General Data Protection Regulation (GDPR). A mouthful. And hard to get excited about. While there are creative campaigns to come up with, colourful content to craft and scintillating stories to pitch, complying with a chunk of dry data protection law understandably falls down the priority list.
But if you’re not already looking at it, now is the time to get down and dirty with GDPR. The clock is ticking before we all have to comply 100% with this critical legislation.
Scary, huh? But let me present GDPR in a way that may motivate you a little more to embrace it, and perhaps even enjoy it.
GDPR is something I have been looking at for many months and it’s my firm belief that this cumbersome piece of regulation, which on the face of it appears to present a load of new hoops for us to jump through even though we have fairly strong existing data protection rules, could in fact be a force for good for the PR industry and help to further elevate it as a profession.
I say ‘could’ because GDPR, as a set of rules designed to unify data protection legislation across the European Union, is inevitably broad and high-level.
Exactly how it will work for you and me and the individuals whose data we hold will come down to guidance provided by the local agencies tasked with policing it – in our case the Information Commissioner’s Office (ICO) – and case law that will take time to evolve.
The amount of guidance provided has been limited but so far the ICO is taking a pragmatic approach, which is reassuring.
Anyway, back to GDPR and what it means for the PR industry. First of all let’s explode some common myths.
First myth – GDPR is aimed at the PR industry, because it has the letters ‘P’ and ‘R’ in it.
Nope. It will affect every organisation in the UK that stores or processes people’s data. It’s not just a media industry issue, though the potential impact on us is perhaps more significant than other industries.
Second myth – GDPR is European legislation, so once we have left the EU we can forget about it.
Fraid not. The UK government is committed to GDPR despite Brexit because if nothing else you only have to store one person’s data who happens to reside in the EU to have to comply completely with GDPR. UK PLC will have a great deal of difficulty trading with the EU if we don’t comply.
Third myth – media relations will grind to a halt because we’ll have to get permission in triplicate from every journalist before we can send them as much as a single-sentence pitch.
Not so. Under GDPR ‘consent’ is an important legal condition under which we can store and process people’s data, but there are others too. I’ll go into this more later.
Fourth myth – compliance is just about making sure all your suppliers are compliant, then you’re compliant by default.
This couldn’t be further from the truth. All organisations have to be compliant in their own right; ensuring suppliers are compliant is just one small step in doing this.
Fifth and final myth – the ICO will have powers of arrest and will send armed officers in to any company before fining them millions of pounds if they are suspected of the slightest infringement of GDPR rules.
OK, I may have gone a bit overboard on this, but the point I’m trying to make here is that although GDPR beefs up our already fairly robust data protection laws and the ICO will have greater powers, the indication is they will be using those powers in a sensible and proportionate way, in particular when it comes to smaller businesses.
So, myths busted, how do you go about complying with GDPR (which, by the way, you have to do by 25 May 2018)? The CIPR has issued a general guidance document and PRCA is offering training – and I hope soon they will start delivering more support to the PR industry on the issue. I can’t give you a full A-Z on compliance in this post, but here’s my summary of what you need to look at to achieve compliance:
Make sure your IT systems and internal security processes are up to current good practice and your suppliers are compliant. Review regularly.
Live and breathe respect for people’s data, ensure your entire team understands the spirit of GDPR so they can make the right judgements in terms of keeping people informed about how their data is used and the importance of data accuracy and security, and, crucially, abide by your data protection policy.
There is obviously more to it than that but I believe if you consider compliance in terms of the three areas above you’ll be off in the right direction. GDPR compliance is not a check-box exercise, it’s a journey and one that will continue after 25 May.
Legitimate interests as a force for good
So, why do I believe GDPR has the potential to be a force for good in PR? Well, remember above where I mentioned there are other conditions beyond ‘consent’ that allow for processing data? Of the other five conditions I’d like to focus on one called ‘legitimate interests’. Put very simply, legitimate interests means that if the processing of personal data is a fundamental part of your day-to-day business, without which you would not be able to function, then you should be allowed to continue to do so.
It is my belief a fair and reasonable interpretation of GDPR is that PR agencies and in-house PR departments would be exercising a ‘legitimate interest’ in storing and processing journalist data, and contacting journalists to provide relevant information. It is this basis upon which media database companies like ResponseSource will operate too.
It is important to understand ‘legitimate interests’ is not a ‘get out of jail free’ card; all other aspects of the GDPR rules need to be complied with – for example only processing relevant data, keeping data up-to-date and acting on change or delete requests swiftly and efficiently. (I have to say at this point that this article does not represent legal advice, though I am committed to the points I’m making here.)
So, here’s the thing in terms of a force for good in the industry. For the PR industry to use legitimate interests as a basis for storing and processing journalists’ data, it needs to ensure that the personal information held is used in an appropriate manner, that is to supply material to journalists that is relevant and useful.
Under GDPR, lazy, scatter-gun PR – launching long-winded generic pitches at thousands of journalists – is likely to chip away at the foundations of using legitimate interests to process data and could bring the ICO under pressure to use its enhanced powers to rein in our industry, with potentially negative consequences for PR, journalism and society as a whole.
Consider the alternative. If PR professionals across the UK have to get specific consent from every journalist for every client and every campaign (granularity of consent is built into GDPR), then this will be disastrous for PR and I believe disastrous for journalism – and democracy – too. PR would be suffocated by administration and no journalist has the time to respond to every consent request (they’d still be bombarded, with consent requests rather than irrelevant pitches). The end result will be a substantial barrier to access to the media, a terrible hindrance to the ability of journalists to report fairly and comprehensively on what is going on in society and hold those in power to account.
Remember, access to the media should be a right not just for big corporates but small businesses, charities and pressure groups too – organisations of all types and sizes.
As an industry we must respect the privilege of ‘legitimate interests’ and operate in the most professional manner. Among other things that means keeping journalist data up-to-date, accurate and secure, refining press lists so what is sent is relevant and useful and responding swiftly and effectively to requests by journalists to amend or delete details.
The result is a professional industry we can all be proud of. We’ll have GDPR to thank for that.