Most organisations today should be GDPR compliant already. And hopefully, most organisations will avoid the fines and embrace the opportunities that GDPR will bring to the PR industry. However, only time will reveal the actual impact these regulations will have on businesses.
The definitive GDPR compliant checklist
Even if you’re a small business, you won’t be exempt from the rules. Making sure you know the facts is essential. Don’t make the mistake of thinking that GDPR isn’t relevant; not complying with it could result in a substantial financial drain on your company.
Streamlining and protecting data will not only have benefits for the people you work with, but it will also be critical to the relationships you build and grow with journalists. Being transparent about what data you hold on them, and protecting that data, will build trust and strengthen working relationships.
How to be GDPR compliant
1. Update your privacy policy
Make sure your privacy policy is up to date, with specifics stated such as:
- The data retention period
- The identity of the controller
- The purposes of data processing
- Who will have access to that data
- Data transfer policies
- An overview of the right to request
- Consent withdrawal
- How to lodge a complaint
Make sure it’s in a visible place on your website for individuals to reference at ease.
2. Define your legal ground for processing data
Ensure you have defined the legal ground for processing data, whether that’s consent or legitimate interest. Also, ensure you have the documentation should you need to prove compliance. If you opt for the legitimate interest route, ensure you carry out a Legitimate Interests Assessment (LIA) and that it’s available for everyone in your organisation to reference.
Note, however, LIA may not apply to your organisation either.
3. Handle deletion requests
Ensure you have a formal process in place for deletion requests from individuals and that everyone in the organisation is clear as too whose responsibility it is to remove data.
4. Audit third parties
Are they GDPR compliant? It’s not enough to assume that third parties and suppliers are compliant — you need to ensure that they too adhere to the new regulations. Audit your vendors/sub-processor for GDPR compliance.
5. Prepare your staff
Train staff on best practice when it comes to GDPR. Make sure they know your privacy policy, as well as how they should be sharing and storing data. They should also be made aware of how GDPR will affect their day-to-day working. It’s essential they understand that relatively routine tasks, such as email blasts, may need to undergo greater scrutiny to ensure compliance before being sent, once the rules come into force.
If you would like to learn more about the implications of GDPR on the PR and communications industry, please get your copy of “GDPR – The Ultimate Guide for PR pros.”
In communications, the most significant impact of GDPR will be on how the marketing industry operates. Spam mail and obtaining consent before marketing to people are two troublesome aspects. Of course, however, some of this will spill over to PR.
Personal data can include anything from a name or email address to the more sensitive data, e.g., passport information, bank details, etc. But, it’s what you do with this data that is of utmost importance. How do you retrieve it? And what legal ground do you have to use it?
As a communicator, you handle personal data daily. It could be retrieving journalists’ details and email addresses, or sending personalized emails and mass press releases. In short, you’re manipulating data. Under the new regulations, you will need to both process and store data carefully.
Worryingly, many companies aren’t taking the changes seriously. According to PORT.im, only 27% of businesses believe GDPR applies to them, and 7% fail to ask for consent to collect customer data.
How will it apply to the way you work?
You need to give extra consideration to how you process and store data.
- What are you using it for?
- Have you received consent to send the message?
- If not, do you have a legitimate interest to issue it (commercial, individual or societal)?
GDPR also states it must be balanced against the individual’s interests, rights, and freedoms.
A range of lawful ways of processing data exists. Two of these specifically relate to processing data in the PR industry: consent and legitimate interest. Both have been updated to be stricter and more precise than the previous Data Protection Act guidelines.
Consent refers to the recipient giving direct consent to receiving information. It could be via an opt-in, for example.
Whichever legal ground you use, consent or legitimate interest, you must be able to prove that you have legal ground.
For example, sending unsolicited PR content, via a mass e-mail to a list of old contacts, could be seen as irrelevant marketing. Thus, it doesn’t possess any legal ground. And, it could be viewed as an infringement of the new regulations.
How should you store data to be compliant?
Data breaches give cyber-criminals access to names, birthdates, addresses, and other information. For the people involved and for the company’s reputation, it is often devastating. In 2016, companies in the UK lost more than £1 billion ($1.4bn) to cybercrime.
Media lists are common in PR companies, but many are old, unprotected and stored in a variety of unorganized ways. Good practices that may contribute to GDPR compliance include:
- Storing data in a single location
- Keeping data relevant and up to date
- Having password protection and other security measures in place
Also, the rules mean you need to know what personal data you hold and where it’s located (e.g., laptops, mobiles or the cloud). Also, you need to have procedures to remove a person’s data, should you be asked.
What’s considered an infringement of GDPR rules?
Even if you have a good relationship with a journalist, the power is in their hands. If they ask to be taken off a media list, then you must respect this.
If, as a journalist, you reply and ask to be taken off a media list, you are revoking your consent. The PR company has a duty to delete that information. If another PR person from that same company contacts the journalist, then that could be a breach.
Robert Bownes, Founder of Old Street Communications
As part of the new regulations, you have the ‘right to be forgotten.’ If your contact wants their data deleted, you need to comply.
Another breach could take place if personal data is lost or is shared inappropriately with third parties. For example, it could be from media lists or journalist profile information. As such, measures need to be taken to secure data. You could do it by limiting staff access and other security protocols. You should implement best-practice infrastructure to deal swiftly and effectively with any breaches.
Various steps can be taken to become GDPR compliant and protect your company from a breach.
If you need to know more, check out our simple step-by-step guide. Also, find out how GDPR will affect PR. Get your free copy of GDPR – The ultimate guide for PR pros.