The GDPR (General Data Protection Regulation) is the EU’s instrument for regulating data protection and privacy for people and companies doing business with EU residents. As from 25 May 2018, those who do not comply risk a fine of 4% of their annual turnover (up to a maximum of 20 million euros). The GDPR specifically concerns marketing messages. These also include press releases that are sent unsolicited to journalists.
In a nutshell, after 25 May, when a PR professional contacts a journalist for the first time by sending an e-mail containing a press release about a new product, this is considered a marketing e-mail. The journalist will be entitled to ask you to show when and how they gave their permission to use their data. If you are unable to do so, you are at risk of enormous fines.
This means that from 25 May, when you contact a journalist for the first time, you must always start with a personal e-mail asking if you can send press releases in the future. If you work for a PR agency, you should explain the topics or companies these press releases will cover. You can only add journalists to your press list once they have given their unambiguous consent. A telephone call is also allowed, but then you have to record the conversation – with your conversation partner’s permission. That is easier said than done, bearing in mind that most journalists already find it annoying to get telephone calls after receiving a press release. The good news: GDPR rests on 6 legal grounds. “Legitimate interest” is one of them: you can contact people if it’s in their interest. Do you have news about the latest automotive trends? Then an automotive journalist has interest in receiving this information and you are therefore allowed to contact the journalist.
However, there is more to the GDPR than just consent. Five more tips:
A PR database is more than a press list
You should be as open as possible about the data you store and use, and why. What if a journalist asks to inspect the data? Then you should send it in a readable format. And what if a journalist asks to be removed from the database? It is not sufficient to simply remove them from your press list. You need to completely remove their data from your database. That includes their interview profile and all the data from your CRM.
Choose your PR tools with care
Whether you send press releases yourself or use an external tool, the responsibility lies with you as the sender of the press release. This means that you should know what data is collected, where and how it is stored, and when it is removed. At least make sure that all the data is encrypted so that it is not visible to anyone even after a possible leak.
Do not pass on press lists
The data in your system remains the property of the journalist. Which means that you may not pass information on to customers, partners, or other parties without the journalist’s express consent. If you are asked about the recipients of a press release, you can only say ‘a journalist’ in medium X. You must not provide names, e-mail addresses, or telephone numbers. The same applies when your customer asks who has opened a press release.
More than ever: Limit your press list
Of course, it is always a good idea to send press releases only to journalists for whom they are relevant. From now on, however, you must keep your press lists even more strictly up-to-date and be even more selective about the people who receive each press release. This way, you avoid journalists filing complaints because they feel harassed.
Protect your PR infrastructure
Time for IT to get to work! All the systems on which journalists’ data are collected, processed, or stored should be made as secure as possible. Install the latest updates and patches, make sure you notice violations and intrusions as quickly as possible and have a solution at hand in case security breaches do occur.
Want to know more? Please feel free to contact us!