With the first anniversary of the 25 May effective date of the GDPR fast approaching, PR firms, regardless of whether they are interacting with stakeholders in and beyond the EU, must be sure to act responsibly, transparently, ethically and legally when handling personal data.
Indeed, successful PR is dependent on the ability to build and maintain valuable relationships, both digitally and personally, and being able to build a base of trust with clients. Personal data is intrinsic to this balance, making GDPR now a central pillar of the PR world. Here’s what you need to keep in mind:
Words equal binding commitments
This time last year, email inboxes the world over were being flooded by notifications of updated privacy policies and requests for approval. What most firms did not realise is that simply updating a document and requesting opt-in consent does not equal compliance.
Firms must take additional steps depending on the nature of the personal data they collect, including amending client and vendor agreements, updating internal information security policies, and updating the firm’s data breach plan. A firm cannot mindlessly adopt a new privacy policy or agree to new client or vendor obligations; the new agreement may not, after all, be realistic.
Keep in mind that the GDPR is not just an EU issue within the jurisdiction of EU regulators. Juliana Henderson, a spokesperson for the Federal Trade Commission, has said that the FTC could initiate an enforcement action in the US if a firm chooses to implement some or all of GDPR.
The option to operate outside of GDPR
Some firms may make the mistake of rushing into GDPR compliance efforts without considering what may be a more suitable alternative: taking deliberate steps to operate outside the scope of the GDPR.
GDPR only applies in certain circumstances for US-based firms, including the processing of personal data of individuals who are based within the EU. The data processing concerned is related to two specific areas: the offering of goods and services to individuals in the EU, or the monitoring of behaviour in the EU, including the tracking of an individual online using cookies for the purpose of internet-based advertising.
Agency client agreements
There are several pertinent, but unexpected, side effects of GDPR on agency-client agreements. Firstly, PR firms should be less comfortable making a standard “compliance with all laws” warranty, since it does mean the firm agrees to comply with all aspects of GDPR as well as a host of other unspecified laws.
In the same way, an agency that is not fully GDPR-compliant may encounter difficulties in retaining or pitching a client that is requesting a data processing addendum. A PR firm should not sign an agreement of compliance while it is not actually in compliance, which would make it in breach of the agreement and expose it to oversight from regulators.
Ultimately, as firms encounter this new post-GDPR landscape, it is vital they recognise shifting consumer attitudes toward privacy and data protection. The goal of PR, as ever, remains unchanged: engaging with consumers, while respecting their privacy rights.