General Data Protection Regulation (GDPR): What you should know if you work in PR

During the month of May, you may have noticed an influx of emails from businesses asking for your consent or approval to continue receiving communications. In case you hadn't heard, the new EU General Data Protection Regulation (GDPR) law is to blame for that. It's also the reason why many companies have had to delete a plethora of users' personal data. The threat of potentially being fined up to 20 million euros is the driving factor behind the fact that companies have been shouting from the rooftops to get your attention, trying to asses who's data they can keep, modify or eliminate.

You might be asking yourself how this directly affects your day-to-day activities in PR or communication. In this article we'd like to address the topic so that, as a professional in PR, you'll walk away with a clear understanding of the legal limits affecting emails, invites, etc. and the importance of managing your contacts properly, including those of press, VIPs or influencers.

Emailing in PR: Does GDPR affect me as well?

The GDPR law affects any business that deals with personal data belonging to European citizens. This means that regardless of where you're based, whether it be the US, Japan or Argentina, you must bear in mind the restrictions this law has placed. In many cases we don't have a history of where our data came from, which means we're lucky if we even know what language the contact speaks. If you have a considerably large database, you must face that fact that it's impossible to control 100% of the information you have on your contacts.

Therefore, if your marketing and communications department handles a long contact list of journalists, influencers or partners–but no information on how you got those contacts or where they originated–you must heed the GDPR restrictions, even if you're not in the EU.

One of the demands this new law places on businesses is related to the "control" of personal data. In other words, as companies we are expected to know what type of data we're storing, how, when and why we're doing it, as well as guarantee that this data can in no way be filtered out or lost. This means that when dealing with or creating Excel sheets, Spreadsheets in Google Drive, lists in Word, etc. they need to be controlled extremely well; especially because they are delicate systems in which you can easily lose or misorganize information.

Now that you know this, we're sure you'll understand why the answer to the above question is a resounding "yes"–even if you work in PR and your day-to-day activities have nothing to do with the legal or email marketing departments. Remember to bear these restrictions and demands in mind in order to follow the GDPR law when handling personal data and communications with your contacts.

Emailing as a Journalist: Can I keep contacting them and storing their data within our fashion or lifestyle communications department?

A journalist's database obviously involves collecting and dealing with personal data belonging to other professionals in the field, which the GDPR law also affects. It would do no harm to send an email to a group address like editorial@media.com since, in this case, you're addressing a media team and not an individual. Yet, when dealing with any contact in your database with a first and last name, and email address (even if it's their work email), the GDPR law comes into play.

There are three options or alternatives that your company can consider when facing this situation:

• Resort to an external database: there are external database providers that can relieve you of any potential headaches related to getting your contacts' consent. Working with one of these service providers means you'll be playing it safe, as they are the ones that would be responsible for any mis-treatment of personal data. On the other hand, using tools connected to a professional community of journalists (such as GPS Radar) can also be a great way to ensure GDPR compliance while contacting other journalists–correspondence on such a platform also feels more natural.
  .
• Carry out a strategy to get consent: The best thing to do–if you have your own database–to be 100% sure that you're respecting the GDPR restrictions, is to get consent from your contacts so you can continue storing their personal data and send them communications. Consider a progressive strategy in which you email all of your journalist contacts individually asking for their consent, or directing them to a page where they can give consent in one click, like the examples you'll see below by Stradivarius or Bershka.
  .
    .
• Take advantage of the "legitimate interests" legal basis: Many companies are now using the "legitimate interests" exception to justify interactions, such as ones between communications departments and journalists. The "legitimate interests" exception doesn't require that your contacts give consent for you to store of their data or to send them communications, as long as the communications involve "transmitting information within a business scope" and that it be of interest to the receiver when it comes to their professional life. This exception is quite ambiguous and it's up to your company to decide if it's worth putting to use, based on the types of communications you plan on sending out. Just make sure that if you end up jumping on the "legitimate interests" bandwagon, you ONLY send your contacts information that will benefit them when it comes to their journalist-related work and that it has zero commercial interest.

Managing contacts: 3 rules to help you get organized

The new regulation not only demands that companies manage communications responsibly and respectfully, but that they have a strict control of personal data. This means knowing exactly what type of personal information you're storing, having a register of consent from your contacts, and constantly updating and controlling your database.

That's why having a digital tool that helps you centralize all personal data (including that of journalists, influencers, VIP contacts, etc.) is imperative as of now, to help you meet the demands of the GPDR law.

Wondering how you should organize your contacts from now on? Here are three ways:

1. Based on their consent: you'll come across temporary contacts (those who you invite to an event and after said event, you delete because you don't have their consent to keep their data) or permanent ones (those who have either given consent or are contacts that fall under the "legitimate interests" exception).
2. Based on their activity: The GDPR regulation establishes an obligation that, up to now, was ignored by many companies. It requires constantly controlling your database and this is when having a clear register of your contacts' activity is fundamental. When it comes to press contacts, it's quite common for high turn-over in media companies (journalists who leave or move to another department, etc.), which is why using a database system in which you can use "activity" filters (e.g. whether they've clicked on any of your communications within the past couple of years), will be key to staying ahead of the GDPR game.
3. Based on typology: careful with the type of personal information you store because it must be justifiable. This means you must avoid storing details such as sizing, unless your relationship with this contact involves sending them samples of garments or accessories they would wear. Be careful with any notes on their marital status, nutritional needs or even birthdays, because as of now, they must be justifiable, and if they are, using personalized fields in your contacts management tool will help you quickly find this type of information.

Make it easy for users to unsubscribe, modify data or read the privacy policy.

This new EU regulation also involves specifications regarding communicating the right to "unsubscribe", or to be deleted from the company's database. This must be present on every piece of communication that your fashion, luxury or cosmetics marketing and communications teams send out from now on. That's why it's fundamental that when you send out mass emails –whether they be press related, event invites, product launch announcements, etc. – through an automated tool (CRM, email marketing platforms, etc.) you include links to your privacy policy, the unsubscribe, and "modify data" pages.

There are emailing tools that automatically provide landing pages in which users can easily ask for their data to be eliminated or modified.

Make sure to include access to these landing pages at the bottom of your emails or to use a system that automatically integrates these links.

When it comes to emailing in PR or communications, there is always an overhanging doubt: Can I send emails from my personal email address? The answer is "yes", as long as they are of personal or even professional nature, are not part of a mass send-out, and don't involve storing personal data; in which case you don't need explicit consent.

Establish a protocol for data elimination

Another point that GDPR addresses is the user's right to access all personal data stored by a company. If you were to receive this type of request from a contact, you would need to be as quick as possible as the law establishes a 72-hour timeframe for providing this type of information.

In any case, if you receive a request from a contact to be removed from you database, you have up to 72 hours to do delete all information related to this user. Remember, as we pointed out before, it's highly recommendable to centralize all of your contacts' data in a system that is able to offer you the agility you need to deal with personal data.

Feel free to browse through the slideshare below which includes points that you should bear in mind when using contacts management tools that make your life easier with the new GDPR law.

As you can see, GDPR is not something that is only pertinent to your legal or email marketing departments, rather something that all PR professionals must be aware of when performing day-to-day tasks. If you still have any doubts about emailing in PR, we recommend you check out our guide: PRLike a Pro: Emailing Do’s & Dont’s for Fashion, Luxury & Cosmetic Brands.And, don't hesitate to leave a comment below!

* While the content of this article is designed to help PR teams understand the impact of GDPR for their day to day business activities, the information contained herein may not be construed as legal advice and you should consult with your own legal counsel with respect to interpreting your unique obligations under the GDPR law and the use of a company’s products and services to process personal data.