By Mark Pinsent, Managing Director, Hoffman Europe
One of my favourite quotes comes from the late Douglas Adams, author of ‘The Hitchhiker’s Guide to the Galaxy’ (though I should stress that I don’t necessarily subscribe to the view, I just like the quote!):
‘I love deadlines. I like the whooshing sound they make as they fly by.’
But while Adams may have had publishers willing to be flexible, some deadlines are difficult to ignore.
Here in Europe we’re hurtling towards the March 29th deadline for the UK leaving the European Union — the infamous ‘Brexit’ — after which none of us has any real clarity about what the short- or long-term effect will be. Without doubt, Brexit is 2019’s headline deadline.
A year ago, we were concerned (though, to be honest, slightly less so) with another impending deadline: that of the implementation of the EU’s General Data Protection Regulation, or GDPR.
In a similar fashion, even with the regulation coming into force on May 25th, 2018, twelve months ago many people were still largely unaware of the potential impact on their businesses, and how they needed to effectively prepare for GDPR. It was critical that they did, however, as the penalties for breach of the regulation can be punitive: up to a 20 million Euro fine or 4 per cent of annual turnover.
What is GDPR?
The goal of GDPR is a positive one: better protection of the personal data of individuals (in the European Union). In simple terms, it does this by regulating the processing of personal data by an individual, company or organisation. In reality, this gives individuals more transparency and understanding of how their data is being collected, stored, used and shared, and an ability to control this.
And just because GDPR is an EU regulation, and specifically designed to protect the personal data of those residing in the EU, it doesn’t mean that organisations based beyond the EU’s borders are exempt. If the data held relates to an individual who’s in the EU, GDPR applies.
Many businesses, of course, rely on collecting, analysing and using personal data to succeed — for instance in marketing and customer service — and the concern was that GDPR would see this ability significantly limited, as consumers opted-out (or declined to opt-in) to their data being collected used in these ways.
A fundamental part of the function of public relations — particularly on the PR agency side of the fence — relies on the collection, storage and use of personal information for media relations. The ability to generate earned outcomes inevitably relies on the ability to contact journalists, analysts and influencers, which implies the creation of media lists and databases holding personal data about these individuals. The worry was that in needing to seek the consent of these critical audiences to retain their data, many would take the opportunity to rid themselves of the burden of a bulging inbox and opt-out.
In reality, a couple of things have helped here: the admittedly rather grey area of ‘legitimate interests’, and the increased use of third-party media database providers.
How can PR agencies ensure they act in compliance with GDPR?
The concept of ‘legitimate interests’ is a useful one. Essentially it means that if an organisation can claim to need to process personal data in order to do its job, then it should be allowed to do so (though not that this negates any need for transparency in the data they capture and use, nor the ability for individuals to choose not to have their data kept and used).
But clearly, for PR agencies, there’s an obvious case to claim legitimate interests in gathering, storing and using journalist, analyst and influencer data in order to carry out their work. The UK’s Information Commissioner’s Office provides guidance on legitimate interests and suggests a three-part test to establish the case for legitimate interests. While this guidance is general to every industry, Daryl Willcox, founder of ResponseSource, looked at it in the context of PR, including creating a template legitimate interests assessment for a PR agency carrying out media relations. Handy stuff.
Many PR agencies have outsourced the task of media database creation and maintenance to third parties. Cision, Meltwater, Roxhill Media and Vuelio are just a few of the providers of comprehensive media databases, investing numerous man hours in keeping thousands of media relations contacts up-to-date and available to their subscribers.
Through their services, PR agencies can search and find the journalists’ details for contact, building media lists and pitching content. As you’d expect, given the nature of their businesses which rely on the collection of personal data, these service providers need to be entirely buttoned down on GDPR compliance. Any discovery that they weren’t would probably be ruinous.
Given the central role that personal data plays in their businesses, of course, you’d expect they would also have a strong claim on the above-mentioned legitimate interests. They provide guidance and content regarding GDPR, their policies and compliance: Cision’s is an excellent example. It’s also useful and interesting to read its data privacy notice for journalists and influencers. While some may read this and wonder why anyone would ever agree to be part of the database, clearly the media understands the benefits of allowing themselves to be contacted by PR agencies. Which is a relief …
Impact of GDPR on media relations
As a customer of the media database providers, I’m also very aware of the efforts they make in ensuring that users of the data also understand their own responsibilities (and the associated risks) in accessing and using that information. In using personal data — even when gathered, updated and managed by a third party — we as PR agencies become processors of that data, which then requires compliance with GDPR.
It’s also obvious to say that taking personal data from the media database and sharing this with others without the explicit consent of the individual (and, indeed, that of the media database provider) is very much prohibited, by both GDPR and the contract between the media database provider and the PR agency. In many ways this is a useful thing: there’s a legitimate reason why we as PR agencies cannot share personal data regarding journalists with, for instance, our clients. Further, it’s not unheard of for a newly appointed PR agency to request the client’s target media list from the outgoing PR agency. As you can imagine, this is always a bone of contention! Now there’s a clear and legal reason to deny this request.
Another interesting impact of GDPR has been in relation to events. Many of our clients still attend hundreds of events around the world, from huge shows such as CES and MWC, to small, specialist events. The media is often also in attendance and register themselves in advance with the event organisers to ensure complimentary access to the event and resources. In previous years, it’s been possible for clients and PR agencies to receive a copy of the registered media list, including contact details.
While this was incredibly useful — being able to identify relevant media who were definitely attending the event — GDPR has firmly closed the door on this. In theory, when registering media for their event, organisers could ask for their consent for contact information to be shared beyond their own walls, there’s little incentive for them to do so. While this obviously doesn’t reduce the opportunity to engage journalists, analysts and influencers at events per se, it does introduce an additional cycle of work, proactively contacting media to find out if they’re actually attending the event, before presenting the opportunity to meet a client to those who are. Additional time, requiring additional budget.
An example of the tightrope to be walked in relation to GDPR and events came up recently in the Hoffman office. On being told that we wouldn’t be receiving a media list for an event, a team member was heard to mutter, ‘I wonder if we’ve still got last year’s media list … ?’ (We didn’t, just to be clear).
Positive effects of GDPR on PR best practices
Despite the time and cost in organisations needing to understand and prepare for GDPR, and ensure their ongoing compliance, we should all agree that it’s a good thing. Few of us are growing less concerned about how our personal data is collected and used, and by whom, so moves to ensure transparency and control should be welcomed.
A knock-on impact of GDPR for PR agencies should also be the promotion of good behaviour and discipline in communications, whether with third-party influencers or end customers themselves. Journalists recognise the need for PR agencies to help them do their jobs. What they react against are poorly considered pitches that don’t take into account their specific areas of interest and focus, or general, scattergun approaches that border on spam. If GDPR has increased awareness of an appropriate use of personal data then again, it will have had a positive effect.
While the detail of GDPR can be seen as complex, its core principle is a simple one. If it hasn’t already done so, any organisation dealing with the personal data of EU residents in any way should take appropriate advice and action to ensure compliance. PR industry body organisations such as the PRCA and CIPR also provide useful guidance (only to members in the case of the latter).