What does the EU GDPR mean for the PR industry?
Uncategorized
Posted 17 May 2018
The clock is ticking – on 25 May 2018, the General Data Protection Regulation (GDPR) will take effect! It establishes comprehensive guidelines on personal data stored and processed in the EU. It is intended to strengthen consumer rights. The GDPR has a major impact on PR and marketing departments, as they deal with personal data of journalists and their processing every day. With the introduction of the GDPR, the processing of data and communication with journalists is thus subject to completely new guidelines. It should be noted that the law affects not only companies in the EU, but also all companies that process data from EU citizens.
In the processing of data in the PR sector, the aspects of a declaration of consent and legitimate interest play a particularly important role. The declaration of consent distinguishes between explicit and implied consent. The explicit declaration of consent presupposes that the respective journalist made a declaration of intent in which he or she agrees to receive information. This is possible, for example, within the framework of an opt-in procedure. The implied consent includes all contact information published in the imprint of the medium, on the medium’s website or on your own website. The burden of proof of the GDPR states that one must be able to prove at any time that the person has consented to the use of the data. This consent must have been given obviously. Complicated terms and conditions with hidden clauses do not count as obvious consent. In addition, there must be a legitimate interest for the journalist in order to be contacted. The interests of the journalist must be weighed against whether he can expect his personal data to be processed by the company.
Furthermore, the GDPR states that the collection of personal details must underlie a defined, clear and legitimate purpose. Any further processing of the data for any other purpose or collection without a specified purpose is already a data infringement.
Another important point is the storage of the data. Press distribution lists are often outdated and stored unprotected. If press releases are sent to outdated or incorrect contacts, this counts as advertising or spamming and thus as a violation of the law. Therefore, the new EU regulation recommends central storage of distribution lists, regular assurance of relevance and topicality as well as password protection. If a journalist has asked to be removed from the mailing list but another person in the department contacts him or her again, this may already be a breach of the law. The new regulation also requires companies to be able to check immediately what data has been collected and where it is stored.
In addition, companies are required to be even more transparent: as soon as a customer or journalist asks which data of him is stored, information about it must be provided to him. In addition, if consent to the storage of data was originally given, this can be revoked at any time. Therefore, it must be possible to completely delete the data.
Another point is the data minimization regulation. Data processing must be limited to the bare essentials. Information that is not relevant, such as a journalist’s date of birth, must not be stored.
However, all this information and preparations are useless unless employees are trained and prepared. They must be aware that routine tasks, such as sending mass emails, must change as of May 25.
In case of a data breach, it is helpful to have an emergency plan. If stored data has been leaked in any form, the case must be reported to the data protection authority and, if applicable, to the persons affected within 72 hours.
Many companies have still not taken the appropriate measures. A study in mid-April showed that 87 percent of German companies have not adapted their processes to the EU GDPR yet. However, there are serious consequences if companies fail to fulfil their obligations: They must be prepared for fines of up to 20 million euros or four percent of the worldwide previous year’s sales in the event of data protection violations. To prevent these big penalties, PR and marketing companies should act as quickly as possible and adapt their processes to the new requirements.
Although there is a general negative attitude towards the GDPR, there is a chance that the consequences of the new regulation make space for a better PR industry, which only contacts journalists when the content is relevant. PR professionals should, therefore, perceive the GDPR as an opportunity to optimize their internal and external communication.
– This article was written by Christine Gierlich, Account Manager at HBI
