Data Protection and GDPR Statement
PRgloo is both a processor and a controller of data.
Data Processor: When customers add contacts into their PRgloo platform, and proactively mark these contacts as ‘media’ as opposed to ‘Media Private’ or some other available tag, then PRgloo’s research team are provided with visibility of these contacts (name, email, organisation, mobile, phone number, job title) to research and validate for inclusion in our central contacts database called Gloo Influencers. In this way we are a processor of data on behalf of the customer.
PRgloo is also a Data Controller sourcing and updating personal data on journalists and government officials for use by our customers. This is made available within the module called ‘Gloo Influencers’.
The purpose of Data Processing by PRgloo is to provide customers with personal data on Journalists from the UK, EU and globally so that targeted communications can be sent to them in line with the wishes of the data subjects, namely that they be sent targeted news so that they can perform their professional functions. The data processed from our customers is available for the exclusive use of our customers.
We comply with the following GDPR principles:
- Article 5(a): “processed lawfully, fairly and in a transparent manner in relation to individuals” PRgloo will review all submissions made by customers to see if the contact is a current member of the media and to see what personal information is available about them online. We will also research publications and journalists independently of customer suggestions in order to expand our contact database. Only publicly verifiable information about the data subject will be used in the Gloo Influencer module which is seen by all customers (any other information collected by the customer but not verifiable online – such as a personal email address or mobile number – will remain visible to the customer but to no one else in PRgloo). Note: our researchers always document the sources where information about the data subject was found online. This complies with article 9(2)(e) Conditions for special categories of data where – “Processing relates to personal data manifestly made public by the data subject” in order to establish consent and therefore the lawfulness of the processing. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the Gloo Influencers database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency.
- Article 5(b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” PRgloo’s Gloo Influencers Module is built in order to provide our customers with an up to date database of journalists, media outlets and government officials who are interested in receiving news and information from organisations.
- Article 5 (c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;” PRgloo will only store information on data subjects which will assist and improve the above mentioned legitimate purpose. We do not store information (even if it is publicly available) which does not help with this purpose. We will (for example) provide information on the type of stories the data subject is interested in and the region in which they operate so that they will be able to receive targeted communications which are of interest to them.
- Article 5 (d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;” PRgloo monitors the Twitter accounts of data subjects within the Gloo Influencers module. Where changes are made, our research team will review their data to make sure that they have not moved publications, changed subject areas, or moved out of journalism altogether. PRgloo also monitors email bounce backs and customer feedback with all issues being dealt with within 3 working days. In this way we ensure that data is kept up to date and relevant.
- Article 5 (e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” Data subjects who no longer fit the criteria for inclusion in Gloo Influencers are marked as ‘no longer in journalism’ and much of their personal data (email, phone, mobile, topics of interest, geographic reach) is wiped from the system to ensure they are not contacted by accident. After a period of 6 months, these data subjects are deleted completely.
- Article 5 (f) “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” This data is securely held and processed using methods outlined in related policy documents such as the Information Security Policy, with all the data residing in the EU region.
- Measures taken to protect data are documented in the PRgloo Information Security Policy. PRgloo make every effort to protect customer data from unlawful or unauthorised processing, accidental loss or damage.
- All PRgloo staff have background checks to ensure their suitability to work with customer data and are only granted access when necessary to perform their tasks. All staff are made aware of their customer and data protection responsibilities and sign confidentiality agreements as part of their employment contracts. Regular training is provided to staff on the latest security issues and compliance requirements.
- All customer data is held securely in facilities which operate under ISO 9001 and ISO 27001 / 27018 standards. Regular audits and reviews are conducted to ensure the standards are maintained in all facilities utilised by PRgloo.
- If PRgloo become aware of data breaches of personal data, we will notify the Data Controllers without delay. Where applicable PRgloo will maintain logs and audit trails to support the remedial action required during a breach.
- Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” PRgloo’s researchers document where information on the data subject was found, which is available to any customer or data subject on request. In addition, PRgloo have an appointed Data Protection Officer (DPO) to ensure ongoing compliance with GDPR. The task of the DPO is to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the regulations, to monitor compliance with the regulations and to provide staff training.
Q: Does PRgloo have an effective process to identify, report, manage and resolve any personal data breaches?
A: Yes, we have an internal process to identify, report and resolve personal data breaches of that data which we control and that data which we process.
Q: Does PRgloo have a process to routinely and securely dispose of personal data that is no longer required in line with agreed timescales?
A: Yes. We do this for data we control (journalist, customer and sales leads) and data which we process (journalist data from the customer).
Q. Does PRgloo have a process in place to meet the GDPR reporting timeframe for breaches?
A. All breaches are reported to the affected parties within 2 hours of discovery and to the ICO within 72 hours.
Q. At the end of the contract what will happen to the data processed by PRgloo?
A. PRgloo does not hold processed data and this is due to the special way in which we use the data. When a customer logs an interaction with a journalist who is not in our contact database, they can choose to submit that person for addition into our contact database. At this point, PRgloo becomes a processor of that data. Once received, PRgloo's researchers will then go and find all publicly verifiable information about this person. Whatever they find, they then add to the central contact database (for which PRgloo is the data controller). Any non-verifiable personal data stays within the customer's section of PRgloo and they are then responsible for its upkeep and the customer is then the data controller. At the end of the contract the customer can then download all their data.
Q. Does PRgloo have a process for obtaining consent and processing data?
A. We comply with article 9(2)(e) Conditions for special categories of data where – “Processing relates to personal data manifestly made public by the data subject” in order to establish consent and therefore the lawfulness of the processing. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the Gloo Influencers database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency without having to obtain consent from the data subjects in advance.
Q. Does PRgloo make sure data is kept in a simple format which is easy to understand by the general public in the event the data is requested via a subject access request?
A. Yes. Within the platform you can click a 'Subject Access Request' button which exports a Word document outlining all the customer's interaction with this contact together with all the data held on this contact by PRgloo and the customer combined.