The General Data Protection Regulation (GDPR), a new law aimed at giving European Economic Area (EEA) residents more control over how organisations use their data, comes into effect on 25th May 2018, introducing severe penalties for organisations that fail to comply, and for those that suffer data breaches.
Data protection has never been so topical. With ongoing (and very public) controversies surrounding Facebook and Cambridge Analytica’s alleged manipulation of personal data, and with 25th May just around the corner, organisations across Europe (and the world) are grappling with GDPR compliance and data protection issues more broadly. Many communications professionals are still getting to grips with how to make sure their own practices comply with the regulation, and how to ensure they are properly prepared to protect their organisation’s reputation, should they be put under the GDPR spotlight.
FHF has created a guide to the GDPR, covering three areas:
- What communications professionals can do to comply with the regulations;
- How to be prepared for any issues or crisis situations arising from GDPR; and
- How to consider whether GDPR could or should be a thought leadership platform for your organisation.
The GDPR is a complex piece of legislation with wide-ranging implications. As well as seeking expert legal advice, we recommend referring to more in-depth information such as the UK Information Commissioner’s Office website and these helpful resources from the PRCA, CIPR, ITPro and ResponseSource.
The political context
Already the subject of political interest, the use of data is the focus of widespread international political and public scrutiny after the investigation by The New York Times into Cambridge Analytica, a UK-based political consultancy firm that harvested users’ online data on Facebook during recent election campaigns.
The UK Information Commissioner’s Office (ICO) is also conducting ongoing investigations into 30 organisations’ use of data, including Cambridge Analytica and Facebook: Theresa May has said she expects them to “cooperate fully” with questions about whether users’ personal data was taken without their consent and there is pressure on the government to be seen to protect users.
The Data Protection Bill will also pose significant challenges for business: it will incorporate European privacy rules into UK law and update the existing 1998 Data Protection Act. This includes the “right to be forgotten”, a provision protecting personal data that will enable individuals to request that companies and social media firms erase their data if there are no legitimate grounds for retaining it. Due to be passed in May 2019, this bill is separate to the introduction of the GDPR but will help implement it under UK law as well as grant more powers to the Information Commissioner’s Office.
The potential risks
With the GDPR giving consumers more control over their data and businesses greater responsibility in how they use, manage and store customers’ data, the most significant reputational risk to businesses is customer trust. Customers trust, once consent has been given, that their personal data is being processed, stored and used appropriately according to guidance laid out by the GDPR. Any indication of a business’s inability to safeguard that data and/or stay in line with the GDPR could quickly lead to a loss of consumer trust.
A knock-on effect of this loss in customer trust is a subsequent loss of confidence in a business. Organisations could lose customers as a result of this erosion of trust through non-compliance with the GDPR.
According to a recent survey by the Cloud Security Alliance (CSA), almost a third (30%) of organisations are seriously concerned about incurring GDPR-related fines. There is cause for concern as the financial impact of falling foul of the directive could be significant.
For SMEs that lack the deep pockets of large enterprises, a GDPR penalty could put them at serious financial risk. In fact, two thirds of SMEs are worried that they may go out of business within three years if they have fallen behind in their data compliance and have poor IT security.
Recommendations for communications professionals
1. What can communications professionals do to comply with the regulations?
Most organisations will need to rely on consent as the primary basis for collecting, storing or processing personal data. However, if processing personal data is central to your business’ ability to function, then you may use what is called ‘legitimate interests’ as grounds to process people’s data. Many in the PR industry agree that media relations falls under the ‘legitimate interests’ clause, and therefore PRs shouldn’t need to gain consent from reporters to use their personal data for the purposes of conducting media relations (i.e. sharing information in order to get media coverage). However, in the case of direct marketing (i.e. trying to sell things directly), consent does need to be sought.
No matter whether you are using consent or legitimate interests as the basis for controlling and/or processing data, you should consider the following steps to ensure you comply with GDPR:
- Assess what kind of personal data you and your team deal with, where and how it is stored and accessed, and what it’s used for
- Ensure your company has a written data protection policy, and that you and your team are complying with this policy
- Ensure you are properly handling personal data, e.g. encrypting media lists, storing them on a secure server etc.
- Consider taking part in training for you and your team on the do’s and don’ts of GDPR
- Ensure you have remedial procedures if something were to go wrong
- Check your contractual obligations and liability clauses (especially for third parties) – for instance, check your relationship with Gorkana – don’t assume you are covered just because you use a third-party database!
2. How to be prepared for any issues or crisis situations arising from GDPR
In a GDPR environment, where mass consumer notifications and regulatory submissions will be made very quickly, preparedness is more important than ever. To ensure that you are well placed to communicate appropriately, you should make sure you have established:
- A good understanding of the IT/technical side of the business and in particular the operational element of any PR-related cyber-incidents
- The role which comms will play in any incident response – not just in managing the reputational impact, but in supporting mass consumer notifications, social media enquiries and reactive call centres
- Strong working relationships with the relevant IT and compliance leads, with an open and honest channel of communications
- Internal roles and responsibilities with a clearly defined plan
- Criteria for assessing the potential reputational impact of incidents
- An established activation protocol to ensure the correct people are notified internally
Questions you need to be asking internally:
- What are the areas where you feel most exposed relating to the GDPR? Has there been a risk assessment of where your organisation is most vulnerable – both reputationally and operationally?
- Who are the key stakeholders/audiences for you if you need to communicate on a GDPR-related incident? For example, ICO, trade bodies, industry regulators. Who within the organisation owns the relevant relationship?
- If you were to manage a reputational issue relating to the GDPR, who are the internal people you would need to involve? Are they aware of what their roles and responsibilities will be?
- Do you have any existing messaging which you could quickly adapt to make sure you are communicating within the 72-hour deadline?
How we can help
Crisis scenario planning
FleishmanHillard is currently supporting a range of clients in preparation for the GDPR, bringing to bear our practical experience and expertise advising clients on live data breaches and cyberattacks. A scenario-planning session would see us collaborate with your legal and IT teams to ensure that the operational, compliance and communications elements are consistent and work seamlessly together.
Our support will ensure that your organisation can identify key reputational risks in relation to the GDPR, mitigate these risks through establishing processes and procedures for responding, agree the roles and responsibilities of individuals, and enable a fast, efficient response to GDPR incidents through the creation of pre-approved statements.
Live breach response
If your organisation does find itself dealing with a GDPR-related issue – from a data breach to an ICO inquiry – we have the expertise and capability to advise you.
Although our core skills relate specifically to crisis communications, we also have a deeply held knowledge and understanding of the world of cybersecurity and its associated risks. In the last five years alone, our teams have helped over 250 clients globally manage and prepare for a data breach.
FleishmanHillard is one of the only global communications agencies to have a dedicated cybersecurity practice. Led out of the US with regional leads across the globe, this function centralises and cements our cyber expertise and means we have a wide range of experience relating to cyber-attacks, data loss and leaks.
3. How to consider whether GDPR could or should be a thought leadership platform for your organisation
Although the GDPR is a ‘hot topic’ and multiple businesses will be discussing it and what it means for their industry in general, it isn’t always appropriate or necessary for your business to be giving a public point of view on the GDPR. Only companies that have something to add to the conversation should be promoting their point of view.
If your business does have a strong point of view, and will add value to the conversation, you should make sure the following are clear before proceeding:
- All areas of the business are aligned to the POV on the GDPR
- All spokespeople have had supplementary media training on the business’s stance on the GDPR and the overall regulation
- Reactive statements are approved ahead of any scheduled media interviews
For more information, please reach out to us at firstname.lastname@example.org
Appendix: About the GDPR
What is the GDPR? The General Data Protection Regulation (GDPR) is a new regulation aimed at giving EEA residents more control over how organisations use their data. It also seeks to make data protection law more consistent across Europe. The regulation comes into effect on 25th May 2018, introducing severe penalties for organisations that fail to comply, and for those that suffer data breaches.
Who does the GDPR apply to? The regulation applies to ‘Controllers’ and ‘Processors’ of data. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data.
- A controller could be any organisation, from a profit-seeking company to a charity or government
- A processor could be an IT firm doing the actual data processing
Where does the GDPR apply? Even if controllers and processors are based outside Europe, the GDPR will still apply to them so long as they’re dealing with data belonging to EEA residents.
How does the GDPR apply? Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What does the GDPR define as ‘personal data’? The GDPR substantially expands the definition of personal data. For example, online identifiers such as IP addresses now qualify as personal data. Other data, such as economic, cultural or mental health information, are also considered personally identifiable information. Pseudonymised personal data (e.g. an online username) may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is. Anything that counted as personal data under the UK Data Protection Act also qualifies as personal data under the GDPR.
People have the right to access any information a company holds on them, and the GDPR ensures people can ask to access their data at “reasonable intervals.” They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want. Controllers have 30 days to comply with these requests. Both controllers and processors must use plain language to explain how they collect people’s information, what purposes they use it for, and the ways in which they process the data.
What happens if there’s a data breach? It’s your responsibility to inform your data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it. Those who fail to meet the 72-hour deadline could face a penalty of up to 4% of their annual global revenue, or €20 million, whichever is higher.