The PR in GDPR

The PR in GDPR

We are now one month out from that fated day: 25 May 2018, when the General Data Protection Regulation (GDPR) will become law. There are a lot of rumours flying around about this policy, from the idea that it will only affect large multinational companies to the notion that this is the beginning of the end of the PR industry. These couldn’t be further from the truth, but knowing that it is very nearly impossible to send everyone on GDPR training, it is worth a simple breakdown of what this means for PR professionals.

The Big Question

Will this be the end of PR? After all, if we’re not able to contact journalists, our capacity to secure earned media for our clients becomes significantly more difficult. As I mentioned, this is not something you should worry about.

If you are using media databases like Agility or Cision, you’re covered. These require the journalists or outlets to ‘opt in’ (i.e. give ‘explicit consent’) to have their contact information shared. Furthermore, business email addresses, such as or are publicly available information and therefore exempt from GDPR.

The one area where it does get a bit sticky is with freelance journalists – because many use personal email addresses. Again, if you get their contact through a verified database, no problem. Also, if you have a previous relationship with them, you’re free to contact them. If, however, you include them in a giant mail merge that does not have a ‘legitimate interest’, meaning a story that relates to the topic and region that they write on and therefore something that they could consider ‘marketing’, that could be a problem.

This is just another reason for PR professionals to tailor distribution to the journalists; no more spray and pray! And if someone asks to be deleted from your distribution list…delete them.

What you need to know

Beyond the dozens of opaque phrases like ‘processor’ and ‘personal data’, what else do you really need to know to be up to speed on how GDPR will affect your PR agency?

• Who is your ‘Data Protection Officer’?

Every company has to have one! If you don’t know, ask. They will likely be the person formulating your new data policies, and also the person you will go to with specific questions.

• Are you able to explain your new client contracts?

Again, every company will have to update its individual client contracts and/or have a blanket data protection policy that will be applicable to all clients. In general, it would be good to know what kind of data you hold, what you do with it (i.e. where will it be stored, how it will be deleted, who will have access to it), and the process that you will go through before using or sharing it. If you can summarise these points in layman’s terms, your clients are going to feel much more comfortable making you a ‘sub-processor’ of their data.

• Are your media lists up to date?

If you’ve been using the same media list for a while now, it’s time to update it. If you have old lists saved, now is the time to delete them. Think of it as spring cleaning.

After a two year transition period, we are now in the final countdown to GDPR. Someday all of these areas that we are struggling to understand will be commonplace, second nature, and set in stone. Next month will be the first step towards that, so if you haven’t gotten up to speed yet, now is the time.

CrowdStrike and the Global IT Crisis – What is happening? What should those affected do? What should CrowdStrike do?

Senior Political Counsellor, Leon Emirali, Discusses Starmer’s First Week as PM on BBC News

Add PLMR to your contacts

PLMR’s crisis communications experience is second to none, and includes pre-emptive and reactive work across traditional and social media channels. We work with a range of organisations to offer critical communication support when they are faced with difficult and challenging scenarios.