GDPR for public relations: driving up standards
Absolute answers on the impact of the General Data Protection Regulation (GDPR) on public relations are hard to come by, especially from database vendors. It's an issue I shared recently with ResponseSource founder and chairman Daryl Willcox.
Daryl rose to my challenge where others have failed. In this guest blog he discusses what GDPR means for public relations agencies and in-house teams that manage databases and lists of journalists and influencers.
He sets out compliance requirements and concludes that GDPR will drive up standards in public relations. It's a long read but you'll almost certainly want to share it with colleagues, and print it out for your senior managers.
By Daryl Willcox
General Data Protection Regulation (GDPR). A mouthful. And hard to get excited about.
While there are creative campaigns to come up with, colourful content to craft and scintillating stories to pitch, complying with a chunk of dry data protection law understandably falls down the priority list.
But if you’re not already looking at it, now is the time to get down and dirty with GDPR. The clock is ticking before we all have to comply 100% with this critical legislation.
But let me present GDPR in a way that may motivate you a little more to embrace it, and perhaps even enjoy it.
GDPR is something I've been looking at for many months and it’s my firm belief that this cumbersome piece of regulation, which on the face of it appears to present a load of new hoops for us to jump through even though we have fairly strong existing data protection rules, could in fact be a force for good for the public relations industry and help to further elevate it as a profession.
I say ‘could’ because GDPR, as a set of rules designed to unify data protection legislation across the European Union (EU), is inevitably broad and high-level.
Exactly how it will work for you and me and the individuals whose data we hold will come down to guidance provided by the local agencies tasked with policing it – in our case the Information Commissioner’s Office (ICO) – and case law that will take time to evolve.
The amount of guidance provided has been limited but so far the ICO is taking a pragmatic approach, which is reassuring.
Anyway, back to GDPR and what it means for the public relations industry. First of all let’s explode some common myths.
First myth: GDPR is aimed at the public relations industry, because it has the letters ‘P’ and ‘R’ in it.
No. GDPR will affect every organisation in the UK that stores or processes people’s data. It’s not just a media industry issue, though the potential impact on us is perhaps more significant than other industries.
Second myth: GDPR is European legislation, once we've left the EU we can forget about it.
Fraid not. The UK government is committed to GDPR despite Brexit because if nothing else you only have to store one person’s data who happens to reside in the EU to have to comply completely with GDPR. UK PLC will have a great deal of difficulty trading with the EU if we don’t comply.
Third myth: media relations will grind to a halt.
Not so. Under GDPR ‘consent’ is an important legal condition under which we can store and process people’s data, but there are others too. I’ll go into this more later.
Fourth myth: compliance is just about making sure all your suppliers are compliant, then you’re compliant by default.
This couldn’t be further from the truth. All organisations have to be compliant in their own right; ensuring suppliers are compliant is just one small step in doing this.
Fifth myth: the ICO will have powers of arrest and will send armed officers in to any company before fining them millions of pounds if they are suspected of the slightest infringement of GDPR rules.
Okay, I may have gone a bit overboard on this, but the point I’m trying to make here is that although GDPR beefs up our already fairly robust data protection laws and the ICO will have greater powers, the indication is they will be using those powers in a sensible and proportionate way, in particular when it comes to smaller businesses.
Complying with GDPR: public relations organisations need to take a more assertive position
So, myths busted, how do you go about complying with GDPR? You have to do so by 25 May 2018. The CIPR has issued a general guidance document for members and PRCA is offering training – and I hope soon they will start delivering more support to the public relations industry on the issue. I can’t give you a full A-Z on compliance in this post, but here’s my summary of what you need to look at to achieve compliance:
Make sure your IT systems and internal security processes are up to current good practice and your suppliers are compliant. Review regularly.
Team: corporate responsibility
Live and breathe respect for people’s data, ensure your entire team understands the spirit of GDPR so they can make the right judgements in terms of keeping people informed about how their data is used, the importance of data accuracy and security and, crucially, abide by your data protection policy.
There is obviously more to it than that but I believe if you consider compliance in terms of the three areas above you’ll be off in the right direction. GDPR compliance is not a check-box exercise, it’s a journey and one that will continue after 25 May.
Legitimate interest as a force for good
So, why do I believe GDPR has the potential to be a force for good in public relations? Well, remember above where I mentioned there are other conditions beyond ‘consent’ that allow for processing data? Of the other five conditions I’d like to focus on one called ‘legitimate interests’. Put very simply, legitimate interests means that if the processing of personal data is a fundamental part of your day-to-day business, without which you would not be able to function, then you should be allowed to continue to do so.
It is my belief a fair and reasonable interpretation of GDPR is that public relations agencies and in-house departments would be exercising a ‘legitimate interest’ in storing and processing journalist data, and contacting journalists to provide relevant information. It is this basis upon which media database companies such as ResponseSource will operate too.
It's important to understand ‘legitimate interests’ is not a ‘get out of jail free’ card; all other aspects of the GDPR rules need to be complied with – for example only processing relevant data, keeping data up-to-date and acting on change or delete requests swiftly and efficiently.
This article does not represent legal advice, though I am committed to the points I’m making here.
So, here’s the thing in terms of a force for good in the industry. For the public relations industry to use legitimate interests as a basis for storing and processing journalists’ data, it needs to ensure that the personal information held is used in an appropriate manner, that is to supply material to journalists that is relevant and useful.
Under GDPR, lazy, scatter-gun media relations – launching long-winded generic pitches at thousands of journalists – is likely to chip away at the foundations of using legitimate interests to process data and could bring the ICO under pressure to use its enhanced powers to rein in our industry, with potentially negative consequences for public relations, journalism and society as a whole.
Consider the alternative. If public relations professionals across the UK have to get specific consent from every journalist for every client and every campaign (granularity of consent is built into GDPR), then this will be disastrous for public relations and I believe disastrous for journalism – and democracy – too.
Public relations would be suffocated by administration and no journalist has the time to respond to every consent request (they’d still be bombarded, with consent requests rather than irrelevant pitches). The end result would be a substantial barrier to access to the media, a terrible hindrance on the ability for journalists to report fairly and comprehensively on what is going on in society and hold those in power to account.
Remember, access to the media should be a right not just for big corporates but small businesses, charities and pressure groups too – organisations of all types and sizes.
As an industry we must respect the privilege of ‘legitimate interests’ and operate in the most professional manner. Among other things that means keeping journalist data up-to-date, accurate and secure, refining press lists so what is sent is relevant and useful and responding swiftly and effectively to requests by journalists to amend or delete details.
The result will be a professional industry that we can all be proud of. We’ll have the EU and GDPR to thank for that.
Update: 19 January, 2018 - Daryl has drafted a FAQ as a follow-up to this post called Introduction to GDPR compliance for media relations – Q&A.