PR Firms in the Crosshairs of Data Protection and Regulation
GDPR is here, at least in Europe, and early adopter states in the U.S. are following quickly behind. California and Colorado are two states that have employed GDPR-like policy, though with a bit more sensibility than the harsh and sometimes vague guidelines of GDPR. Others are falling in line too, as this article reports. The bottom line is that the way we use data will never be the same. Marketing communications firms are in the thick of this changing landscape and should be aware of the implications.
There are enough pages of GDPR legislation to make your head spin. Few outside of the legal and governance fields have even skimmed them. But there are good summaries available. For example, Luke Irwin of IT Governance outlines the 6 data protection policies of GDPR:
“1. Lawfulness, fairness and transparency
The first principle is relatively self-evident: organizations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects…
2. Purpose limitation
Organizations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose…
3. Data minimization
Organizations must only process the personal data that they need to achieve its processing purposes…
The accuracy of personal data is integral to data protection… Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
5. Storage limitation
Similarly, organizations need to delete personal data when it’s no longer necessary…
6. Integrity and confidentiality
This is the only principle that deals explicitly with security. The GDPR states that personal data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measure.’”
GDPR apparently enjoys working with the number ‘6’ because there’s another important list to consider. This one is concerned with how any organization such as a PR firm can legally comply with GDPR or state laws in light of existing data collection and usage practices. There are six ways that companies can avoid the scrutiny and wrath of regulatory organizations relative to GDPR. According to the blog, Signatureit:
“1. With the individual’s unambiguous consent
Under the GDPR, one of the lawful ways to process the personal data of European Union residents is by obtaining the consent of the data subject, and it is the characteristics of this consent that are one of the main new features introduced by the Regulation…
The main problem posed by this new legal regulation is that consent previously obtained in one of these ways must be collected once again.
2. Contractual obligation
This applies when the processing is related to the parties to a business, employment or administrative agreement and is required to maintain or fulfil the agreement.
3. In the legitimate interest of the data controller
When the processing is necessary for compliance with a legal obligation of the data processor, as long as this is not overridden by the interests or rights and freedoms of the data subject, bearing in mind the reasonable expectations of the subject based on their relationship with the data controller…
4. In the vital interests of the data subject
In this case, the processing is necessary to protect the vital interests of the data subject or another physical person…
5. In the public interest
The processing is required for the purpose of fulfilling a mission carried out in the public interest or in the exercise of public powers conferred on the processor. For example, schools may obtain a central sex offenders’ registry clearance certificate, which is required for everyone who works with minors…
6. In compliance with legal obligations
It will not be necessary to obtain consent for processing personal data when this is required for the purpose of compliance with the legal obligations of the data processor who has collected the data…”
So what does this mean for PR firms? Most, in fact the clear majority of them, fly under the radar of GDPR and U.S. state regulations (so far) due to their size or revenue. As IAPP points out, GDPR generally limits its regulation to firms over 250 employees (there are few exceptions), and California’s law, for example, applies to businesses that (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information. The above law is enforceable in California and applies to data subjects there, but given the nature of data processing, most companies will need to consider whether to apply the rules to all users.
It is understood by the experts in compliance that neither the European Union nor individual U.S. states are out to shut down small businesses. Rowan Fogarty, COO of Vigitrust, a world leader in compliance, helped put this in context when I spoke with him recently. Rowan explained that the primary purpose of GDPR is to prevent the misuse of consumer data that was collected for one reason and then used or resold for a different purpose. Those are atypical circumstances for the PR world. But beware if you fall into a category of marketers or specialized PR firms that use data this way.
Nevertheless, he pointed out that almost all PR firms could be held liable by association. Most firms use at least one third-party database containing large numbers of reporter names and information. Most regulations consider responsibility for the use and management of information from third parties to be shared by the compiler and the user. That means you and me in the PR world. Therefore, you should check and recheck that your database suppliers are compliant with GDPR’s very strict standards, since a portion of their data will likely cover European media.
The larger media database providers are not unfamiliar with GDPR. Typically, they’ve been planning for this and proffer a new lengthy and not-so-sweet ‘understanding and liability agreement’ which is often easily check-boxed on their site but contains a wealth of warrants and representations that you probably don’t want to know but really should. Read it, then read it again and have it checked by an attorney.
There is a tendency for the holder of data to want to claim “implied consent” by constituents, which in our world means media and analysts. Fogarty warns above all else not to fall for this. “You’re opening a can of worms by even suggesting that this is defensible. You’re asking for a full-on investigation and good luck defending on the basis of implied consent.” Perhaps the most plausible basis for any PR firm or third-party database company would be the legitimate interest of communicating with the media and therefore the need to hold their data. However, since this is also open to interpretation, and with an enormous amount of media data held by PR firms, there should be an internal policy to manage the data.
Data laws are evolving rapidly. To say that legislation is changing weekly would not be an exaggeration. One never knows when regulation will land squarely in his or her corner. Therefore, precaution is in order. My suggestion is that PR firms follow a (yes, you guessed it) 6-step process to protect against scrutiny.
- Determine how you have consent for the data you hold. Is it legitimate interest or are you asking for agreement from the media?
- Have a policy. Develop one that is reasonable and defensible. In that policy, specify what information is being held, why it’s being held, and for how long. Include how the information is used, why you have the right to hold it, and what you do to secure it during use and once deleted.
- Write the policy down, explain it to your staff and ensure that they understand and comply.
- Check with third party vendors to understand their policies, and compliance, liability and consent agreements.
- Have IT find solutions for data integrity, storage and transfer, and live by that process.
- Perform quality control and check for internal compliance periodically, and not infrequently.