The General Data Protection Regulation (GDPR) - one of the most significant changes to data protection for individuals within the European Union - comes into force later this year.
As well as wide-ranging events on the subject and detailed training courses, there are several specific resources that PRCA members seeking to understand and address GDPR should consult first and foremost:
- The ICO's 12 Steps to Take Now;
- The PRCA and Lewis Silkin's handbook to getting ready for GDPR;
- The ICO's "GDPRmyths" series;
- The output from Firefly, Lewis Silkin, and PRCA's joint event on preparing for GDPR;
- The ICO's checklists for both data controllers and data processors.
In addition, the FAQ below should address some of the more common, industry-specific questions that PRCA members might have; these FAQs offer general guidance on legal matters and do not constitute legal advice (nor should they be treated as such). The FAQs will be updated with any new questions received, have further detail added where appropriate, and be edited for any necessary clarity or in light of any relevant output from the ICO.
What is GDPR and what does it apply to?
GDPR replaces the Data Protection Act (DPA) in the UK and is concerned with “personal data” (effectively meaning “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier” such as their name, location, online identifier, email address, or phone number). As such, PR and communications practitioners need to be aware of the implications and the new processes they will need to implement.
What date does GDPR start?
GDPR comes into force on Friday, 25th May, 2018. Given that GDPR is a regulation (rather than a directive), it will apply automatically and without the need for UK legislation. This follows a two-year transition period.
Is GDPR simply a threat to the PR and communications industry?
GDPR represents a significant change to the UK’s already-strong data protection regulations; with this in mind, there are a great many organisations highlighting the GDPR changes as a threat to businesses and noting that the regulation itself is overlong and cumbersome. Ultimately, GDPR can represent an opportunity for PR and communications practitioners and their employers and clients to develop their reputation with individuals in a structured, manageable, and proportionate way. ICO’s latest survey (January 2017) on consumers and personal data found that 75% of UK adults do not trust businesses with their personal data.
From a reputation perspective, handling data in a respectful manner shows individuals that you are safe guardians of their personal information. As individuals become more aware of their existing rights and of GDPR, organisational trust will continue to be central to any continued relationship you might have with them. Ensuring that your organisation is compliant ahead of time signals to individuals that your organisation has made a serious, rights-centric commitment to them.
From an engagement perspective, and taking consent as an example, individuals actively opting in to being contacted means they are more likely to engage with that content. GDPR also encourages organisations to work with granular consent, a situation that sees individuals manage their preferences and ensures that they only receive information which is strictly relevant or useful to them. GDPR provides an opportunity for the industry to ensure its data is “in order”, which consequently results in a clearer return on any marketing or promotional expenditure.
From a structural perspective, the processes laid out in GDPR should – in theory – make data processing (and using data) more efficient throughout the industry. Working towards GDPR compliance should involve a reconsideration of every current process, scrutiny of best practice at your organisation, and potentially highlight better ways of working inside the parameters of compliance.
Is there any specific guidance for PR and communications consultancies getting ready for GDPR?
Yes, please see here for a guide from our legal partners, Lewis Silkin. It covers direct obligations, indirect obligations, and concludes that: “While well intentioned, the GDPR is too prescriptive for 21st century PR agencies, which vary significantly in size and remit, but it’s here to stay. Brexit or no Brexit. Taking the time now to adjust offerings, systems, processes and (importantly) contracts, will help PR agencies not only to manage their own risk and cost base, but also to provide reassurance to clients and improve the attractiveness of their offerings. All this should, of course, help to improve (or at least reduce the impact on) the bottom line.”
Is it aimed at the PR and communications industry? Should our preparation be any different?
GDPR will affect every organisation involved with personal data: it is not specifically targeted at certain industries but obviously has clear implications for standard, commonplace marcomms activities. Of course, data protection goes hand-in-hand with trust and reputation, meaning that PR and communications practitioners have a significant interest in making sure their organisation and clients can manage the risks and take advantage of the trust-building opportunity.
How can I lawfully process personal data under GDPR?
For the most part, PR and communications practitioners, when thinking about the lawful basis for processing personal data, are going to be relying on consent or legitimate interests. Consultants might need to process data using contract as their basis when dealing with clients, for example, and employers of all sizes are going to need to process data based on legal obligations, but practitioners will mostly find they are working within these two lawful bases. Consent and legitimate interests are relatively broad; they are not, for example, as situation-specific as public task (for public authorities) or vital interests (for emergency care). These examples demonstrate the absolute breadth of what is being treated as personal data under GDPR and reiterate the fact that GDPR is not aimed at the PR and communications industry specifically.
The need to identify, understand, and apply your basis for lawfully processing personal data under GDPR ahead of any actions cannot be overstated. It is not about retrofitting the reason for your actions, but about assessing whether you can legally do the processing you intend to do. You need to be clear that what you are doing is right under the new rules, rather than assuming it is acceptable.
I need to process personal data: how does consent work under GDPR?
The standard for consent when GDPR comes into force will be exceptionally high and it is important that practitioners understand the mechanisms involved – consent should, in practice, enhance your reputation by building trust and focusing on engagement. Given this reputational dynamic, all PR and communications practitioners should understand the organisational risks and opportunities involved here: they will almost certainly require you to update your practices.
Consent is a lawful basis for processing personal data; as the ICO state, it is not “inherently better” than any of the other several bases for lawful processing, and you must make sure that you are genuinely offering a choice, otherwise asking for consent is “misleading and inherently unfair”. Do not, for example, make consent a precondition of service, as it is unlikely to stand up to scrutiny. Relying on consent gained inappropriately or through invalid means is damaging to your reputation and raises other organisational risks.
Obtaining consent from people is straightforward if you implement the process properly and understand and appreciate the rights they have under GDPR:
- Consent “must be freely given”.
- Consent “should be obvious”, require “positive action” to opt-in, and consent requests need to be prominent, concise, understandable, and “unbundled” from other terms and conditions.
- Consent must specifically state the controller’s name in the organisation, the “purposes” of the processing, and the “types” of processing activity.
- Consent should be reviewed and refreshed regularly.
Some of these are obvious – such as consent being freely given – and some of these require a clearer explanation. Positive action, for example, means the end of automatic opt-ins or pre-ticked boxes to gain consent for marketing. Similarly, there are no set rules around when you review and refresh this processed data, but you should be guided by individuals’ expectations and precisely how you set out your intentions in the consent request. If you have processed data with one intention and find that your needs change, you need to expressly consider whether that existing consent is in any way valid if you are choosing to rely on consent as the lawful basis.
As detailed by the ICO, this means your requests for consent (ideally “granular”, so that people can opt-in or opt-out for different purposes, rather than a “binary” option of consenting to everything or consenting to nothing) should cover:
- The name of your organisation.
- The name of any third party controllers who will rely on the consent.
- Why you want the data.
- What you will do with it.
- Note that individuals can withdraw consent at any time.
Again, some of these are obvious – such as the name of your organisation and the name of, for example, the client you are working for who will need access to this processed personal information – and some of these require a clearer explanation. You need to be clear from the start why you want that individual’s data: this should not be vague or overly general. Similarly, what you will do with that data needs to manage expectations and lay out your intentions.
Keep in mind that if you are relying on existing consent, it needs to be fit for purpose and meet the standards set by GDPR. In some cases, this will involve you contacting entire lists for consent because your current processes are not up to that standard; on the upside, this means that you can obtain consent now, well ahead of GDPR coming into force at the end of May 2018.
I intend to use consent as my lawful basis: is there a checklist?
The checklists for asking for consent, recording consent, and managing consent can be found here on the ICO’s website. PR and communications practitioners should look over these checklists and formulate their own, internal checklists based on their needs.
I need to process personal data: how do legitimate interests work under GDPR?
As the ICO note, “legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate”; it centres on a “compelling justification” for processing and using personal data, or on using it in a way people would reasonably expect while having a “minimal privacy impact”.
Choosing to rely on legitimate interests is a perfectly reasonable decision in many cases, but PR and communications practitioners need to be aware that they are taking on responsibilities when they do this. It is not enough to simply rely on legitimate interests without considering the implications; the article which lays out the lawful basis states: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Effectively, the PR and communications industry should think of this as a three-part test, which is precisely how the ICO have explained the process:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Legitimate interests is a highly flexible basis. Given that, and given the fact it may not always be appropriate, PR and communications practitioners should fully familiarise themselves with the ICO’s guidance. When it comes to electronic marketing, legitimate interests can be used provided that you do not need consent under the separate PECR rules. The three parts of this test can be unpacked and understood in the PR and communications environment.
“Purpose” can be considered relatively clear: is it in your own interest? The interest of the person whose data you are processing? Is it a commercial interest? Or do you genuinely and reasonably believe that it serves “wider societal benefits”? Ultimately, you need to keep this under review – especially if you are a consultant – as a significant change can alter whether your actions pass this legitimate interests test. What starts off as (or is planned to be) a campaign with a certain message and purpose can change as you adapt to a changing environment.
“Necessary”, however, requires you to evaluate your actions: are you processing the data in “a targeted and proportionate way”? Are there more reasonable and less intrusive means that could achieve the same result for your campaign? The ICO’s checklist for this point is relatively clear: “checked that the processing is necessary and there is no less intrusive way to achieve the same result”. This may require you, for example, to reconsider how you decide to engage the public in a campaign, especially if they have not consented to this and you are genuinely relying on legitimate interests.
“Balancing” requires you to take a step back from your own interests and might lead to you reconsidering whether you can process data: would these individuals reasonably expect you to use their data in this way? Does it cause them “unwarranted” harm? In the grand scheme of this, do their interests actually override your own because of your answers to those two questions? The ICO adds the following caveat: “your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.”
The legitimate interest details laid out by GDPR, in some cases, simply formalise best practice for the PR and communications industry: you should, for example, know the purpose of your use of an individual’s data and you should have clearly considered the best possible way to achieve the outcome you are seeking. This is about behaving professionally, refining your communications, targeting properly, deploying empathy in considering the interests of other people, and keeping clear lists with portable data that people can ask to be deleted, amended, or sent to them.
Ultimately, the PR and communications industry should not be complacent about the data it is processing relating to journalists and members of the public, even if their email address, for instance, exists in the public domain. You need to be able to show how you comply with GDPR, rather than seeking to use legitimate interests as a retrospective defence of your actions.
I intend to use legitimate interests as my lawful basis: is there a checklist?
The checklists for legitimate interests can be found here on the ICO’s website. PR and communications practitioners should look over these checklists and formulate their own, internal checklists based on their needs. It is also important, for the sake of this basis, that you have conducted a legitimate interests assessment and kept a record of it.
Given the size of organisations conducting PR and communications (the latest industry census shows consultancies are most likely to be made up of between 11 and 50 people and that in-house teams are usually 2-5 people), do we benefit from any “small business exemptions”?
If you process personal data, you must comply with GDPR, although size has an effect on what you need to document. SMEs (organisations with fewer than 250 employees – so all but 7 PR and communications consultancies, according to the latest PRWeek Top 150) only need to document processing activities that are “not occasional”, “could result in a risk to the rights and freedoms of individuals”, or “involve the processing of special categories of data or criminal conviction and offence data”. This reduces the burden of GDPR to tasks which are effectively a common occurrence to PR and communications practitioners such as managing media lists containing journalists’ personal email addresses or collecting and processing data from a public engagement event.
Who is responsible for enforcing this all?
The Information Commissioner’s Office (ICO) – the UK’s independent authority which exists “to uphold information rights in the public interest, promoting openness by public bodies, and data privacy for individuals” – is responsible for GDPR in the UK. Crucially, it exists not solely to enforce but to educate organisations and uphold these new rights for individuals.
How different is GDPR to the previous data protection regulations?
Major regulation already exists and should – until GDPR comes into force – continue to inform all organisations’ work with data relating to individuals. The DPA was introduced a significant time ago: since then, there have been clear changes and complex additions to the nature of privacy and data breaches. DPA lays the groundwork for regulating and – effectively – processing (obtaining, holding, and disclosing) data relating to individuals. GDPR works to build on DPA and there are several key changes which the PR and communications industry should pay special attention to:
- The maximum fines have increased.
- Jurisdiction has increased.
- Consent has been strengthened.
- Specific data subject rights have been introduced.
Does Brexit alter (or prevent entirely) GDPR for organisations based in the UK?
GDPR will apply during the UK’s membership of the EU and after the UK has left the EU.
As recently (January 2018) reiterated by the Minister for Digital and the Creative Industries, Margot James MP, in her written answer to this same question: “All UK businesses together with all organisations that process personal data will be required to comply with the General Data Protection Regulation GDPR after Friday, 25th May, 2018, and the UK's full data protection regime as set out in the Data Protection Bill. The ICO provides guidance and support to UK organisations and have already published a number of resources on the ICO’s website to help organisations prepare. The ICO has: launched a dedicated helpline service for smaller organisations; updated its 'SME toolkit' to reflect the requirements of the GDPR; simplified its ‘12-step’ GDPR preparation guidance; and published tailored guidance for charities.”
Similarly, notes to the Queen’s Speech in 2017 made clear that the Government wants “the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU”, despite some discussion of inevitable post-Brexit changes that will result from negotiations between the UK and EU. It is reasonable to assume that these changes will involve the ICO and be centred on collaboration and uniformity.
What are the fines and how worried should we be?
Under DPA, the theoretical maximum fine that the ICO can levy is £500,000 and, in practice, the maximum fine so far has been £400,000. GDPR will see the theoretical maximum fine increased to €20 million or 4% of annual global (rather than UK) turnover, whichever figure happens to be higher. In our view, it is reasonable to note that serious fines already exist for data protection issues and these have been applied to various organisations in the history of DPA. It is also worth noting that this represents the absolute limit rather than the expected norm; organisations need to ensure they are compliant but be aware that financial risk is not the sole reason to comply, as explained elsewhere.
Given the ICO has never levied a fine at the current maximum, analysis and reports that use the GDPR maximum and assume that some or all of the fines in their model will be at that maximum are as unhelpful as they are unnecessary. Similarly, the concept that GDPR is solely focused on financial punishment ignores many of the crucial opportunities GDPR presents for organisations.
Where does this apply?
GDPR applies to “processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU”, as summarised by ICO. The aim is to harmonise data protection regulations across the EU and means that any non-European. PR and communications practitioners need to be aware, therefore, that it does not matter where their organisations or clients are based when it comes to processing data for EU individuals.
Press officers may be asked to respond to media questions relating to a member of the public: does GDPR mean these press officers are limited in how they respond?
A typical scenario might be that a member of the public has contacted your organisation to complain about an experience or product. As soon as they contact you, your organisation starts processing personal data related to them. Under full GDPR compliance, you should be sending back processing notices stating clearly what you will do with this person’s data. If someone provides you with details indirectly, be absolutely certain that these notices reach the person concerned.
As you begin responding to media questions, you are – in essence – releasing personal data to the media, which could be against the wishes of that person, and they could therefore object. To be compliant, you should contact that person, let them know that the media has contacted you regarding their complaint, and ask the person what they want you to release about them to the media or what information you can pass over to the third party. GDPR compliance, therefore, requires some back-and-forth in this scenario if you are relying on consent.
What about data we already hold?
If that data already meets the new rules – and many organisations are currently working towards that goal – then that existing consent will still apply when GDPR comes into force. Some major organisations have attracted widespread coverage for deleting entire mailing lists already: this could be because they have lost track of consent, decided that the risk outweighed the marketing value, or because of concerns around the ICO’s enforcement of current rules.
When it comes to existing data and existing consent, you should still bring the individual’s right to object to their attention. Similarly, they have the clear right to be forgotten, “without undue delay”.
Does GDPR change best practice for using photography?
Explicit written consent from everyone featured should already be part of your best practice; a photography release form is the easiest way to do this and should state clearly how you intend to use the photo(s) that include them.
GDPR explicitly includes photos and there are three rights to consider: the right to be informed, the right to access, and the right to erasure.
First, look at the subject of the photo(s): if that subject is clearly a person (or people) who can be identified, then you have to keep GDPR in mind. Secondly, consider the commercial risk involved in including someone in a “positive” photograph of an event when – in fact – they found it a “negative” experience. Thirdly, consider those GDPR rights in practice. This means that you must be clear how the photo is going to be used (e.g. on social media and in a press release); that the individual has the right to access this personal data on request; and, should they request it, that the photo(s) be removed from all digital channels and (future) print work.
What should our privacy policy look like?
There are various examples which exist: notably, if any organisation has recently asked for your GDPR-compliant consent, you will have been party to one. Example toolkits we have previously cited with templates are here and here. We have our own privacy policy (consent with no third party) here. The ICO’s privacy notice checklist is the best possible resource; that compliance then needs to be matched with compelling marketing.
How do we manage meeting notes (with, for example, an MP) going forward?
The core question here is what legal justification for processing data you will be relying on. Consent can be limited and may not be the most appropriate basis when engaging with external parties. Indeed, any data processing based on consent requires you to manage expectations and ensure your processing remains reasonable and in line with the privacy policy. Legitimate interests, as the basis for processing, is a possible remedy to the situation. Legitimate interests is flexible, and may not always be the most appropriate, but it helps when you have justification for your actions, and it is a three-part test. Effectively, you need to consider the interests that exist (“Recording these comments is highly important; not sharing this information with our client would be negative; there is a public benefit to a large organisation knowing their local MP’s position on their key issue; there is a public benefit”), then consider necessity (“Does recording their private comment on the amendment further that interest? Is it reasonable? Can I be less intrusive?”), and finally the balancing test, where you make a judgement call on whether the impact overrides the interest (“Do I believe they would find something they shared with me, a stakeholder, highly intrusive if shared with a similar stakeholder? What sort of positive or negative impact might this have? Would I be happy explaining my actions to them?”).