HOW WILL THE INTRODUCTION OF THE EUROPEAN GENERAL DATA PROTECTION REGULATION AFFECT PR COMPANIES?
TRAVEL WEEKLY has just hosted its first Cyber Security Summit in London. Despite questioning its relevance to Public Relations practitioners, I attended. I’m glad I did.
As the morning progressed, something became very apparent: it is very likely we will all be victims of cyber fraud one day, so we need to know how to protect ourselves and our businesses.
One of the main focuses of the morning was the European Data Protection (EU GDP) act and its entry into UK law (Brexit or no Brexit) at the end of May 2018. Companies are now collecting an incredible amount of data so it has become vital to harmonise all data protection laws across Europe.
Peter Gouch from Deloitte highlighted the key components of the new regulations and how they will affect British businesses. He told us it will be the responsibility of individual companies to protect data and keep it secure. Accountability, transparency and consent will be the cornerstones of the new law and will be prioritised by regulators – what companies are doing with their databases, the impact on individuals and the extent of the damages caused by a breach.
Other speakers made points which raised serious questions for PR practitioners and PR companies. What do we do with our own data – client data, journalist data, new business data? And what do we do to keep it safe?
One point kept coming back: education is key.
How accountable and transparent are we?
The EU GDP will make businesses accountable and responsible for guaranteeing data privacy. Beyond 2018, regulators will become more powerful, more aggressive and will require proof and documentation from companies showing that they have taken the right measures to ensure protection of personal data. For example, if data is hosted by a third-party supplier, the company must ensure its supplier complies with regulations. If it hosts the database on private computers or servers, it needs to show it has taken the necessary precautions to protect it with decent firewalls and anti-virus software, regular password changes and compliance education of staff. When it comes to transparency, we need to be able to communicate how and why data is being used. If the data is not relevant or out of date, it needs to be deleted.
Does consent apply to PR companies?
‘Consent’ raised an interesting debate. To comply with the new regulations, companies need to reconfirm consent from everyone they hold contact details for – having ticked a simple opt-in box will no longer be considered ‘explicit consent’. You could tell by the audience reaction how difficult this was going to be, and the impact it would have on the size of companies’ marketing databases.
Most PR agencies use or subscribe to a third-party provider, such as Gorkana or Cision, to access journalist databases. Because we pay for access to these databases, we assume these companies will have secured the right level of consent to hold and share journalists’ contact details.
Are the journalists whose contact details are on the database aware of how many PR agencies have access to them?
How can PR agencies ensure third-party suppliers comply with the new regulation?
Does that mean that when we download and/or share these media databases within our own business, we become liable for ensuring their safe-keeping? And do we need to reconfirm journalists’ consent to be contacted?
Bearing that in mind, how far do we need to go? Should adding an ‘unsubscribe’ disclaimer at the bottom of a press release become new practice?
And what of our new business databases? New business mailouts and cold-calling are essential to grow our businesses. How do you get consent to be approached by someone you haven’t been in touch with before?
There are many questions – some specific to the PR industry – that need to be answered, soon. The industry has a duty to address these ahead of the deadline of May 2018, but we also have a duty, as individual businesses, to start putting our affairs in order now.