GDPR comes into play next May and it’s putting PR and comms pros into a bit of a spin

GDPR has thrown a curve ball but it’s making us more responsible for data and our publics.

With GDPR only six months away, there’s a lot of information to consume and there are things we must action, both as PR/comms pros and advise on clients to action, in order to comply.

The long and the short of it is, data is being sold onto third parties without our consent, sometimes with our consent but we don’t know as the small print is too small, and businesses must take responsibility for their duty to the public and personal data.

Here’s what I’m going to do:

  1. Alert email lists of GDPR and what it means. This also presents an opportunity for re-opt-in if required, for example if I’ve added people to my Aura lists without specifically asking them if they want to opt-in
  2. Tell the list how and why I’ve got their data and exactly what I’ll use it for e.g. direct marketing products/services/events etc.
  3. Tell people they can have a copy of the data I hold, and that it can be erased upon request and they can log-in and change it (via MailChimp)
  4. If regulators ask for proof of compliance, this can be provided via the likes of MailChimp, which documents list activity
  5. As Aura is a small business I don’t need to appoint a Data Protection Officer (DPO)– this only applies to the likes of banks, hospitals and insurance companies, which process large amounts of personal data

Here’s a useful checklist via adexchanger.com (which I spotted via Zude’s email this morning):

Determine whether your company is a controller or a processor. The distinction will have an impact on how you approach compliance.

Conduct a data protection impact assessment (DPIA): Run a risk analysis of your data process. The first step is to map your data flows and get a clear understanding of where you’re collecting data from, who you’re sharing it with, if there’s the potential for data leakage and how you maintain, retain and protect data when you have it. A DPIA helps companies figure out if they’re in compliance with GDPR and/or how much work they’ve still got to do to get there.

Take a look at your contracts: Review your supply chain to determine whether your agreements with partners are up to date and include GDPR-related clauses – for example, what to do in case of a breach or an enforcement action. This can be part of the DPIA process.

Do you need a DPO? Whether a company is required to appoint a data protection officer depends on the scope and scale at which it tracks data subjects. The law says “regular and systematic monitoring … on a large scale.” But having a DPO is always better than not having one.

Documentation: Controllers are required to document that the processing of data being done on their behalf is up to the GDPR’s standards, including the creation of internal policies on opt-ins, data retention and management. If a Data Protection Authority comes knocking, you need written proof of your procedures at hand.

I’ve come up with some useful GDPR questions to help you write your data and privacy policy and make it public:

  1. Why do you collect data
  2. How do you process/use it
  3. Where is the data stored
  4. If it’s stored in an external platform such as MailChimp, here is a useful guide from MailChimp about GDPR. Also, here’s an excerpt which helped me understand if I’m a controller or processor, as I use MailChimp for the majority of my clients and my own work at Aura

“In the context of the MailChimp application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information from their contacts or subscribers is uploaded or transferred into their MailChimp account; direct MailChimp, through our application, to send emails to certain subscribers on their email distribution lists; and instruct MailChimp to place advertisements on their behalf on third party platforms such as Facebook or Instagram. MailChimp is acting as a processor by performing these and other services for our customers.”

  1. What about data you already have e.g. email lists? MailChimp says: “Keep in mind that any consent you obtain from your subscribers and contacts must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that you may continue to rely on any existing consent which meets the GDPR standards for consent. This means that it is not necessary to re-request consent from your subscribers or contacts when the GDPR goes into effect so long as you met all of the requirements of the GDPR when you initially obtained consent. We recommend consulting with local counsel to determine if consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your subscribers and contacts to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.”
  2. Is there a single or double opt-in
  3. How do people opt-out/unsubscribe
  4. Can you send someone the data you hold about them
  5. If questioned, can you produce a document or policy outlining data usage and measures taken to comply with GDPR, including evidence of measures you’ve taken e.g. emails to ask to opt-in, emails alerting databases etc
  6. If you’re a large organisation which now needs a DPO, do you have a job description, specifically outlining key responsibilities for data processing and controlling
  7. Have you contacted suppliers to alert them to your new policy and your expectations around agreements and new ways of working
  8. Review any pop-ups on your website. You should write each form to make sure that language in the body and/or footer is clear, specific, and covers all possible reasons for using the information being solicited. Be very specific about the intended use of the information you are collecting.
  9. Update your privacy and security policy on your website
  10. Do you have cyber security policies, including for crisis management?
  11. Suggest looking into cyber security insurance and adding data breach to risk assessments and scenario planning
  12. Staff training – PR, comms, digital, web, IT, senior management and leadership team

I hope this is of use and if you think I’ve missed anything please let me know!

If you wouldn’t mind, can you please share this blog post among your network as I have a feeling it will put people’s worries to rest and also aid most with actionable points to help have everything in place before GDPR kicks in next May.