GDPR: one year in and what it means for PR

By in Blog
On May 24, 2019


Sign up to our newsletter

Happy one-year anniversary to the General Data Protection Regulation (GDPR)!

On May 25, 2018, the most sweeping data protection laws were implemented in the European Union (EU). It applies to any business, regardless of location, that collects, processes or stores data on European citizens. Companies had two years in the lead-up to GDPR’s implementation to get their data practices in order, or else they risked fines of up to 20M€ or 4% of global turnover – whichever’s higher.

In the year since GDPR’s implementation, there have been over 200,000 reported violations and fines totaling 56M€. However, 50M€ of that came from just a single fine for Google, which is under appeal, stemming from its mishandling of consumer data. This may not seem like a lot, especially when you consider that 62% of organizations were still not compliant as of March 2019. But, regulators have promised a more rigorous enforcement agenda for 2020 now that they’ve had some time to start building cases.

The catalyst for industry self-reflection

Beyond fines, GDPR helped usher in a reckoning for the technology industry as it relates to the handling of personal data and the right to be forgotten. The regulation helped trigger a global conversation about the ethics of data collection, with other countries rushing to adopt similar regulations. Although the U.S. has yet to pass a federal regulation in this same vein, states like New York and California have adopted their own data privacy regulations.

One of the best outcomes of GDPR is the public awareness of how consumer data is being used, and the pressure they are putting on businesses to keep their personal information safe. Not only are businesses at risk of financial losses through non-compliance, but reputational loss as well. This is much harder to quantify, however, and can therefore be an even scarier prospect for businesses – and no one is safe, not even PR pros.

GDPR’s impact on the PR industry

When people think of data privacy, they tend to think of major tech giants that are notorious for their data collection practices – Facebook, Apple, Google, etc. And, while Google’s largest GDPR fine to date got a lot of attention in the press, the more common smaller fines tend to go under-reported. For example, German regulators fined a company 20,000€ for failing to adequately protect employee passwords. And an Austrian company was fined 4,800€ for operating an unauthorized security camera that hit part of a public sidewalk.

International PR campaigns

Suggested Post

The dos and don’ts of international PR campaigns

For any brand, expanding into a new region or territory can be a significant challenge. Along with the basic cost of...

Read More

You may be thinking “we’re too small to get noticed by regulators,” but any EU citizen can lodge a complaint if they feel their personal data is being mishandled. And, if you work in PR – whether at an agency or in-house – chances are you’re collecting information on and dealing with reporters living and working in the EU. Below are a few things to keep in mind to ensure you’re handling this data properly and avoiding the eyes of regulatory watchdogs.

  1. Create a culture of data privacy. One of the provisions in GDPR is requiring certain companies to formally appoint a Data Protection Officer. Even if this doesn’t apply to your business, there should be someone on staff that is well-versed in data privacy regulations to promote best practices internally and provide training on handling data, or answer any questions or concerns. A strong data privacy message should also filter from the top of the organization down. Establishing guidelines that outline your data privacy policies in writing will also help provide transparency into your data collection practices, and ensure everyone is marching to the same tune.
  2. Respect consent. It’s no longer appropriate for PR professionals to simply assume consent when pitching media based in the EU. This must be explicitly given and stored in case of an audit. If you’re using a media database, they will most likely have collected this consent already – but it is still your responsibility to make sure any third-party services you’re using are compliant. What complicates matters is when you transfer that information out of a database and into a list of your own. This brings us to the next consideration…
  3. Know how and where data is stored. Managing your data properly is the best safeguard against non-compliance. You must know exactly where data is stored, how it’s stored, and ensure it’s protected from potential breaches. Keep in mind that this applies only to personal, not business contact information. However, many reporters – especially freelancers – are increasingly using personal email and phone numbers. If, for whatever reason, you experience a data breach, this must be communicated to any EU citizen impacted within 72 hours.

It’s important to keep in mind that GDPR doesn’t just apply to information collected after May 25, 2018, but any personal information collected over the life of the business. For PR pros, this means any old media lists will also need to be scrubbed. Of course, this doesn’t only apply to media, but any personal information collected from clients, contest winners, event attendees, analysts, and bloggers, among others.

The passing of GDPR started a ripple effect when it comes to data privacy. There will be more cases and heftier fines in the years to come, as well as new regulations cropping up as other countries take steps to protect citizen information. If you think you’re small enough to fly under the radar; think again.

Want to find out more about our GDPR compliant PR or marketing services? Drop us a line at or visit our contact page.

Sign up to our newsletter
Back to Blog

Related Posts