A new data regulation regime is here. The European Union has promulgated a new set of data protection rules known as the General Data Protection Regulation, or GDPR for short. It is designed to harmonize data privacy law across Europe, protect the personal data of individuals in the European Union regardless of where the organization processing it is located, strengthen their right to data privacy, and reshape the way organizations handle data by requiring transparency, security and accountability from those who collect it. GDPR was approved by the European Parliament on April 14, 2016, and May 25, 2018 was set as the enforcement date.
This has obvious implications not only for companies but also for Public Relations practice. Public Relations professionals now have the responsibility to promote new thinking, new attitudes and new behaviors about how personal data is handled within the organizations where they work. They are expected to make organizational leaders and members aware of the obligations GDPR imposes on them. It is now their duty to provide strategic intelligence on data issues to the top management of their organizations or clients, so that informed decisions can be made on how to secure and maintain compliance with the law.
The 7 Critical Things Public Relations Professionals Should Know
GDPR is a complex and far-reaching regulation, touching organizations in numerous ways and at different levels. In this article I intend to take that complexity out of it and address seven critical things that Public Relations professionals should know about it, so that they can play their roles effectively. Let’s look at them one by one:
1. GDPR is Extra-Territorial
It is tempting to think that organizations operating outside the EU need not be concerned about GDPR. That is very far from the truth. GDPR applies to organizations with no establishment in the EU whenever they offer goods or services to people who are in the EU, or monitor the behavior of people in the EU, and collect their personal data in the process. The test is where the data subjects are, not their citizenship or the location of the company.
EU regulators can fine companies outside the EU that are found to have violated GDPR, and they can work with the authorities of the country where the company is domiciled to secure compliance. A company outside the EU that falls under the regulation is generally also required to designate a representative within the EU, and any enforcement action against it must be taken in accordance with international law.
2. What Constitutes Personal Data
PR professionals should know what constitutes personal data in the context of GDPR. According to the regulation, “personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In the context of this EU law, what constitutes personal data is rather broad. It can be anything from a name, home address, photo or email address to medical information, web data such as location, IP address, cookie identifiers and RFID tags, biometric data, health and genetic data, racial and ethnic data, bank account information and so on. Note that some of these (health, genetic, biometric, racial and ethnic data, among others) are “special categories” of personal data that carry stricter processing conditions. Lawyers are in the best position to interpret the clause on personal data for a specific organization.
3. Conditions for Processing Data
It is important for PR practitioners to know that there are six lawful bases on which an organization can process personal data under GDPR. At least one of them must apply to each processing activity. They are as follows:
i. Consent of the data subject. Consent is defined as “Freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Under GDPR consent must be
- Unbundled – separate from any other terms or conditions of service.
- Active – The data subject must take a clear affirmative action to authorize processing of their data, e.g. fill in a form or tick an unticked opt-in box. Pre-ticked boxes, silence or inactivity do not constitute consent.
- Granular – Data subjects must be able to consent separately to each purpose for which their data will be processed. Where contact is involved, they should be able to choose the channels by which they are contacted, e.g. email, SMS or phone, for each purpose.
- Named — Clearly state the organization which will be relying on the consent to process personal data. State clearly if your organization will share the data with a third party.
- Easy to withdraw – Create a mechanism that makes it easy for data subjects to withdraw their consent at any time.
ii. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
iii. Processing is necessary for compliance with a legal obligation.
iv. Processing is necessary to protect the vital interests of the data subject or of another natural person.
v. Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the data controller.
vi. Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests, rights and freedoms of the data subject.
4. Right of Data Subject under GDPR
PR professionals need to know that personal data must be processed in accordance with the rights of the data subjects. On its website, the UK’s Information Commissioner’s Office (ICO) summarizes the rights that GDPR gives individuals as follows:
- The right to be informed about how their personal data is collected and used.
- The right of access to a copy of their personal data and supplementary information about its processing.
- The right to rectification of inaccurate or incomplete personal data.
- The right to erasure (the “right to be forgotten”) in certain circumstances.
- The right to restrict processing in certain circumstances.
- The right to data portability, i.e. to obtain and reuse their data across different services.
- The right to object to processing, including an absolute right to object to processing for direct marketing.
- Rights in relation to automated decision-making and profiling.
Beyond these, individuals retain the right to lodge a complaint with a supervisory authority and to claim compensation for damage caused by an infringement of the regulation.
5. Breach Notification Timeline
It is crucial to know that, in the event of a personal data breach, the data controller must notify the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Should the controller determine that the breach is likely to result in a high risk to the affected data subjects, those individuals must also be informed without undue delay.
Knowledge of this short time span helps Public Relations practitioners to prepare well in advance for such breaches, and puts them in a better position to head off the reputational damage a breach is capable of causing.
6. Categories of Companies Affected
PR professionals should also know that GDPR applies to any organization that stores or processes the personal data of individuals in the EU, even when it has no physical presence within the EU. In broad terms, an organization is caught if it meets either of the following:
- It has an establishment in an EU country and processes personal data in the context of that establishment.
- It has no establishment in the EU, but it offers goods or services to, or monitors the behavior of, individuals in the EU.
Size does not exempt an organization from the regulation itself. The often-cited figure of 250 employees concerns only the obligation to keep written records of processing activities: organizations with fewer than 250 employees are exempt from that record-keeping duty unless their processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or data relating to criminal convictions and offences.
7. Implication for PR Practice
Knowing the implications GDPR has for PR practice is itself good practice. It shows you are on top of the situation.
In PR, we process the data of journalists, digital influencers, bloggers and other stakeholders. It is important to know the legal ground on which we stand when processing the personal data of individuals in the EU. Depending on the circumstances, consent and legitimate interests are the lawful bases most relevant to Public Relations practitioners, and whichever one is relied on should be documented before the processing begins.
Most organizations are afraid of the gargantuan fine of up to 20 million euros or 4% of annual global turnover, whichever is higher, for a company found to be in breach of the law. But for Public Relations, the greater concern is the implication such breaches could have for the reputation of an organization. As Dan Golding puts it in an article in Communication Director Magazine, “under GDPR, data privacy and security will become the new frontline in corporate reputation”. A data breach could mean loss of stakeholders’ trust. Public Relations practitioners have a significant role to play in ensuring that their clients or organizations can manage these risks effectively and efficiently, especially considering the 72-hour timeline for breach notification and the time squeeze it creates for handling such a crisis. According to Yoko Ogawa, “solving a problem for which you know there’s an answer is like climbing a mountain with a guide.” The answer to the GDPR challenge is to understand its letter and spirit. This article has only scratched the surface from a layman’s point of view and is meant to draw your attention to it. Working with legal practitioners is the only way to deepen your knowledge and understanding of how it affects your organization, how it affects your Public Relations practice, and how best to ensure compliance.