How GDPR Changes Data Security – What PR & Marketing Must Do to Prepare


Only 6 percent of organizations say they are prepared for the extensive General Data Protection Regulation (GDPR) that goes into effect in less than four months, according to a new State of Data Governance Report by erwin Inc.

The law greatly strengthens data protection and privacy of European Union citizens regardless of where they live or work. It applies to companies that market products to them, even if they don’t operate in the EU, including companies that receive web traffic from EU countries. Companies not meeting the law risk heavy fines of up to 4 percent of their annual revenue or 20 million Euros. Besides fines, brands risk reputational damage if they violate the rules.

“The results of the State of Data Governance Report are validating but also a bit shocking,” states Mariann McDonagh, CMO for erwin, in a news release. “The fact that 94 percent of organizations are not prepared for what is arguably one of the most important data privacy and security regulations in recent years – with fines up to four percent of their global revenues – is stunning.”

PR Will Not Own Contact Information

Under GDPR, personal contact and background information on journalists, bloggers and social media influencers doesn’t belong to the PR pros who collect it. Journalists and influencers retain rights to their personal information.

The GDPR also:

  • grants customers and other communications recipients the power to control how their personal information is used,
  • sets standards for data protection in order to prevent data breaches and misuse,
  • requires companies to inform customers about the purpose of collecting data, who will process that data, their ability to withdraw consent, and their other rights.

The High Cost of Compliance

Cost is a major factor. Recent Forrester Consulting research finds that 48 percent of data and compliance decision makers at companies in the U.S., the U.K., Germany and France have allocated at least $1 million to meet the regulation, according to AdAge. Nearly a fifth allocated more than $5 million.

“The first trend we’re seeing is panic,” Jessica Lee, a lawyer at Loeb & Loeb, focusing on marketing and privacy, told AdAge. “For publishers and brands who have a direct relationship with consumers, there are concerns about the level of transparency and specificity needed to obtain consent to the data processing activities they rely on to build their audience, reach their consumers and, in some cases, to provide their services.”

Exactly how the law will impact PR will depend on the Information Commissioner’s Office (ICO), the agency tasked with enforcement, and case law that evolves over time, predicts Daryl Willcox, founder and chairman of ResponseSource.

The regulation may elevate PR, Willcox writes in Stephen Waddington’s blog for corporate communication, marketing and PR. It will likely squash scatter-gun, mass generic media pitches.

PR experts offer these recommendations to stay out of regulators’ crosshairs:

  • Forget about tacit approval to receive PR and marketing messages. Consent must be “freely given, specific, informed and unambiguous.”
  • Understand where data is stored and how to manage it, including how to delete it if necessary.
  • Publish a data protection policy that explains what data you hold, what you do with it and who you share it with. It should cover how “subject access requests” (requests to reveal, change or delete data) are handled.
  • Some organizations may wish to appoint a data protection officer. Even if they don’t have an official position, tap a “go-to” person for data management.
  • Make sure data is secure and suppliers are compliant.

“Live and breathe respect for people’s data, ensure your entire team understands the spirit of GDPR so they can make the right judgements in terms of keeping people informed about how their data is used, the importance of data accuracy and security, crucially, abide by your data protection policy,” Willcox urges.

Bottom Line: The General Data Protection Regulation will change how PR and marketing professionals collect, store and manage information of journalists and social media influencers. Mass email blasts to reporters who don’t want your PR pitches will no longer be acceptable. Companies will face stricter requirements for safeguarding customer information. Most organizations say they are not yet prepared for the regulation that goes into effect in less than four months.