Data Privacy Week: How PR and privacy work together
By Helena Carnell, Junior Account Executive
Data – collected through computers, smartphones, and every internet-connected device out there – is rather valuable, so when underestimated it can be very dangerous, leading to an array of serious and costly issues.
With the significance of data privacy in mind, the National Cybersecurity Alliance (NCA) expanded Data Privacy Day into Data Privacy Week, with 2023 marking the third year of this extension. The US Data Privacy Day is itself a version of Europe’s Data Protection Day and, although different in name, both days and the full week were created to help businesses understand the importance of respecting user data.
But, what is data privacy law and what guidelines are available in the UK?
There have been many advancements to data privacy law, with the General Data Protection Regulation (GDPR) at the centre of all of it.
The UK’s Data Protection Act 2018 – its own version of GDPR, essentially – controls and establishes how businesses can use your personal information, holding everyone accountable for upholding data protection and privacy by providing ‘data protection principles’. The way businesses use and adhere to GDPR and this Act depends on the type of business; in the PR world, due to the frequent handling of the data of clients, journalists, analysts, and other media professionals every day, understandably some PR professionals were unsure how it would affect how they do their job. But by ensuring an understanding of where the line is drawn, data protection and PR can comfortably coincide.
Agency-side: like airport security, there’s a list of do’s and don’ts
Think of data regulations like airport security: there is a strict line drawn between right and wrong, with catastrophe a certainty if done wrong, causing your consumer trust and brand name to be blacklisted. Remember no shampoo, no sharp objects, and no ignorance of privacy law!
The Chartered Institute of Public Relations (CIPR) recommends that agencies should review the grounds for processing any personal data and seek consent where possible. Out of the six, there are two legal conditions within privacy law that public relations should be aware of when getting consent isn’t an option: Public Task and Legitimate Interest.
Public Task is the processing of necessary information for you to perform a task which is in the public interest or for your official functions.
And then there is Legitimate Interest, the clause which gives the PR industry the green light to keep doing what they do best, sending journalists, analysts, and other media contacts emails, as long as it fits into one of these categories:
- Purpose – the legitimate interest can be your own or a third party including commercial, individual, or broader societal benefits. Using emailing a journalist as an example, there is both individual and third-party interest as you want to get your client’s work published and journalists want material to publish.
- Processing – the processing must be necessary. For example, emailing a journalist is necessary as it is less intrusive and less of a hassle than calling or turning up on their doorstep.
- Balancing – there must be a balancing act between your interests and the journalists’. If they would not reasonably expect your email, or if it would cause unjustified harm, their interests are likely to be unbalanced to your own.
- Record and file away – you must keep a record of your legitimate interest assessment and include details of it in your privacy information, in case a demonstration is required.
Client-side: Getting them onboard with PR advice on privacy
When onboarding a new client, public relations agencies must make it clear how they plan on using and storing the client’s data, whilst also ensuring they are up to date with any changes to the right to privacy across digital platforms.
PR agencies are responsible for steering clients clear of crises and privacy violations. But with the increasing value of data, what happens if worst comes to worst, and a client is cyberattacked?
Although PR agencies have little influence over a client’s security infrastructure, they can provide guidance and crisis management support. Our best advice for businesses is to get ahead with a GDPR action plan which ensures preparedness to prove they have everything in place to protect their data. The plan will be unique to their business but every successful plan needs to have a clear roadmap which covers all routes and areas, is entirely transparent, and is constantly being updated.
The point of the plan isn’t to be in replacement of any security you have in place, but rather evidence that you are secure, and insurance that if something does happen, you have a plan B, C, and D if someone tries to steal customer and employee data.
The cost of failing to comply
The GDPR compliance deadline has flown past; those who are prepared can be more certain of a safe journey, but those that are uncertain can find themselves in ‘panic mode’ which may lead to a crash landing – a costly mistake.
The Information Commissioner’s Office (ICO), the UK’s independent body set to uphold information rights, is the pilot of the GDPR operation in the country, in charge of ensuring the misuse of personal data is dealt with. For example, in August 2016, when Flybe sent an email to 3.3 million people who opted out/ unsubscribed to being contacted, asking “Are your details correct?”, the ICO landed them with a £70,000 fine. Ignorance of the law doesn’t fly with ICO.
The final leg of our journey – landing the facts straight
Ensuring privacy in the digital age is imperative, with this week marking the global effort to create awareness about respecting privacy, safeguarding data, and enabling trust. Organisations need to keep in mind their brand and how customers see them, with three-quarters (76.3%) of consumers suggesting they are still concerned about data when interacting with a brand.
Therefore consideration of how your brand is viewed and how you store customer data should always be seen as a priority (and this applies to those of us in PR as well as our clients).
Our industry-leading team is capable of creating a PR strategy with a range of tactics, whilst accounting for all the relevant data protection and privacy guidelines on all sides. Take a look at our case studies and contact us today to find out how we can help you avoid a bumpy ride.