Monday 1 Jul 2019

Privacy Statement & GDPR

If you are a journalist, please click here

Data Protection and GDPR Statement

PRgloo is both a processor and a controller of data.

Data Processor: When customers add contacts into their PRgloo platform, and proactively mark these contacts as ‘media’ as opposed to ‘Media Private’ or some other available tag, then PRgloo’s research team are provided with visibility of these contacts (name, email, organisation, mobile, phone number, job title) to research and validate for inclusion in our central contacts database called Gloo Influencers. In this way we are a processor of data on behalf of the customer.

PRgloo is also a Data Controller sourcing and updating personal data on journalists and government officials for use by our customers. This is made available within the module called ‘Gloo Influencers’.

The purpose of Data Processing by PRgloo is to provide customers with personal data on Journalists from the UK, EU and globally so that targeted communications can be sent to them in line with the wishes of the data subjects- namely that they be sent targeted news so that they can perform their professional functions. The data processed from our customers is available for the exclusive use of our customers.

We comply with the following GDPR principles:

  1. Article 5(a): “processed lawfully, fairly and in a transparent manner in relation to individuals” PRgloo will review all submissions made by customers to see if the contact is a current member of the media and to see what personal information is available about them online. We will also research publications and journalists independently of customer suggestions in order to expand our contact database. Only publicly verifiable information about the data subject will be used in the Gloo Influencer module which is seen by all customers (any other information collected by the customer but not verifiable online – such as a personal email address or mobile number – will remain visible to the customer but to no one else in PRgloo). Note: our researchers always document the sources where information about the data subject was found online. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the Gloo Influencers database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency. Please see later section on Lawfulness for more information. 
  2. Article 5(b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” PRgloo’s Gloo Influencers Module is built in order to provide our customers with an up to date database of journalists, media outlets and government officials who are interested in receiving news and information from organisations.
  3. Article 5 (c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;” PRgloo will only store information on data subjects which will assist and improve the above mentioned legitimate purpose. We do not store information (even if it is publicly available) which does not help with this purpose. We will (for example) provide information on the type of stories the data subject is interested in and the region in which they operate so that they will be able to receive targeted communications which are of interest to them.
  4. Article 5 (d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;” PRgloo monitors the twitter accounts of data subjects within the Gloo Influencers module. Where changes are made, our research team will review their data to make sure that they have not moved publications, changed subject areas, or moved out of journalism all together. PRgloo also monitors email bounce backs and customer feedback with all issues being dealt with within 3 working days. In this way we ensure that data is kept up to date and relevant.
  5. Article 5 (e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” Data subjects who no longer fit the criteria for inclusion in Gloo Influencers are marked as ‘no longer in journalism’ and much of their personal data (email, phone, mobile, topics of interest, geographic reach) is wiped from the system to ensure they are not contacted by accident. After a period of 6 months, these data subjects are deleted completely.
  6. Article 5 (f) “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” This data is securely held and processed using methods outlined in related policy documents such as the Information Security Policy, with all the data residing in the EU region.
    1. Measures taken to protect data are documented in the PRgloo Information Security Policy. PRgloo make every effort to protect customer data from unlawful or unauthorised processing, accidental loss or damage.
    2. All PRgloo staff have background checks to ensure their suitability to work with customer data and are only granted access when necessary to perform their tasks. All staff are made aware of their customer and data protection responsibilities and sign confidentiality agreements as part of their employment contracts. Regular training is provided to staff on the latest security issues and compliance requirements.
    3. All customer data is held securely in facilities which operate under ISO 9001 and ISO 27001 / 27018 standards. Regular audits and reviews are conducted to ensure the standards are maintained in all facilities utilised by PRgloo.
    4. If PRgloo become aware of data breaches of personal data, we will notify the Data Controllers without delay. Where applicable PRgloo will maintain logs and audit trails to support the remedial action required during a breach.
  7. Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” PRgloo’s researchers document where information on the data subject which is available to any customer or data subject on request. In addition, PRgloo have an appointed Data Protection Officer (DPO) to ensure ongoing compliance with GDPR. The task of the DPO is to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the regulations. To monitor compliance with the regulations and to provide staff training.

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. PRgloo uses “(f) Legitimate interests”

 (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Legitimate Interests

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

There are three elements to the legitimate interests basis.

  • identify a legitimate interest; Journalists want to receive news. They make their contact information publicly available so that news can be emailed to them or communicated to them via the phone. PRgloo collects this publicly available information and makes it available to communication professionals only. We therefore believe we have a legitimate interest for processing this data and making it available to communication professionals
  • show that the processing is necessary to achieve it; In order for communication professionals to communicate with journalists, they need to know their professional contact details (name, job title, email address, phone number) and where possible some information regarding the sort of news which would be of professional interest to the journalist.
  • balance it against the individual’s interests, rights and freedoms. The journalists within the PRgloo platform have all made it clear that they wish to be contacted about tailored news and information by publicly stating this via publication contact pages, via their professional websites, via social media or via direct contact with PRgloo. We therefore believe that this is strongly in the interest of the data subject in their professional endeavours and one which would accord with the expectations of this category of data subject.

PRgloo and Necessary Processing

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data. It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.

In order to supply journalists with information with which to write stories, it is necessary to store contact information (name, email, phone number) along with details of what they are interested in receiving (from social media, their job title, their author profile page on their publication website etc).

PRgloo and the Lawful Principle

  • Who does the processing benefit? The data subject who needs news stories to perform their professional role and expect this information to be communicated to them
  • Would individuals expect this processing to take place? Yes, which is why they make their professional contact details available online
  • What is your relationship with the individual? PRgloo will have a minimal relationship with the data subject. Our customers will have an ongoing relationship with a subset of the data subjects we control.
  • Are you in a position of power over them? No
  • What is the impact of the processing on the individual? To receive information which will help them perform their professional duties
  • Are they vulnerable? No
  • Are some of the individuals concerned likely to object? Only if they are sent badly targeted news which they are not interested in. Because of this we attempt to gather as much publicly available information on the type of stories they publish so that our customers can make informed choices.
  • Are you able to stop the processing at any time on request? Yes, data subjects can opt out of receiving information from any customer and from being included in the central contacts database

PRgloo and Fairness Principle

Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

PRgloo deals only with journalists and only processes information made publicly available by the journalist for this purpose. A typical example would be storing the data held on the ‘contact us’ page of the publication website or information made available on the contact’s twitter handle (often in the form of “got a story – email me today”). The data is only made available to communication professionals who aim to send news to these individuals as expected by the journalists.

PRgloo and the Transparency Principle

Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important - as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’. You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

In PRgloo every email communication with the journalist comes with a link to the customer’s privacy and GDPR policy plus a link to unsubscribe with one click.  Each customer has the ability to respond to a subject access request to show all the data currently stored on each individual data subject. PRgloo also publishes their GDPR statement and provides the ability for a contact to have their details permanently removed.

Common Questions 

Q: Does PRgloo have an effective process to identify, report, manage and resolve any personal data breaches?

A: Yes we have an internal process to identify, report and resolve personal data breaches of that data which we control and that data which we process. 

Q: Does PRgloo have a process to routinely and securely dispose of personal data that is no longer required in line with agreed timescales?

A: Yes. We do this for data we control (journalist, customer and sales leads) and data which we process (journalist data from the customer). 

Q. Does PRgloo have a process in place to meet the GDPR reporting timeframe for breaches?

A. All breaches are reported to the affected parities within 2 hours of discovery and to the ICO within 72 hours

Q. At the end of the contract what will happen to the data processed by PRgloo?
A. PRgloo does not hold processed data and this is due to the special way in which we use the data. When a customer logs an interaction with a journalist who is not in our contact database, they can choose to submit that person for addition into our contact database. At this point, PRgloo becomes a processor of that data. Once received, PRgloo's researchers will then go and find all publicly verifiable information about this person. Whatever they find, they then add to the central contact database (for which PRgloo is the data controller). Any non verifiable personal data stays within the customer's section of PRgloo and they are then responsible for it's upkeep and the customer is then the data controller. At the end of the contract the customer can then download all their data. 

Q. Does PRgloo have a process for obtaining consent and processing data?

A. We comply with article 9(2)(e) Conditions for special categories of data where – “Processing relates to personal data manifestly made public by the data subject” in order to establish consent and therefore the lawfulness of the processing. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the Gloo Influencers database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency without having to obtain consent from the data subjects in advance. 

Q; Does PRgloo make sure data is kept in a simple format which is easy to understand by the general public in the event the data is requested via a subject access request?

A. Yes. Within the platform you can click a 'Subject Access Request' button which exports a word document outlining all the customer's interaction with this contact together with all the data held on this contact by PRgloo and the customer combined.