Friday 24 Nov 2017

When GDPR Comes Knocking, will you have the Answers? Honestly?: GDPR Part II-2

So GDPR is looming like a big, badly understood beast. Feeling helpless? Don't. We have some simple steps for your team to follow to cast away doubt, increase general understanding and turn that beast into a baby who's actually very friendly if you treat it right...

To read our previous post on this please click here

PLEASE NOTE - NOT LEGAL ADVICE

What Can I do? 

In our previous post we suggested that communications teams would do well to ask themselves some questions about who they communicate with, what these people expect you to do with their data, and whether your use and storage of that data lives up to those expectations.

The 4 Key Questions

Once you have come up with a statement of expectation for each group you hold data on, the next thing to do is ask some very specific questions. Note that the aim of this exercise is to think about and honestly question your working practices. It is to assess the privacy risk surrounding the people you store data on; it is not to assess the risk of your company being prosecuted under GDPR by any of these people. This is a very important and subtle point. If you are looking to defend rather than assess your working practices, you'll end up skewing the whole thing.

Here's another way of looking at it. Restaurants have to have a certificate of hygiene before they are allowed to serve you food and that's a good thing. If restaurants only had to show something if someone made a complaint, then you can bet that they would be a lot less thorough about their standards. They'd be more able to 'play the odds' and think "what's the chance of someone getting sick and making a complaint?". It's the same with GDPR. Come up with the data protection equivalent of a hygiene certificate to hang with pride upon your wall and two things will happen. Standards will improve and you will therefore be complying with the whole spirit of GDPR. Win win. 

So, let's get started. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Question #1 Can You Show Where You Got Your Data From and How you Use it on an Ongoing Basis? 

Here's the Legal Bit

Article 5(a) says that "personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')". The simplest way to read this is to say "It's lawful to hold and use this information if you have the consent of the person to use this information". So now we need to have a look at how we have collected the data we currently store and use, in order to assess whether it has been processed lawfully.

Here's the Practical Bit

Let's take journalists as our main group of people we hold data on. So that massive Excel spreadsheet that you have on the shared drive: where did those contacts come from? Here are some possible answers:

A contact database (such as PRgloo, Gorkana etc). Your contact database provider should be able to show how they comply with the above GDPR requirement, and please do ask for this information. Happily, journalists often put themselves under a special consent condition which states that if the person makes their personal data manifestly public, then this is in effect them giving consent to have their data used; but this is not always the case, so do ask to see your provider's statement on GDPR. Oh, and you can't just leave it at "oh, they collect it lawfully" either. You have to show that YOU are also using it lawfully, i.e. you're not using it to sell on to insurance companies etc. Please see Article 9(2)(e), conditions for special categories of data: "Processing relates to personal data manifestly made public by the data subject".

Your own black book of contacts. You're in communications for a reason, and that reason is that you like to communicate with people. Hence you'll have contacts you want to communicate with. However, can you show where you originally sourced these contacts from? Are they even still up to date? Perhaps you have an email from them somewhere in your inbox discussing meeting for coffee, but this is not one of the best ways of showing ongoing consent, especially when you share this information with others in your team.

They asked you for something. If they asked you for information and you provided it to them, then that's great; but unless you can show when and how they asked for this information, it is again difficult to show consent.

Potential Risks: The fact is, if you can't see where you got your data from and why you collected it in the first place, you are less likely to know how and why consent was given. And if you don't know why it was given (e.g. "keep me posted on all US news" as opposed to "let me know about any good story") then you are less likely to be treating the data in accordance with the journalist's expectations.

Potential Solution: One of the easiest ways to show where you got these contact details from is to have a CRM system which integrates with your contact database. This way you can easily show all of your interactions with each journalist, including why you started contacting them in the first place and how you have continued to use their data. You may still get it wrong and end up sending emails to people you shouldn't have, but at least you'll be able to see the issue and easily rectify it. That is something you can't do with a spreadsheet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Question #2 Can you show you had a valid reason for collecting this data?

The Legal Bit 

Article 5(b) states that "personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;" and Article 5(c) states that "personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

The simplest way to read this is to say "Ensure all data is collected for a reason, make sure that reason is damn good, and make sure you don't store anything but what you need to fulfil that damn good reason".

The Practical Bit

Good news! You guys are way too busy to store information on people you don't want to communicate with. So in practice we would say that most PR teams ace this requirement. Who's got time to stuff a mushroom, right?

The Potential Risk

As we mentioned above, however, if you can't easily show where your data came from, then showing that you collected it for a specified, explicit and legitimate purpose (as opposed to, say, buying in a list of journalists from a dodgy site) is going to be difficult. Similarly, if you can't easily show all the data you store on someone (comments about meetings with them, notes on events they have attended etc) then again you're at risk.

Just like with the hygiene certificate for the restaurant: you may in practice have fantastic standards, but unless you can show where you sourced your food, what its expiry date is and how you store it, you're not gonna get that certificate.

That's it for now! 

Tune in next week for our final installment covering ...

  • Question #3 Can you show how you are keeping your data up to date and not storing it past its 'sell-by date'?
  • Question #4 Can you show how safely you are keeping your data? 


Further Reading

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/  
