Annoying yes, but likely to be a short-lived symptom of General Data Protection Regulations (GDPR) coming into force.
So what does GDPR really mean for journalists, if anything?
Put simply, GDPR clarifies how organisations can process personal data, makes this more transparent and allows people more control over how their data is processed. It also gives the relevant authority – the Information Commissioner’s Office (ICO) in the UK – more power to enforce data protection rules.
Of course, if these rules were to apply in full to journalists it could severely compromise their ability to do their job. How could you investigate a person who may have done something wrong if you are unable to store and process details about them without notifying them or giving them consent? Or if they initiated a ‘subject access request’ as soon as they got a whiff you were looking into their affairs?
Criminals, dodgy businesspeople, politicians and the like could use the new, stronger data protection rules to nobble journalists and weaken a critical pillar of our democracy.
The good news is that there are exclusions to much of the data protection rules for journalists. These existed for the old law – the Data Protection Act 1998 – and have been carried forward under GDPR by the new Data Protection Act which was passed by Parliament today (23 May 2018). However, there continues to be demand from some MPs and pressure groups for the media to be restricted further, despite the UK already being ranked 40th on the Reporters without Borders World Press Freedom Index.
The other way GDPR will impact journalists is in the way it applies to how organisations – represented by public relations (PR) professionals – process journalists’ personal data. Unlike journalists, the PR community must comply with GDPR in full. Therefore the way they process journalist personal data needs to comply with the new rules.
A great deal is said about ‘consent’ in GDPR – the apparent requirement for organisations to get permission from people before they process their data. Consent simply does not work in the fast-paced, information hungry world of journalism. While it may on the face of it be a solution to irrelevant pitches, requiring consent for PRs to contact journalists could be just as annoying for journalists and would be damaging restriction on access to the media, as I have written before.
But consent is in fact just one of six ‘grounds for processing’ organisations can use under GDPR.
What fits the bill for PR is something called ‘legitimate interests’. What this means is that PRs have a legitimate, fair reason to process data in order to do their job. The ICO has provided specific guidance on legitimate interests and recommends organisations do a three-part test to check it is suitable – I have done a sample ‘legitimate interests assessment’ for media relations which demonstrates how this works.
What this means in a nutshell is that PRs will continue to process your data, but the law will motivate them to do so better. This will include keeping data more up-to-date and secure. In addition, the rules (and the potential of an ICO investigation) should put pressure on PR professionals to be more targeted in their pitches, which has got to be a good thing.
It may take time for the hysteria of GDPR to settle down. For a while some PR professionals may ask you to ‘opt in’ to their lists – entirely unnecessarily. The threat to the exclusions from data protection rules that journalists require in order to do their jobs will hopefully fade. On the whole your data will be looked after better and you should continue to be able to investigate those at the centre of your stories unhindered by GDPR.