GDPR for Public Relations: Have You Done Enough?
After it was first officially announced two years ago, GDPR has now been rolled out. The new regulations mean a shake up for many businesses in the way that they handle personal data – and things are no different for those working in PR.
The changes set out under GDPR can seem a little complex, so with this in mind we’ve put together this guide with the aim of answering any questions you have regarding staying compliant.
What Exactly is GDPR and What Changes has it Made?
The General Data Protection Regulation was created by the EU to establish harmony across data protection laws in all of the member states. This will make it simpler for companies and bodies to determine what they need to do to comply, as well as enabling regulators to establish when laws are broken.
The biggest goal for the regulations is to offer citizens of the EU increased control over the ways in which companies are able to use their personal data. Under these rules organisations must now gather explicit permission before they can process personal data, and they must also detail exactly why they are asking for the information, how it’s going to be used and if there are any other companies or bodies that will be using it.
GDPR also gives individuals the rights to see what information about them a company is holding, and requesting that they be ‘forgotten’.
What Does ‘Personal Data’ Refer to?
Under GDPR, personal data means any type of detail that could be used as identification of an individual. This therefore includes things such as name, passport or national insurance number, or address.
In order to keep up with the advancements in technology, it also includes data such as cookie information and email addresses. There are also special categories of data which include more sensitive factors such as genetic and biometric data.
Data relating to particular organisations isn’t subject to the same rules as it’s non-personal, so for example if you used a database to find a list of companies in Spain you’d still be compliant unless it included personal email addresses.
Do I Need Consent?
Whether or not you need consent to use personal data in your organisation will depend largely on what you plan to do with it. For example, if you’re using a business database to find a journalist’s email address to send them a press release that is relevant to their interests, this could potentially be classed as legitimate interest, which is one of the bases for allowing data processing without the need to gain consent first.
If you need to use personal data for less relevant marketing purposes however, then you will need to gain consent. This must be explicit and freely given, so no pre-ticked checkboxes or opt-out systems for example. Instead, you should set up a system that utilises double opt-ins, and make sure you inform users exactly why you’re asking for this data and what your organisation is going to do with it. You should keep a record of every permission you get in order to be able to prove you’re adhering to the rules, should you ever need to.
An important point to note here is that you can only use the personal data for the purpose that you originally agreed with the individual. For example if you gathered data about someone through a booking or transaction you can’t then use this data to market to them – you’d need their permission for that basis as well.
How Will My Press Lists be Affected?
The personal data held in your press release ultimately still belongs to the journalists involved, so you are therefore not allowed to hand over this information to other companies or organisations without having asked for the journalist’s explicit permission first.
It’s also important to remember that you cannot reveal any data that may identify a member of your list, so mentioning names or email addresses etc will not be permissible.
Now more than ever it’s a good idea to tighten up your press list and only add those who are likely to have a genuine interest in the content you’re sending out. This will ensure you’re following regulations and also not at risk of being targeted by angry journalists who feel they’re being spammed.
Will GDPR Have a Negative Effect on PR?
While it may seem like a headache having to implement these changes to be fully compliant with GDPR, ultimately the new rules should be viewed as a chance for the PR industry to provide higher quality and more personalised content.
Using legitimate interest as a way to enable your organisation to process personal data will mean that you’ll have to target relevant individuals – and this not only benefits the recipients but the industry as a whole, as spamming low-quality and irrelevant press releases will hopefully become a thing of the past.
How Can I Prepare My Team?
It’s possible that you may need to appoint a Data Protection Officer in order to be compliant with GDPR; the main types of organisations who must do this are those that process personal data on a large scale and those who carry out systematic monitoring of a large audience.
Even if you don’t need a DPO, it’s a good idea to have someone in your organisation who is heading up your data protection activities, in order to keep things running smoothly and to answer queries from other employees.
You should also make sure you’re team are prepared for GDPR by giving them the training they need to have a solid grasp of what the new regulations mean, what their own responsibilities are, how to spot a data breach and how to report it.
How Can I Keep My Data Secure?
GDPR also means more stringent security measures must be in place in your organisation. Ensure that your current tools and systems are adequately protecting your data, so that any personal data you collect, use and store will be done so safely. If you’re working with a third party you should also ensure that you can share data securely, and that they too are complying with the new regulations.
Every industry needs to ensure they’re compliant with GDPR, and PR is no different. Hopefully this article has helped to clear up any concerns or questions you have about the process, and how you can ensure you remain compliant not just for now, but long-term as your organisation evolves.