GDPR: Top 10 to-dos for PR Pros to remain data protection-compliant
Successful PR and Marketing activities depend to a large degree on the ability to build and maintain meaningful and valuable relationships, digitally or personally, and being perceived as trustworthy. As all such relationships run on personal data, such as biographical or contact data, which is subject to the new European Union’s General Data Protection Regulation, coming into effect May 25th, 2018.
From that day onwards, brands for example won’t be able to use personal or personally identifiable data unless they have the explicit permission to do so. Fines for breaching the GDPR can go all the way up to €20 million ($22.5 million), or 4% of global turnover, whichever is higher. Next to the financial impact, there is a possible reputation fallout to consider as regulators have made it clear they intend to go after high-profile brands to force businesses to comply. Consequently, nobody working in PR - or in related fields such as Marketing, Media or Advertising - can ignore the far-reaching impact the incoming GDPR will have. We've put together the top 10 recommendations to get you GDPR-compliant:
1) Respect data privacy
The personal contact or biographic data of a journalist or social media influencer doesn’t belong to you as the PR pro, it belongs to the individual journalist and he/she has rights. Remember to be pro-active about it as the responsibility (and possible fines) rests with you.
2) Manage personal data
It doesn’t matter if you work with an external media database provider or an internal Media Research team. You must understand what data you’re gathering and also classify it. Make sure you understand where it’s held, how it is kept and how & when to delete it. Also, back it up, anonymise it or encrypt it. Do whatever you must, just don't avoid managing it.
3) Don’t spray and pray
Now more than ever, In the name of relevance, avoid abusing personal data by sending irrelevant content to large numbers of recipients. Rather, ensure you work with an up-to-date list of journalists or influencers and apply a very personalised approach in the selection of your communication targets as well as your communication strategy and tactics overall.
4) Gather consent & keep proof of it
Communication professionals can no longer fly under the radar and assume tacit approval when sending out press releases or other types of content. If you use personal data, consent by the individuals in your communication campaigns must be “freely given, specific, informed and unambiguous”. Also, records of given consent must be kept whether they may be in the form of audio recordings, paper trails, digital checkboxes or web forms.
5) Secure management buy-in
Ensure proactive engagement of your organisation’s administration and C-level as both must be aware of GDPR’s impact, supportive of the task at hand and also financially sponsor the implementation.
6) Name a champion for personal data
Many but not all organisations are required to formally appoint a Data Protection Officer. But, even if you don’t need one, best practices "demand" to have a data champion to drive knowledge management projects and have a competent go-to person for internal and external queries.
7) Secure your digital infrastructure
Don’t leave it to chance and map and secure all systems processing personal data. Establish robust access controls and profile management and ensure you have processes in place to review software licensing, guarantee patch management and identify any threats. Be prepared for external hacking or internal leaks by having mechanisms to identify possible data breaches and having solutions to act on it.
8) Be transparent
Be open about your processes and don’t treat it as a secret. Your influencers, customers and other stakeholders will trust you as long as you prove to be trustworthy. The paradigm of data management in today’s information society requires a high degree of transparency as opposed to secretive marketing and business intelligence procedures.
9) Train & prepare your team
The best way to protect anything really is to only share it with people who know how to handle it and that we trust.
10) You can’t run… and you can’t hide
GDPR affects all companies as any organisation processing any level of personal data of EU resident citizens, whether these are journalists, social media influencers, clients or staff.
Recommended further reading on GDPR:
1) Ernst & Young LLP: EU General Data Protection Regulation: Are you ready?
2) Pat Clawson, CEO Blancco Technology Group: An interview on organisation readiness
4) Mimecast - Download Forrester Research brief: You Need An Action Plan for GDPR
5) Ardi Kolah LL.M Executive Fellow & Co-Director, GDPR Transition Programme: “The next big personal data attack waiting to happen…“
6) Martin Sloan, Partner, Brodies LLP Cyber Risk, Data Protection and the GDPR: Why Senior Management Should Be On Board