4 GDPR Challenges Facing PR Firms
As a PR professional, you have likely heard of the General Data Protection Regulation (GDPR), which is the EU’s regulation for the protection of EU residents’ personal data. GDPR is a comprehensive set of laws passed in May 2018 that affects not only EU businesses but also businesses outside of the EU that “control” or “process” EU residents’ data.
If you are a PR firm based in the US that pitches reporters or influencers in the UK, France, Germany or anywhere else in the EU – GDPR applies to you. This is because pitching a reporter, and even possessing her personal data (such as email, phone, etc.), fall under the categories of “control and processing.”
Even if your pitches to EU-based reporters are infrequent, you avoid “spray and pray,” and you target reporters smartly, GDPR compliance is required.
Since the GDPR text is 261 pages long – with 11 chapters, 99 articles and 173 recitals – we have decided to break down for you some of the essential requirements and challenges affecting PR agencies. Let’s assume that John is a reporter at Travel Today Magazine.
Tracking why you have the right to pitch each journalist
According to GDPR, you need to have a legal reason to pitch each reporter, and you need to keep track of what the reason is for each reporter. Some of these include “consent,” which means John opted in (he has told you before that he would like to receive pitches from you), or “legitimate interests” (e.g. John writes about travel and/or Travel Today Magazine focuses on travel, and you are pitching him a travel-related story).
How Propel addresses it: whenever you upload a media list or enter a contact manually into Propel, you are asked what legal basis you have to pitch this/these reporter(s). There is also a multi-select drop-down on each reporter’s profile page in Propel, so that you can keep track of the legal basis, and modify it if needed, in one central location.
Giving reporters the ability to “opt out” of receiving pitches
You are required to give journalists the ability to opt out of receiving pitches in the future. As it says in Article 7, “the data subject shall have the right to withdraw his or her consent at any time.” This can be tricky for PR agencies, which may have dozens or even hundreds of media lists where John and his contact info exist. If John is on all of these different lists across teams and offices, how can you be sure that everyone will know not to pitch him? Having a centralized PR CRM, where all of your contacts live in a single database, is critical to being able to track and control opt-outs.
How Propel addresses it: using Propel, you have the option to provide reporters with a link at the bottom of each pitch that says “I don’t want to receive pitches.” If the reporter clicks on it, he can decide to opt out of all pitches related to that client, all pitches related to that topic/beat, or all pitches from the agency overall. Once a reporter opts out, Propel will freeze them out of the appropriate media list(s) so your team members won’t accidentally pitch them. Also, if reporter John opts out of all firm pitches, and your team member Sarah does a one-off pitch to John using Gmail or Outlook, Sarah will receive a pop-up warning her that John has opted out of all firm pitches and that she should not continue.
Providing a reporter with an export of his personal data that you have
If John asks to see what personal data you have about him, you must provide him with a copy. If contact info or other personal data about John is inconsistent between media lists across your firm, because you have a new travel media list that is accurate and an old travel media list that isn’t, you would have to mine through all of these media lists to make sure you share with John all of the personal data you have on him.
How Propel addresses it: in Propel, you have a central profile page for each reporter, which means data for him is uniform across all media lists. If you receive a new email address or phone number, it is updated in the reporter’s central profile – and from there gets updated automatically in every media list. As such, you have one consistent copy of personal data for each reporter and are able to easily access and share it in a machine-readable format, through export or screen capture.
Modifying or deleting a journalist’s personal data across all media lists
If John requests that you modify his phone number, email or any other piece of personal data, you must modify it across your whole firm. Similarly, if he requests that you delete his data, you must do a GDPR-compliant permanent delete of all of his personal data.
How Propel addresses it: since each reporter’s data is centralized within their profile page in Propel, you can easily modify any information on him, which will automatically be updated in all media lists. You can also do a GDPR-compliant permanent delete of his data across your entire firm.