"GDPR will enable brands & PR pros to establish truly meaningful relationships"
The incoming EU data protection regulation will fundamentally alter the relationships PR pros and other communication professionals build and maintain. In our second interview with data protection expert Filipe Pereira, we spoke to him about the challenges and opportunities that lie within this legal change. You can find the first part in this interview series here.
How well prepared are PR pros and other communication specialists today with regards to the incoming GDPR?
As always, when it comes to European legislation, it varies from country to country. There will be PR and communication pros that are already aware and have the required mindset, either because they operate globally or because it’s a reality they're already facing within the context of their respective national legislation, for example in Germany. Those operating in countries less aware of security compliance and data privacy will struggle more and must put more effort in to properly prepare.
In your view, what are the main challenges of implementing GDPR-compliant processes for communication pros?
To ensure compliance, any communication professional must guarantee that their operations, their agencies, their clients and their media data & tech suppliers make certain that any personal data handled will have been obtained with consent, that proof of such consent is kept and is readily available and that personal data is being processed lawfully at all times. This will require a review of all of their current workflow processes where personal data is used.
As the risk of data mishandling starts within, it’s of utmost necessity that all employees undergo specific training to get the required level of competence and awareness to avoid data leaks or theft. One of the most challenging tasks at hand will be to get the sponsorship from management and the buy-in from other heads of departments, including HR since it will be costly and difficult to change employees' mindsets accordingly. As for subcontracting, any service purchaser (controller) will be responsible when facing individuals and authorities, and service providers (processors) now share that responsibility. Moving forward, subcontracted agencies will not be able to 'hide' behind e.g. their data suppliers or their clients when faced with a data protection complaint. The data supplier and the agency using purchased personal data will both have to make sure the data is lawfully used. Data protection agreements and safeguard clauses will need to be added to all contracts to ensure a common and full understanding of how to handle personal data is achieved.
The European Commission believes GDPR will stimulate innovation - how so?
The evolution of the concept of data privacy pushes organisations to become self-aware and fully structured with regards to their internal processes as well as inclined to become fully digitised. The information mapping and risk assessment, alongside the implementation of privacy by default and by design, will empower organisations to better identify their gaps and strengths, being able to derive knowledge from their dormant data.
As for examples… Several databases scattered all over your business will become centralised and – even better – managed allowing for a truly and more effective CRM output. What used to take weeks to follow up on a campaign targeting 40 thousand clients - which didn’t want to hear from you - will now become a much more productive project requiring days to reach out to an opt-in attentive database of 5 thousand clients which not only want to hear from you but will most likely establish a trusting enabling relationship. The need and quest to accommodate individual concerns and provide what is perceived as personally tailored services, will push brands to become more innovative and competitive.
How should PR and corporate brand teams prepare for the new legislation?
They must most definitely adjust their mindset and outlook to become transparent and open with regards to data processing. It’s no longer about convincing consumers without them realising it. It’s about the brands establishing real and meaningful connections.
Can you give some practical examples of how daily operations of a PR agency or a multinational brand team will have to change?
Marketing teams need to ensure they work with an opt-in contact database prior to the launch of campaigns and be prepared to answer any requests, for example through front office staff, from data owners in a timely manner to access, edit or remove personal data. With regards to Internal Communication, it becomes necessary to ensure staff’s buy-in and appropriate behaviour. As for Corporate Communication, this will become a “must have” item on the Reputation & Crisis Management menus.
GDPR empowers consumers to manage their personal data more securely and effectively - what does that mean for a company’s risk management such as the handling of data breaches?
It means that there’s little room for oversights or negligence. Even less for non-preparedness. If that was not the case before, then now each consumer is a proactive stakeholder, one that needs to be kept informed and content, not just about services or products.
The best way to manage data breaches is of course to prevent them or at least be in the position to identify these before clients or other possibly impacted parties do.
What does GDPR mean for communication pros within the EU versus companies located outside the EU?
If companies handle personal data of individuals residing within EU territory, it means exactly the same regardless where these professionals are based. For those operating outside the EU, you could argue that a different set of rules apply and therefore you can segment accordingly to facilitate processes. In reality you would just be adding an extra layer of complexity to your data management. Having in mind that such data privacy legislation and some of these novelties (opt-in consent requirement) are not particularly original (Peru, Mexico, Uruguay, Colombia) you’d be better off by aligning these rules to your entire datasets and processes. This is a non-stop train with a well-defined terminal station.
What impact will Brexit have, if any?
None. British legislation was already pointing to similar changes and the decision of the country's Parliament will most likely follow GDPR even when only targeting UK-based consumers. No matter what happens, these changes have been considered after evaluating the digital world which does not conform with borders or nationalities.
What is the Privacy Shield framework and how does it relate to GDPR?
In brief, the EU-US Privacy Shield was designed to be a legal framework for transatlantic data flows replacing the Safe Harbour agreement. This framework aims to protect the fundamental rights of EU citizens where their data is transferred to the United States and ensure legal certainty for businesses. However, the proof of requirements within the GDPR and the change of mindset of consumers will not let the whole certification process be handled by a generic EU/US agreement. Meaning, there will be consumers that will be hands-on, following their personal data flow to the extent that a Privacy Shield agreement is not enough to guarantee compliance. In order for the current Privacy Shield agreement to maintain relevance, it has to adjust itself and become much more specific in terms of its certification process.
What will be the long-term effects of GDPR?
GDPR will help form a society that fully embraces a digital world. A digitised European mindset that will allow for a much more fast paced and equally fast evolution. As mentioned already, the changes of attitude towards digital are not only being experienced with data privacy – despite being the most visible and individually felt – we have been experiencing it for years already with products, services, transportation and health. The only thing missing was to check ourselves in the mirror and wake up to this new world. GDPR is a small step in that direction. And as communication is part of who we are, GDPR strikes a chord and resonates in our core as individuals. PR pros have yet another opportunity to demonstrate how relevant they are going beyond advertising and establishing the meaningful relationships brands will be so desperate to maintain. Where are we aiming at? The beginning of a new beginning.
This second part ends our GDPR interview series. You can find the first part here. The team at pr.co thanks Filipe wholeheartedly for this interview!
About LCG Consulting: LCG provides consulting services, with multidisciplinary skills in the areas of strategic and operational management, information systems, decision management support and business intelligence, finance and accounting, legal and incentives. You can find more information about the company on their website or on their pages on LinkedIn or Facebook.
About Filipe Pereira, Head of Digital Lead & Protection at LCG - Filipe has over 10 years of experience in communications' consultancy, over 5 years of experience in data management and heads up LCG's digital compliance team. You can connect with him via LinkedIn.
Recommended further reading on GDPR:
1) Ernst & Young LLP: EU General Data Protection Regulation: Are you ready?
2) Pat Clawson, CEO Blancco Technology Group: An interview on organisation readiness
4) Mimecast - Download Forrester Research brief: You Need An Action Plan for GDPR
5) Ardi Kolah LL.M Executive Fellow & Co-Director, GDPR Transition Programme: “The next big personal data attack waiting to happen…“
6) Martin Sloan, Partner, Brodies LLP Cyber Risk, Data Protection and the GDPR: Why Senior Management Should Be On Board