GDPR for PRs: How to Get Ready for May 25th
In the (slightly misquoted) words of Justin Timberlake ‘it’s gonna be May’, which in 2018 means only one thing: GDPR regulations come into force across the UK. Unsurprisingly for an industry that relies on contacting journalists, sometimes cold, with pitches, this news has thrown the PR industry into something of an all-out panic. I even came across a great quote from ResponseSource founder Daryl Wilcox, who’d been forced to quash rumours that “the new regulations were specifically aimed at PRs because of the inclusion of the letters ‘P’ & ‘R’ in GDPR.”
This handy guide is aimed at all PRs worried about the impact GDPR could have on their business, busting certain myths and giving you a handy checklist to stay one step ahead of the game.
What is GDPR Really?
For those of you who snorted coffee out of your nose with fear on reading Mr Wilcox’s above quote, please don’t worry – GDPR is not solely aimed at PRs, or in fact the marketing industry. It’s a blanket EU ruling designed to monitor who holds personal information on other private individuals, and how that data is stored and shared.
For anyone who’s been keeping an eye on the recent Cambridge Analytica scandal, or had a call about a car accident that wasn’t their fault, this should actually be a relief. You’d also be right to relax, as these are arguably the kind of activities GDPR is designed to rein in, rather than above-board PR activity. To understand how this might then apply to PR teams, let’s look at the full wording of the first four clauses of the ruling:
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
While that might be all Greek to you if you don’t speak fluent legalese, it’s actually pretty simple. In short, any personal data your company might hold needs to be:
- Collected fairly (i.e. not stolen) and with some level of notice to the individual.
- Used for ‘legitimate purposes’ you specified you would be collecting it for, and not anything additional or underhand.
- Only relevant to what you need it for (e.g. if you want to add them to a mailing list, you need a personal email, not a phone number.)
- Right. Or, in other words, up to date and factually correct!
Other clauses expand upon how long data can be stored on your systems (basically only as long as you need it) and how it should be stored safely. So far, so simple, right?
The grey area in which PR gets caught is that “legitimate purposes” wording. We know that PRs need access to a wide database of journalist phone numbers and emails to strike up relationships and maintain contacts in order to place stories. We also know that the only contact details usually available are generic news desks, which could see your carefully crafted pitch fall into a slush pile from which it will never return. But are we still able to store that data, and share it with others in our team who don’t yet have their own little black books?
The answer is…maybe. In the UK, it will be the ICO who decide how to translate the GDPR into rules that can be applied to UK activity, and they have yet to confirm how they’ll actually do that. However, it’s arguable that PR doesn’t need to worry too much: as we often contact journalists to pass on news or product launches they want and need to show consumers to keep their engagement high, we have a more symbiotic relationship than in other cold-calling industries. It should be apparent to governing bodies that the news cycle can’t just grind to a halt in four weeks’ time, which can lead us to the assumption that PR’s storing of journalist contacts has a ‘legitimate purpose’.
However, before you breathe a sigh of relief and click away from this article, it’s worth remembering that none of this is yet certain. To protect yourself and your team from any complainants or breaches, it’s worth following the steps below.
Preparing for GDPR: A Step-by-Step Guide
- Check the compliance of your suppliers, including their security and how they obtain information. Journalist databases should all have records of this to shore up their own compliance – simply ask your Account Manager for a copy of their data policy.
- Ensure your own databases are accurate, safe and secure. This means the dreaded day on which you need to clear out all of those Excel media lists hanging around on the internal server is finally upon you, but you should also ensure that information on third-party CRMs such as Buzzstream is up to date. To be really safe, delete all media lists wherever you find them.
- Consider publishing a data transparency policy. If you’re working for a big corporate, this is likely something you already have, but if you’re at a small independent, it might be worth talking to your Manager or Senior Management Team about pulling one together with Legal.
- Ensure there are data protection processes in place for your team, and that they understand them. You can’t measure accountability if no one really understands what they’re accountable for. Work with HR to draw up some updated training on data protection with your team, and make sure there are simple step-by-step instructions on storing and handling data that even the most junior member can follow.
- Take spam off the menu. If a PR agency or team does come under fire from GDPR regulators, it’ll likely be because there’s been a complaint against them from a contact. The easiest way to avoid this is by just stopping the spam, including mail merges, follow-up ‘blasts’ or impersonal emails. If you are still doing any of these things, you may also find that your conversion rate improves when you stop it!
- Review what information you share with third parties, including clients and partner agencies. While you arguably have a legitimate reason to store a journalist’s name or email, in order to contact them, your client doesn’t if they’re hiring you to do that work. If you’re sharing contact information, whether in presentations or media lists, now would be a good time to stop.
- Don’t panic! GDPR is certainly a new ruling, but it’s not been designed to bring the PR industry to its knees. While it’s important to defend yourself against any potential fall-out there could be, the overwhelming likelihood is that life will just continue as normal, albeit with a few fewer calls about mis-sold PPI. And who could say fairer than that?
Whether or not you’re feeling prepared for the 25th May, or just looking for some more information on how to move PR forward for your business on a more general level, email email@example.com. We’re also happy to meet for a coffee and a chat!
Casey Paul, 01/05/2018