Last year I was fortunate enough to help get a GDPR-preparation consultancy (Data Compliance Doctors) off the ground and demonstrate their expertise in the field with technical content for their site – example 1, example 2, example 3. The deadline has now passed, so I thought I’d take a look at how prepared those were and highlight some of how we’ve approached the risks relating to legitimate interest, consent and what is, in effect, marketing to journalists.
The UK’s preparation for GDPR
For the several agencies and in-house PR teams I work with, GDPR has been a big headache. Just what is legitimate interest, and how can you argue that it is in a journalist’s interest to receive it? Just what do you need documented?
And the whole process was made even more difficult by everything being left to the last minute – how do you get consent if you’ve just joined in with the bombarding of GDPR-consent emails that everyone is getting frustrated by?
If you want to see just how late, check out the Google search traffic chart above. In the last month three weeks searches tripled suggesting it was really left until the last second.
Have companies in the PR sector taken GDPR seriously?
I’m not going to go into detail on what’s needed / the implications – that’s been covered elsewhere (notably Daryl Willcox’s excellent blog on Wadds.co.uk) Even some of the major players in the sector aren’t giving the strongest signs that they have prepared well, for example the two media databases I’ve contacted (I won’t name names) still haven’t replied to say if they have consent from journalists to be on their lists.
From my point of view, there are a lot of grey areas and it’s easy to argue for a legitimate interest in holding contact details for a journalist that regularly covers topics relating to your client, has their contacts on the publication’s website and has recently / frequently covered client. If you have press lists with fewer than, say, 30 journalist from any given country you’re probably fine. If you have ones with 300, you’re probably in breach.
But is there a legitimate interest in a media database company, which sells these details, holding them? If not, who have they got permission from – can you get it from the publisher? or will it need to be from them?
How have we dealt with GDPR
Here at Fourteen we work with both in house teams and marketing agencies, to manage a PR function. Probably the hardest element is putting steps in place to prevent a breach – ensuring no list is shared outside of the team working a specific client, and even then, never over an unencrypted channel like email.
Identifying which journalists are we have consent or legitimate interest for sending releases (which are marketing communications) and documenting when we got this. Highlighting when we’ll need to get consent again. Creating policy documentation (our template is here) that anyone can view.