Putting The PR in GDPR

With less than a month until the new European legislation, known as the General Data Protection Regulation (GDPR), comes into force in the UK we look at what this really means for the PR industry, whilst putting some of those rumours and myths to bed.

Find out the basics

You can’t prepare for what you don’t know. So, the first crucial step is to make yourself aware of the key facts surrounding the GDPR. If you haven’t received training at your organisation it is probably worthwhile embarking on some personal research on the dos and don’ts when it comes to data protection. Sites such as the ICO are really detailed and can help you answer some of those burning questions.

Our Legal and Finance Director, Marina Hall says “Don’t panic, GDPR is a good thing and allows you to organise your data and the information you store. The legislation is enforcing best practice and requiring all businesses to have the same standards when it comes to processing and storing personal information.”

What data is included?

The GDPR may sound as exciting as watching paint dry but it’s important to know the details, especially as it will affect every business in the UK. You will need to know what qualifies as ”personal data”as you’ll probably find that you process it a lot more than you realise. The main areas could be:

  • Name
  • Email address
  • Mobile number
  • Bank account details
  • Addresses
  • Driver/passport number

The legislation covers indirect identification of personal data, as well as direct. This means marketers will need to think about pseudonymisation, a data management procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers. When these elements are brought together, such as a postcode used with a surname, this could lead to someone being identified.

Do I have to get permission from every journalist?

No; if you are using aggregator sites such as Gorkana, Agility or Response Source you’re covered. These sites require the journalists or organisation to opt-in to have their details shared, meaning you have permission as a subscriber to the site to access that data. In addition, business emails that are published in the public domain such as John.Smith@parliament.co.uk are exempt from GDPR and you are able to make an approach.

Freelancers can be a murkier ground. There is a grey area within the new legislation around “legitimate interest”. If, for example, you were representing an environmental charity and you wanted to contact a freelance environmental journalist, you can argue legitimate interest as the journalist would more than likely want to hear about your story. However, if you included the same freelance journalist in a big promotional email about something totally irrelevant to them it would be deemed misuse of their data and could lead to other problems.

How does this affect my client work?

Our top tips for most PR professionals would be to focus on the following.

  1. Make sure you know where to find your new updated contracts and how to explain them if your client comes back with any questions.
  2. Ensure you are vetting any third-party suppliers you might be using, such as photographers, copywriters or website developers. It might be worthwhile having a supplier agreement in place.
  3. Password protect your spreadsheets. If you have media lists, client to do lists or simply a data capture from an event, make sure they are securely stored away and password protected. If you’re unsure how to lock your work down seek help from your IT team who will be able to advise you.
  4. Don’t pass on details you don’t have permission to share. If you haven’t got permission, make sure you don’t share data with any third parties. If you do, this could it could lead to larger issues. If you’re unsure, check with the Data Protection Officer within your organisation for the correct process.
  5. The right to be forgottenthe new GDPR rules provide “data subjects” (individuals) with the right to request that their information be erased completely. This is not optional.
  6. Finally, know who your Data Protection Officer is. Most organisations will have an appointed person or team. Make sure you keep them in the loop if you’re unclear about the process or just want to clarify what you’re doing is the correct way.

Finally, we’d just like to add we are not qualified to provide legal advice, so if you have some bigger questions please do contact your legal counsel.

We hope you enjoyed our top tips; if you’re looking for a PR agency to support you or your business please get in touch with our award-winning team today.

Get in touch with the team