support.
And for further advice specific to the PR industry, the PRCA has a free to access FAQ which covers many of the questions relating to our industry.
*This blog post does not represent legal advice and is the opinion of The Work Crowd only.