Why choosing the wrong PR agency could cost your company €20M

You probably know what the GDPR (General Data Protection Regulation) is. If you don't, the simple version is that it's a new set of data protection regulations that come into effect on May 25, 2018. 

By Richard Stone

It covers everyone who controls or processes the data of EU citizens. It does not matter where that data is stored, so you can’t escape its clutches by saying your servers are in the US, and it does not matter whether you actively use that data or not.

Similarly, it does not matter if you are only processing data stored by a third party, such as your parent company or, crucially, a PR or marketing agency.

If you are found to be in breach of the GDPR it could cost €20M or four per cent of global turnover. That's a lot of pennies.

Why is GDPR relevant to PR?
If you employ a PR agency, that PR agency must create lists of journalists, bloggers or influencers to do its job. Most PR agencies would then contact that list on your behalf in some way.

Many agencies rent these lists from a third party, such as Ghorkhana, MediaAgility, DW Publishing or Vocus. However, many agencies also create their own lists in Excel spreadsheets or Outlook. Or on the back of cigarette packets or restaurant menus, in some cases.

The problem with not using a reputable third party is that the agencies that make their own lists invariably don’t contact everyone on those lists to ensure the person listed wants their data to be used. In contrast, organisations such as Ghorkhana, MediaAgility, DW Publishing and Vocus do exactly that and are then clear about how that data will be used.

The key here is that, if you have a PR agency and that agency doesn't use a reputable data provider, or make regular phone calls to check that the people on their lists want to be there, you can be fined. Not just the agency.

How do I mitigate for this risk?
You should ask your PR agency:

1, Do you build your own media lists or use a third party to create them?

2, If you create your own media lists, how do you build them? Has everybody on that list explicitly consented to be on it, either directly to you or to a third party?

3, Does everyone on that list have the chance to remove themselves from it? Is it as easy to remove themselves as it was to join the list?

4, Do you build any other kinds of lists? For instance, individuals at trade bodies or individuals with high levels of social media influence? Have these people consented to be on the list and can they remove themselves?

Red flags in the answers you receive might include the phrases, ‘looking on the magazine’s website’, ‘we just know them’ or, worse case scenario, ‘we keep all their details in Outlook and they’ve just always been there’. However, don’t worry if your agency sends you reports in Excel, as .PDFs or even in Word – it’s not the reporting format but the methodology that counts.

Profiling and GDPR
You should be aware that, even if a PR person only stores profiles on the journalists he or she works with, including background, contact details or preferences for instance, the PR person still has to be GDPR compliant.

This is because the GDPR is not a set of regulations for direct e-mail, it’s a set of regulations for storing data. Profiling is a method of data storage and is thus regulated.

What if my company does PR in house?
If you have a person or team working for your business that handles the company’s PR, that person or team are also covered by the GDPR. My experience suggests that teams or individuals such as this are less likely to use a media intelligence company to manage their lists.

Normally, a company that has invested in its own PR team will not have also invested in the software that the PR person needs to do their job. This sounds counter intuitive but its true. I regularly interview in house PR people who have never used a media intelligence company, a media monitoring company, any social media software or any SEO software – because they don’t have the budget to purchase it.

So, you should ask the same questions of your in-house PR team as you would ask of an agency.

Is Stone Junction a GDPR compliant PR agency?
Like every other business in the UK, we are currently readying our normal business processes, such as HR, payroll and IT for the GDPR – and we’ll be ready by the May 25, 2018 deadline. But the PR services that we sell to clients are all already compliant with GDPR.

So, if you are working with us already – everything is fine. If you aren’t working with us already, you know who to call.

Richard Stone

Stone Junction is a cool technical PR agency based in Stafford. We work for all sorts of businesses, with a particular focus on technology, technical and engineering companies. We like being sent cake and biscuits by clients, journalists and prospects.

No comments: