How Does GDPR Affect PR?
In the last few months as I’ve slowly become aware of GDPR and its ramifications, I have realized that my colleagues and clients here in the US are equally ignorant about how this may or may not affect PR. I started by trying to gather information and guidance from both Cision and Meltwater since I figured they would be in the know given that they are the primary sources in the US of data on journalists. But, I found that, at least with our contacts in the US, they really were not aware of the regulations or what might change for them or their clients. They have started sending out some GDPR emails since I first asked, but it’s clear they are still in the early stages of understanding, as are we all.
Over the last few months, I have also asked several clients, and while they may be developing policies internally, they have not yet developed any guidance or protocols for PR specifically. Many have little to no knowledge of GDPR at all.
So, essentially, for the time being at least, PR firms seem to be on their own.
The first thing is, I’d bet that many US PR people think GDPR doesn’t apply to them because they don’t do European outreach. But, from what I have learned, GDPR applies to protecting the private information of any EU citizen no matter where they live, and to any resident of the EU even if they are not an EU citizen. It applies to any company using the data of EU citizens or residents regardless of where the company is located. I hope all of this grabs your attention as it did mine because I know that I have journalists on every one of my lists that fit those criteria. And, I certainly don’t know each and every journalist on my list well enough to be certain if they fit those criteria or not. By the way – the UK appears to be saying they will comply with GDPR too even as Brexit proceeds.
So, let’s just assume GDPR applies to all of us.
Now, if you’ve read about GDPR you will see that one of the prime tenants is that you have to get explicit consent to use that private information (name, email, phone, etc.). I’ve read some guidance that there is a lesser-known caveat being referred to as “legitimate interests.” This appears to give PR a bit of an out but does not absolve us of all responsibilities. What this appears to mean is that someone has recognized that PR people HAVE a legitimate need to contact journalists and that it is not reasonable or probable that we will be able to get explicit consent from every single journalist we contact for every single client. Legitimate interests especially seem to apply if you contact journalists “occasionally.” If you are blasting out generic emails on a pretty frequent basis, you may want to look more carefully to ensure that your idea of PR is not a clear violator of GDPR.
All that said, even if we do feel we have a legitimate interest in reaching out to journalists, we do have to make it clear that journalists can opt out of our list at any time, and then take immediate steps to ensure that we eliminate their data from our systems if they do opt out. They can also ask to see what data we have on them at any time. If we do not respond to such requests quickly, we, and I believe our clients, could be held liable and fined up to €20 million or 4 percent of annual turnover (whichever is greater)! How would you like to explain that to your client?
I am not getting into websites and cookies, but if your firm goes beyond media relations and into areas like paid social and digital campaigns – there are a number of things you need to think about for those channels as well.
- Sit down with your team and put together a checklist of the basics. There are some out there that you can use as a guide, and I list a few below. Check your process with your legal counsel. If regulators come calling you want to be able to show good faith. This applies to every company, no matter how small, so don’t think you are exempt.
- Once you map out your process, communicate it to every client so they know you are thinking about it. Put the onus back on clients to provide additional requirements/processes for you to follow. Put this in all contracts as well. See if you can vet your process with their legal team too.
- Add an explicit opt-in form on your website for journalists who don’t want to miss your news or your client’s news. Add a note about opt-in/opt-out to the bottom of your press releases and to your email signature. Be transparent about what data you hold on journalists and what you do with it. Suggest clients do the same.
- GDPR requires that you respond to a request to “be forgotten” in no more than one month and that you alert people if their data has been breached or potentially breached in a similar timeframe. It does not appear that you have to fix the problem or take them off every list in that timeframe, as I read it, but you do apparently have to alert them quickly. Put someone in charge of this and build a process. Have someone else responsible to check frequently to ensure it’s being done.
- Stop sharing personal information on a journalist that you obtain – i.e. cell phone. Media databases encourage you to add these to notes that others in your organization can access. Erring on the side of caution should probably be the new best practice and just keep that info to yourself. Label that information in your database or spreadsheet as private so that if others on your team do have access to it, they don’t think it is public information. You may also add a section to your database to mark if a journalist has opted-in explicitly or opted-out.
- Be cautious about using outside lists from tradeshows or other sources whose data collection policies you do not know.
- Try to identify journalists on your lists that are EU citizens or residents (or potentially are) and consider whether you want to err on the side of caution and ask them for explicit agreement.
- Make sure your freelancers are compliant with your processes and ask them to return all lists to you when they stop working on your accounts.
- Part of GDPR is also taking appropriate measures to protect this personal data from being accessed. As a PR person, you likely don’t have a lot to do with data security measures but someone on your team has to take on this responsibility. Someone must work with IT or your outside partner to identify and fix any security gaps that might make your databases or email vulnerable. You must be able to communicate your security measures to clients if their team asks for proof of compliance. You must vet outside vendors, partners and freelancers to ensure their policies, processes and security protocols meet your minimum requirements. As the data processors or owners, PR people are liable for complying.
- Finally, use this as an opportunity to open a conversation with your clients about their policies and internal processes. Show them that you care about compliance and want to make sure they are protected. You may suggest that they run their process by corporate legal and define the role of corporate communications in complying with GDPR themselves. A crisis communications plan should be developed in case of a breach.
Remember, we are all learning here, and privacy regulations will likely grow across all countries in which we do business. GDPR is just the beginning, and PR professionals need to be good actors in this. Get your team going on a process and take steps to get your firm and your team in compliance with this sweeping, and game-changing, regulation. Bottom line, we cannot stick our head in the sand and claim ignorance. The stakes for our firms and our clients are too high.