You may have heard the acronym ‘GDPR’. In fact I’d be very surprised if you hadn’t.
It stands for General Data Protection Regulation and is something I’ve been looking at closely as data protection is very important to ResponseSource. I feel there has been a shortage of guidance on GDPR in the PR industry and some of our clients are inevitably looking for some clarity.
So we’ve put together an introductory Q&A that explains GDPR in a way that’s relevant to us:
What is GDPR?
GDPR stands for the General Data Protection Regulation. It’s new European legislation designed to harmonise data protection rules across Europe, creating consistency in how organisations must deal with personal data. In the UK our existing data protection law is quite strong, but in some other European countries it was quite weak; the GDPR creates a ‘level playing field’ across Europe.
Yeah, but what’s it all about?
To summarise, GDPR is all about getting organisations to give due respect to the personal data that they process. It’s not about stopping companies from processing personal data, but about ensuring it is looked after properly, kept accurate and not abused. By creating a clear set of rules across Europe, the hope is that this will help organisations provide better products and services and add value to the economy, without breaching the rights of individuals.
What is personal data?
Any piece of information relating to an identified or identifiable living individual is personal data. So even a single work email address that names a person is personal data. Details about a media outlet itself (its name, address, switchboard number) are information about an organisation, not a person, so are excluded from GDPR; the details of the named journalists who work there are not.
What is sensitive personal data?
Sensitive personal data (GDPR calls it ‘special category data’) is anything that reveals a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sex life or sexual orientation, and GDPR adds genetic and biometric data used to identify someone. GDPR places strict conditions on processing data of this type, and generally we don’t process sensitive personal data at ResponseSource.
Isn’t journalist info B2B data and therefore excluded from the rules?
This distinction existed to an extent under previous data protection law, but under GDPR there is no distinction between business and consumer personal data – a named journalist’s work email address is treated exactly the same as a consumer’s home address.
Who has to comply with GDPR?
Every organisation across Europe that processes (ie collects, stores, uses or manipulates) personal data must comply with GDPR. So the number of organisations impacted is huge – this is not just a media industry initiative.
Surely Brexit means we will no longer have to follow new EU rules?
The UK government is committed to GDPR despite Brexit. If nothing else, GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, so a UK company dealing with journalists or customers in the EU has to comply regardless of where the company sits. UK PLC would have a great deal of difficulty trading with the EU if we didn’t comply.
When does everyone have to comply?
By 25 May 2018.
How big a deal is GDPR?
In the UK our existing data protection legislation (the Data Protection Act 1998) is reasonably strong, so the move to GDPR isn’t necessarily a huge step. GDPR does tighten things up and does give greater powers to each country’s data protection watchdog (in the UK that’s the Information Commissioner’s Office, or ICO), including much larger fines. So it is a big deal, but not a radical change. At ResponseSource we’re already compliant with the existing legislation and have good processes in place, so for us it is not a big jump to be GDPR compliant.
Does GDPR mean that we need to get consent from every person in our media database?
The simple answer to this is no. Consent is one lawful basis for processing personal data under GDPR, and the one many organisations will rely on when storing data about potential customers, but it is not the only one. Where you have a genuine business need to process personal data, the processing is necessary for that purpose and it does not override the rights and interests of the people concerned, you may rely on what is called the ‘legitimate interests’ basis instead. You should record that assessment. This is the basis under which ResponseSource will be operating in terms of processing journalists’ data.
So, will PR people need consent before sending material to journalists?
No. In the same way that ResponseSource will be using legitimate interests for processing journalists’ data, we firmly believe PR agencies and in-house PR people can do the same. This would apply to any media relations activity they undertake (ie sharing information in order to get media coverage), but not to direct marketing (ie trying to sell things directly to the journalist), which is subject to stricter rules.
So, it’s not the end of unsolicited pitches to journalists?
No, it’s not – as long as PRs are sending material that is genuinely useful for creating articles or other media output, they may continue to do so. However, they must comply with GDPR in every other way – for example only processing relevant data, keeping data up to date, and acting on correction or deletion requests swiftly and efficiently.
Does GDPR make it easier for people to find out what data is being held about them?
Yes. GDPR tightens up the rules on ‘subject access requests’, where people can ask what is held about them, and strengthens the related rights to demand corrections or have data deleted. Requests must be answered without undue delay and in any case within one month, and in most cases no fee can be charged. At ResponseSource we are making our processes for doing this clearer and have created a new email address (firstname.lastname@example.org) for people to make such requests.
Has GDPR got anything to do with data security?
Yes. GDPR beefs up the requirement to store and handle personal data securely, using measures appropriate to the risk. At one end of this spectrum is ensuring our office is secure and strangers can’t walk in and access data, and at the other end is the use of encryption to secure data held on our central systems. One of the many things we have done at ResponseSource in this regard is to upgrade all our websites so they use encryption in transit – the evidence of this is that all our sites are now prefixed ‘HTTPS’. Note that HTTPS protects data while it travels between the browser and our servers; encryption of data stored on the servers, access controls and backups are separate measures and need to be considered separately.
So, if a company uses the Media Contacts Database does this mean they are GDPR compliant?
No, it does not. All companies must be GDPR compliant in their own right, because each is responsible for the personal data it processes. Using suppliers that are GDPR compliant obviously helps with this a lot, but it is just one step to compliance. This does not mean PRs need consent from journalists before distributing genuine media pitches via our Media Contacts Database (see the comments above about legitimate interests), but they do need to have a GDPR compliant data protection policy, live by it and maintain data securely.
What’s the first step to GDPR compliance?
The first step is to write a GDPR-compliant data protection policy and a privacy notice. The policy is your internal rulebook; the privacy notice is what you tell the people whose data you hold. It should explain what data you process, the lawful basis you rely on (for example legitimate interests), what you do with the data, how long you keep it, how you look after it and with whom you share it. It should also explain clearly how people can make subject access requests. The notice should be freely available and linked from appropriate places on your website (and in communications you send out). Our policy is at https://www.responsesource.com/privacy/
What are the next steps?
As mentioned above, you need to make sure your IT systems and internal security processes are up to current good practice and that your suppliers are compliant, and review this regularly. But possibly more important than anything else is the need to get your team to understand the spirit of GDPR. They must live and breathe respect for people’s data. Make sure your entire team understands the main concepts of GDPR so they can make the right judgements about keeping people informed of how their data is used, appreciate the importance of data accuracy and security and, crucially, abide by your data protection policy.
There is obviously more to it than that, but I believe if you consider compliance in terms of the three areas above you’ll be heading in the right direction. GDPR compliance is not a tick-box exercise; it’s a journey, and one that will continue after 25 May.