Privacy policies, data leaks and “Hi there” emails

How GDPR could affect media outreach and public relations, and tips on how to navigate the challenges that lie ahead.

Does the GDPR spell the end of "spray and pray" outreach?

Ahead of the recent EACD Dublin Debate on GDPR, we asked two of its speakers – Stephanie Tutton, senior analyst at EuroComply, and Paul Hayes, chief executive officer and founder of Beachhut PR – for their insights into how GDPR will affect communications, media outreach and public relations, and how to navigate the challenges that lie ahead.

Interviews by David Phillips

Stephanie, what’s the most common question your clients ask you about GDPR?

There are a number of questions that crop up frequently, partly because the GDPR has introduced more questions than it has answers, but also because there are a lot of reinforced misunderstandings circulating about what GDPR compliance actually means. A lot of questions boil down to: do I need to delete my entire database because I don’t have consent? Data is money for companies and we understand that.

There are other grounds that you can rely on and we want to focus on helping our clients with that.

Paul, one key part of the conversation at the Dublin Debate is the potential impact of GDPR on media relations. What are your thoughts on this?

Obviously, the challenges of preparing will be much greater for smaller businesses who may not have the expertise, or resources to ensure compliance. For these entities, now is the time to educate themselves on the kind of support out there, whether technological or otherwise. They may eventually require investment in the kind of tools and consultancy to ensure they are able to operate.

Eventually, if GDPR spells the end of “spray and pray” practices then what remains will be more quality, targeted outreach.

We have become too dependent on the “Hi there” email that should be the follow-up, not the initial contact. Such practices are soon to enter a period of reckoning under GDPR.

What kind of processes should be in place to raise awareness within the company about GDPR and data protection, and what kind of questions do communicators need to be asking now about the state of their company’s data protection handling?

Stephanie: There are several effective ways of raising awareness within a company about data protection. Firstly, make sure that staff receive adequate training and have clear guidance in their employee handbooks.

Employees should know how to recognise a breach, and should know the reporting line in their department if one is detected. There needs to be someone to take ownership of compliance or it doesn't get done, so departmental heads must be informed and ready to act.

Paul: The very real danger will be for those companies who operate too far away from actual established media relationships – those who rely on very wide dissemination of unsolicited information to journalists. These kinds of practices have the potential of majorly impacting the turnover of smaller companies in particular.

Therefore companies will need to audit the internal practices of individual employees and provide proper communication and training to ensure compliant practice. Externally, we need to be as transparent as possible with all of our stakeholders, whether they are journalists, clients or investors when it comes to our data management practices. Under GDPR no one will be able to run and hide.

When launching a campaign, how critical is it to be aware of not only the data that is used in targeting but also the prospect of data leakage and/or theft during the campaign?

Stephanie: Data leakage is tricky as it can often go unnoticed. Where a person’s behavioural characteristics and interests are being processed in the context of providing targeted ads, this data may include sensitive personal data (ethnicity, religious beliefs, political views, sexual orientation).

When it comes to calculating fines, the regulators will be taking into account the ‘nature of the personal data’ subject to a breach and so sensitive personal data should be given particular attention and good protection under GDPR.

How is the way that companies are communicating about privacy changing? Many companies share a short privacy statement via email - is that enough to replace the multi-page privacy policies of old?

Stephanie: Businesses are starting to listen to their customers and are introducing much more digestible privacy policies, which is a positive change. Companies are using privacy as a competitive advantage as people are naturally becoming wary of how their data is being used.

When it comes to privacy policies, more is usually less. To create a clear privacy policy, you need to consider your audience. If the majority of your audience are children, provide very simplified language for example. If your audience is a very varied age group, you can consider providing both a more detailed policy, and alongside this a simplified version for the younger audience.

It’s also important to remember: clarity and transparency are great, but it’s really important businesses don’t feel that this gets them off the hook. Processing personal data should be done responsibly first, and communicating this to customers should come after.

Are companies doing enough to push the subject of data protection as part of their corporate reputation management? I’m thinking of when Apple refused to hand over their customers’ data to the US government, and the huge reputation boost they received in the wake of that…

Stephanie: I think that companies are becoming increasingly aware of the great reputational boost that can be gained from enhancing GDPR compliance. In the wake of this I do think it’s important that we hold businesses to their word as well, as there is a risk that businesses will not always practice what they preach.

It is in all of our interests and is a collective effort that we make sure that personal data is being protected responsibly and effectively after we volunteer it to businesses.

Paul: GDPR is a codification of what we should always have been doing. We welcome it as a minimum guarantor for our clients that we are treating data correctly. Whether we are dealing with a couple of journalists or millions of customers the same standards should apply.

Since we are in public relations, we will be front and centre of the firing line, and thus we have to be above reproach. For the first year, public relations agencies will be scrutinised heavily. We have to operate beyond GDPR. The good thing is that the nature of our data tends to be straightforward.

We tend to hold non-complex and non-controversial data, unlike many healthcare organisations for example. However, public relations will be the testing ground for GDPR, the battlefield where this legislation will be tried and tested. Smaller agencies will likely be the first casualties, so for them, being compliant will be the difference between make or break.

It’s early days, but when do you predict companies and advertisers will be seeing the consequences of the GDPR?

Stephanie: Once GDPR is in force, companies handling personal data in a reckless manner will simply lose business; these kinds of practices are already being recognised as unacceptable. In terms of the behaviour of the regulatory authorities, it is unlikely that they will start becoming trigger happy for the sake of it by handing down lofty fines.

Regardless, the impact of GDPR will be felt. Not meeting the revised procurement standards for example will inevitably cause problems. 

Paul: We have been operating under the guidelines of GDPR for some time, but like many other agencies, who do not have specialised resources in place, such as a data protection officer, we will likely only truly comprehend the consequences once it actually comes into effect. It is from the mistakes of others that we will gain a better understanding of the boundaries in which we should legally operate on a daily basis. Every sector holds different depths of data.

From a public relations viewpoint, it feels only right that we should have these kinds of regulations. There may be initial teething problems with regards to the abuse of power with GDPR on both sides, but it is good for getting all of our houses in order. We have no excuse in the public relations industry not to get this right, because our data is not very complex. Bad public relations practice will fall to the wayside.


Stephanie Tutton

Stephanie Tutton is a data protection subject matter expert and senior analyst of EuroComply responsible for Central Europe. After completing her law degree at the University of Law in London, Stephanie completed her Masters in European Union Law at Leiden University where she specialised in data protection law. She was contracted as an international consultant for the OSCE (the Organisation for Security and Co-operation in Europe), the world’s largest regional security organisation, and worked for the EU’s judicial cooperation agency, Eurojust.

Paul Hayes

Paul Hayes is chief executive officer and founder of Beachhut PR, where he drives strategy for a wide variety of tech clients in multiple verticals and geographies. He has mentored over 150 startups through Launchpad, DCU Ryan Academy and Dogpatch Labs. He works with founders on all aspects of their strategic communication from fundraising to IPO. Paul has extensive experience in technology communications and notably developed the messaging for early Irish tech success stories such as Havok and Demonware.