The incoming GDPR regulation is causing all European businesses to reexamine their data management practices. What impact will that have on PR, communications and media relations? Amy Sandys investingates

Published in 1995, the Data Protection Directive was a product of its time. A way to respect individual data privacy while allowing free movement of data within the EU, the directive was a response to the rapid technological advancement of the 1990s – an era in which Finnish telecommunications firm Nokia led the market in global sales of mobile phones, the release of Windows 95 saw computers become widely available and the universal World Wide Web welcomed in a new age of communications. Times, however, have changed. Now, with instant messaging, artificial intelligence, virtual reality and app-based data sharing integrated into everyday life, the paradigmatic directive of 1995 is no longer fit for purpose.

With global immediate access to mobile communications and the internet, companies have become reliant on personal data for digital marketing and communication strategies. As a response to such shifts, the General Data Protection Regulation (GDPR) comes into force in May 2018. Replacing the Data Protection Directive, the GDPR is blanket legislation which aims to improve transparency and security for the use of personal data by all organisations in Europe. Yet, where the Data Protection Directive was contingent on individual government implementation, GDPR extends across all nation-states – in Britain, GDPR will be enforced regardless of Brexit.

“One of the main changes with GDPR is it’s a regulation, not a directive, unlike the 1995 act,” says Dr Andreas Splittgerber, partner and technology and privacy lawyer at the Munich office of global law firm, Reed Smith. “It’s a big change to have these same rules across Europe – GDPR applies to all organisations based in Europe, even if it’s just two people in an agency.”

Despite its European roots, the directive also applies to non-European organisations that sell products or services to Europeans. This includes international internet platforms based outside of Europe, such as Facebook, Google, or popular Chinese e-commerce platform, Alibaba. Yet, while the implications on B2C platforms is stark – clearer use of cookies, the need for permission for inclusion on marketing lists – there is increasing disquiet around the implications of GDPR on communicators, including public relations professionals and journalists.

For Amy Smith, PR and communications manager at digital marketing service MVF Global, the data-heavy nature of PR work means it is imperative for PR organisations to be knowledgeable about GDPR and its implications. “At first glance PRs might think the GDPR is only a concern for lawyers or marketers,” says Smith. “But running surveys, conducting market research, gathering consumer data and managing email databases are all fairly commonplace in our world; all these things mean collecting and storing data.”

One of the biggest changes facing PRs and journalists, adds Splittgerber, is justification. Where the previous DPD also covered ‘proportionality’ insofar as it considered the adequacy and relevance of collected information, a main focus of GDPR is on consent and purpose behind data sharing. “On PR and press, something organisations must be aware of is the basic principle of the justification of processing,” says Splittgerber. “If a brand sends a newsletter, it’s justified to have the email address if the person consented. If you book an airline ticket the airline can process your bank information and name and birthday, that’s in the contract – another justification. But in this area of brand, social media and PR, a lot of information is taken from public sources. Usually there’s a justification to do this, but just because it’s available it doesn’t mean everyone can use it.”

Splittgerber says a good a rule of thumb is to ask, “Why was this content published?” If the answer is to communicate personal information with the expectation to be used in business, or by companies for business-related purposes, then data use is justifiable. If it’s simply taken from a personal account where the owner has no intention for their data use in brand communications, however, data collectors must think twice – the consequences could be hugely financially detrimental. “With the levels of fines at 4% of global turnover or €20m, whichever is higher, no business can really afford not to comply,” says Julian Saunders, CEO and founder of data management and GDPR compliance company PORT.im. But, for Saunders, money is not the motivation behind implantation of GDPR. “The legislation hasn’t been written so the Information Commissioner’s Office (ICO) can fine people an enormous amount of money,” he says.

“It’s been written so businesses understand that it’s the way the future’s got to work if we’re going to trust our digital data.”

“There’s almost nothing more sensitive than the relationship between a brand and its customers around the data it holds and how it uses that data. Some of that data can be very intimate”

GDPR is applicable to anyone handling the personal data of EU citizens, including the employees internal to an organisation; everyone will become a ‘data subject.’ With transparency, justification and compliance at the forefront of the projected changes, the legislation also has the potential to consolidate relationships between all data-sharing subjects. Pertinently, this includes enhancing trust between brand and PR agencies, and their customers or clients. “There’s almost nothing more sensitive than the relationship between a brand and its customers around the data it holds and how it uses that data,” says Saunders. “Some of that data can be very intimate, and people are really worried about how that data can be used. If it’s misused, trust can be lost at phenomenal speed. If it’s respected, and it’s shown to be respected, trust can be gained.”

For Saunders, a key part of establishing deeper trust is how GDPR will make compliance visible – no longer is a hidden sheet of guidelines sufficient to cover business data usage. “There’s a move away from this idea that there’s one set of terms and conditions that allows a company to do anything with your data. GDPR keeps it very specific – asking small amounts of data for very specific purposes and expanding on that,” says Saunders. This clarity of purpose should help build a better relationship between brands and people based on trust and a common understanding of data usage, rather than resignation. Smith agrees, “GDPR is going to be a real win for companies looking to gain consumer trust,” she says. “Compliance and expertise in data protection is going to be a new USP for any business that is data-driven, and that’s definitely how MVF is thinking about GDPR.”

However, continues Smith, communicators need to be aware that new regulations change how data is gathered, processed and stored. “In this digital world, that applies to almost every industry,” says Smith. “PRs need to get familiar with all the changes the new regulation is putting in place around consent, transparency and consumer rights to keep up their expertise on copywriting, content development and campaigns for their brands and clients.” If implemented efficiently and correctly, GDPR will aid the oft-fragmented relationship between brands and customers by allowing consumers to regain control of their data. But, says Rob Bownes, founder of London-based PR agency Old Street Communications, part of this change is bound up in the potential for a few uncomfortable truths about where exactly data is stored. “GDPR might create a fright factor,” Bownes says. “How many times have you signed up to something, only to receive emails asking if you want x, y and z? People don’t like that because they wonder where their data has gone. But if you regain control of your data, you regain control over how the company behaves toward you.”

There will be challenges in the detail of GDPR, from communicating its benefits to compliance and implementation. Saunders, however, is optimistic. “GDPR is definitely not something to be scared of,” he says. “We know the objectives and we know the spirit of GDPR so the long-term objectives are fantastically good, for both businesses and people.” And starting from January, the EU itself is funding a Europe-wide public relations initiative which aims to inform the general population about the challenges, implications but ultimately benefits of the GDPR.

For Saunders, this forward planning is key to the legislation’s successful implementation.
Because of the impact the regulations will have on improving trust between businesses and between consumers and brands, GDPR may pave the way for more positive relationships in the future. “Businesses with good value propositions for the future will quickly learn that GDPR could be fantastic for them,” Saunders says. “In fact, it could be one of the best things that’s ever happened.”

GDPR may be complex but it’s a great opportunity
Julian Saunders, CEO and founder of data management and GDPR compliance company PORT.im, discusses how GDPR will usher in a near era for the communications industry

Broadly, GDPR covers how data is collected, managed, stored and analysed. Among the changes, people can now request for their data to be sent to them, amended or completely deleted. They also need to explicitly consent to receive marketing communications and can revoke this permission at any time. Crucially, these rules cover both customer communications and business to business.

A little known aspect of GDPR is how it will impact the relationship between journalists, PR specialists and the wider communications industry. Currently, journalists are inundated by unsolicited contact from press office teams and agencies. This contact can range from phone calls pitching story ideas and potential interviews to emails offering commentary and press releases.

The big question is whether these messages constitute a service message or pure marketing material. If it is the latter, then, technically GDPR is in play. PR specialists will need to gain consent to contact journalists and, if requested, would need to delete the journalist’s information or risk a fine. It is easy to imagine a world where journalists will exercise their rights aggressively.

This development could have a number of consequences. It will compel the PR industry and internal press office functions to invest in data management technology. For journalists, it would put an end to them receiving mass ‘spam’ mail-outs, hopefully, raising the general quality of communications.

Of course, it could be that GDPR does not cover the PR industry’s dealings with journalists. If that is the case, the PR industry may be strengthened. Confused? I’ll explain. Many organisations will, when they implement data management technology to become GDPR compliant, save a lot of money on traditional methods of marketing communications through increased effectiveness and a single customer view. Due to the ease at which customers can revoke consent, they will also need to be more careful with the frequency of messages they send. In some cases, there could be a chilling effect where some brands limit their traditional marketing.

Putting these factors together and the risk/reward profile of PR, it may be that PR is viewed as a much more important channel of communication. With budget freed from marketing function, more money could flow into the industry.

For more from Communicate magazine, follow us on Twitter