GDPR and public relations: an interview with Suzanne Dibble, the small business law expert
by Ellen Carroll
I think that I’m pretty typical of many PRs (especially those of you that are freelance or run your own small agency) in that GDPR is most certainly on my radar. I’m working towards GDPR compliance for Nellie PR and feel I’ve got a handle on it as a small business or rather a micro business owner. But in terms of doing the day job – pitching to journalists, accessing client data to conduct interviews and the like – many GDPR and PR questions linger.
That’s not surprising – there seems to be a distinct lack of practical guidance about GDPR that is specifically focused on PR and comms coupled with the fact that some of the answers aren’t yet known as aspects of the legislation go through parliament.
I’m not alone – when I put it out there on the various PR groups that I’m a member of that I was to interview a legal expert about GDPR and PR – lots of questions came in thick and fast.
As the majority of PR agencies and freelancers are small businesses, it made sense to interview a legal expert that could answer the GDPR and PR questions from a small business perspective. So thank you, Suzanne Dibble, for agreeing to be interviewed and your patience in answering all these PR and GDPR questions.
Interview and Q&A with Suzanne Dibble about GDPR and PR
Suzanne Dibble is a multi award-winning business lawyer, small business law expert and founder of the Small Business Legal Academy. She’s also the joint founder of Express Global – a global collective of entrepreneurial women – as well as the face and legal brains behind her own massively popular free GDPR Facebook group with over 7,500 members (at last count) where she has been going raw and uncut every night to share her take on GDPR in the most accessible way. And on the subject of accessibility, check out her GDPR mythbuster webinar for a bit of guided training on GDPR and what it all means for you as a business owner. On her Facebook group, you’ll also find video advice on legitimate interests, GDPR and photographers too, and go ahead and ask her a question.
Suzanne, tell me about your own route into entrepreneurship?
I was a mergers and acquisitions lawyer in the City, at the world’s largest law firm, on the fast track to partnership at a very early age. Working 20-hour days, working on multi-million pound deals I realised that it wasn’t really a sustainable career if I wanted to have a family and children. So after holding a couple of really good in-house roles working for the likes of ITV, I decided to set up my own legal practice in 2010. I was thinking, ‘Who do I want to help?’ And it came to me; actually the people I wanted to help were people like me, women who had left corporate to set up their own business. Who I knew traditional legal services just weren’t helping. The way they are set up meant that small business owners and particularly female-led business owners and solopreneurs just weren’t taking the legal advice that they needed because of their perceptions of traditional legal services. I wanted to make law accessible to micro businesses, and particularly the female micro business owners, and still do.
What made you set up your own GDPR Facebook group?
I was consulting with multinationals on GDPR but increasingly finding that small businesses were being left out in the cold. I was seeing that much of the GDPR information on websites and in the stuff that people were sharing with each other was just wrong. It really frustrated me that small business owners were running around in circles trying to work out what was fact and what was fiction.
So on a crazy whim, I decided that I would commit to doing a video a day in a Facebook group and share my take on GDPR, which is not the scaremongering headlines of: ‘As a small business owner, if you’re not fully compliant on the 25th of May, you are going to get fined 20 million Euros,’ because it’s absolutely not going to happen like that. So what I hope to offer in my group is just some really sensible, balanced guidance as to how small businesses can easily comply with GDPR. And it’s been an absolute hit. We’ve got over 7,000 members in there in less than a month and people are sharing it like crazy.
GDPR is complex regulation but I think because I am a small business owner and I don’t hang out with lawyers, I hang out with small business owners, I know what interests them, I know what language they talk. And I can translate it for them, and be the approachable face of GDPR for small business owners.
Is GDPR a good thing?
Yes, in my view it is absolutely a good thing. If you take away the scaremongering and look at it in its essence, it’s good for business owners and it’s good for the consumer. Certainly in the context of marketing, we small business owners need to be paying more attention to the quality of our marketing and it’s right that GDPR puts the focus on making sure that we’re sending the right information to people who actually want to receive it.
Because if you’ve got a big list of people – say you’ve got 10,000 people and 8,000 aren’t reading what you’re sending them because they’re just not interested, then that’s going to impact on your deliverability rates for the 2,000 who do actually want to read it. So you’d actually be much better off carrying out list hygiene and working out who doesn’t want to read your stuff, and giving them regular chances to opt out, and to update their preferences, so that you can make sure that people who do really want to see your stuff, and your potential customers, are actually seeing it.
In fact, I’ll read a quote from the information commissioner, Elizabeth Denham. She says: “This approach may require an up-front investment in privacy fundamentals, but it offers a pay-off down the line, not just in better legal compliance but also in giving you a competitive edge.”
There’s a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. It is a reputation issue.
How important is having a good privacy notice?
Privacy for consumers and individuals is such a big issue and increasingly so – you only have to look at what’s happening with Facebook and Cambridge Analytica.
If you as a business owner have a well put together privacy notice so that when people are giving you their data, you’re saying to them: ‘Look, we’re an organisation that actually really looks after your data. We comply with GDPR, we’ve got all the security aspects in place, we won’t share your data with third parties, we’re really keen on just giving you the types of information that you really want from us.’ That’s a competitive advantage.
I think that the small businesses and PRs that really embrace GDPR will absolutely have a competitive advantage.
How will GDPR impact PR?
The thing about GDPR is it’s not designed to stop people doing business – it’s designed to protect data.
I’ve had lots of questions in my Facebook group about theoreticals. Now, if you look at the exact letter of the law, then, yes, you might have to go and get consent for every single email address that you’re processing, if you can’t fall under a different lawful ground of processing. In reality, the only way that this is going to ever come to the ICO’s attention and for there to be any potential for any kind of investigation or a fine is if somebody reports you. And you’ve generally got to have been doing something pretty bad with that data for somebody to report you.
So if you’re a journalist or you’re in PR and you’re making those cold approaches but it’s done in a professional, respectful way, you’re not harassing people, you’re not sending them 20 follow-ups and saying, “Why haven’t you replied to me?” then I personally don’t foresee any problems. You need a lawful ground to process personal data and there are six lawful grounds for processing – consent is just one of them. The other two main ones that will apply to small businesses are legitimate interests and contractual grounds.
So if you’re reaching out to people with an opportunity, collaboration or something like that, then if you had to look at, what is the lawful ground of processing that data? The chances are it would fall under legitimate interests. In order to rely on legitimate interests, you have to carry out a balancing test, which is really about balancing your legitimate interest with the rights and freedoms of the person that you’re approaching. Now, is the person that you’re approaching going to suffer any harm to his rights or freedoms? No, because you’re doing a one-off processing of just sending him or her an email to see if they want to follow it up or collaborate.
What happens if you don’t have a journalist’s consent to send them an email, for example?
If you are sending emails on something that they would reasonably expect to receive, then there’s a strong argument that you could rely on the legitimate interest grounds and you wouldn’t need consent. The best approach is to carry out a balancing assessment as discussed before.
Do you have any tips on email best practice when you communicate with media such as journalists, bloggers, and influencers?
It depends what your lawful ground of processing is, but if you are saying it’s legitimate interests, then you should inform them of that fact – that you are relying on legitimate interests, and also point out what those legitimate interests are. There is a right to object to processing on the grounds of legitimate interests. So, in short, an opt-out could be used.
What people need to be thinking about is having a GDPR compliant privacy notice, telling people what they’re doing with their information. So I would be having a link at the bottom of each email to that privacy notice and a link to an opt-out.
Where should you store your media data such as journalist contact details?
Ideally, you would password-protect your data. Certainly sensitive data should be password-protected. But no, there isn’t one platform that you can use. If you’re storing data on something like Dropbox or a cloud-based solution, then that obviously gets you into the realms of data transfers and working out where their servers are, and then that would bring you into the realms of international transfers. But no, there’s no recommended solution to where you store it, it’s whatever works for your business. The main thing is making sure that those processes are GDPR compliant and have a reputable standard of security.
Is now the time to get rid of data that you no longer need?
One of the data protection principles is storage limitation and getting rid of data that you no longer need. The letter of the law is that you only store data for as long as is necessary. But ultimately, it comes down to what is the reason behind that? And the reason behind that is so that you don’t contact, for example, Mr. Smith, who’s 77, has asked you to delete his records – you don’t then email him later, or he dies and you email his family or something like that. It’s that kind of thing that GDPR is designed to protect.
Remember, really the only way that somebody’s going to know whether you deleted or not is if you’ve got a complaint. The ICO hasn’t got this vast police force that is going to come around and look through every element of your data and say you should’ve deleted this, and you should’ve deleted that. So if you’re handling data sensibly and there’s a chance that those contacts are still relevant and that they’re not going to mind an email from you or a contact from you, then keep them. If they are going to be cross that you’ve emailed them after so many years, then don’t email them and delete them. It’s kind of a straightforward, practical approach to it that’s needed.
Is there any distinction in the use of personal or freelance email addresses compared to the use of emailing a journalist at @BBC for example?
GDPR does not distinguish between individual and corporate subscribers. The Privacy and Electronic Communications Regulations (PECR) prohibits unsolicited direct email marketing to individual subscribers (which include sole traders and partnerships) without the prior consent of the subscriber. It was hoped that PECR would be amended in time with GDPR but they’re way behind on that. So the best estimate is that the revised PECR will come into effect during 2019. But the aim is to align them with GDPR.
So firstly, it’s unsolicited email marketing – it’s got to be marketing. So if you’re just reaching out to say, ‘How about this collaboration?’ then arguably that’s not marketing. And it’s got to be unsolicited. So if somebody’s asked you, or there’s been some kind of invitation to connect, then it’s not applicable. But if it’s unsolicited marketing to an individual subscriber (including sole traders and partnerships), then you need to have prior consent under PECR.
My guidance on that is to forget about the distinction between corporate and the individual subscribers and just apply the same rules for all.
For more information on PECR, visit Suzanne’s Facebook live video on PECR.
What should you do if a client, for example, wants to see your media database?
As this is your media list containing the personal data/email addresses of those journalists, they probably haven’t opted into that. If you’ve told them in your privacy notice that that’s what you’re doing with it, and they haven’t objected, then that’s probably okay.
You’d have to think about transferring it to clients outside of the EEA, as generally transfers outside of the EEA are prohibited. Transfers outside of the EEA are a complex area so best to come and watch one of the videos in my Facebook group about this.
Is it safer in terms of GDPR compliance to use a third-party media database, for example, rather than building your own? And, if media database owners are saying that they are compliant – does that make you compliant too?
In my experience, a lot of lists say that they’re compliant when they’re not, necessarily. So I would definitely do some due diligence on that, find out and ask some questions about how they are GDPR compliant. I would be wanting to see their privacy notices of when they collected the data, and what they were saying in that privacy notice, and that they had got consent. And remember, it’s got to be GDPR compliant consents now, so for old databases, that consent is probably no longer effective, so they would’ve had to get new GDPR consent from those people to share their data with third parties. So I’d want to see evidence of that. I’m not sure I would take a list-seller’s word on the fact that they’re GDPR compliant.
You’ve got to make sure that that consent has flowed through to you to have that information. And you’ve got to keep records of that consent. You’ve got to take more steps.
Do you need to register with the ICO?
The current ICO registration fee is being phased out and a new controller charge is being phased in. The new regulations dealing with this haven’t been passed yet; they’re going through Parliament at the moment.
From the draft bill, it looks like the smallest level of business will pay £40 going up to £2,900 for tier three.
There is a schedule of exempt processing from this fee, and it actually looks to be wider exemptions than for the existing fee. So I suspect that in time the ICO will put together an online tool in the same way they do at the moment for the ICO registration fee. It takes small business owners through that, and then pops out a little answer that says, ‘yes, you need to register,’ or, ‘no, you don’t.’
In your GDPR pack there is a privacy notice template – is this suitable for PRs?
Yes, it’s across all sectors. There are two privacy notices in there: one that would go on your website if you’re collecting data through a website, and that’s a simpler form that would be if you’re collecting data offline. In the GDPR compliance pack, there are things like the legitimate interests assessment and whether you need to appoint a data protection officer, a data protection checklist, a data transfer checklist, a marketing checklist, the email to get fresh consent, tick box wording and lots more.
Do you put your privacy notice in your contracts to new clients and the like?
It’s better to have a stand-alone document – something that you would send if you’re doing hard copy contracts for clients, or email across as a PDF of your privacy notice. Again, it’s back to the competitive advantage and being transparent about how you’re going to look after their data.
What happens if you have to interview a customer of a client to get their approval on a testimonial, for example, but you’re using the client’s consent forms? As the agency, where do you stand in terms of compliance?
In the case where a client is giving you details of their customer for testimonial purposes – you have to think about the practicalities of it, and what’s the likelihood of that client being annoyed and complaining. Now, if they’re a happy client and you’ve been given the approval to contact them, the chances of that happening are very remote. Would you be able to rely on the ground of legitimate interests, or a different ground for getting in touch with those people? Probably. I think that’s absolutely fine. What we’re really thinking about here is large scale, automatic processing of data. So, again, if you’re doing it in a sympathetic, respectful way, I don’t think there’s going to be any problems.
Any final words of GDPR-wisdom?
Just to be sensible about it, really.
If the person you are contacting is dealt with respectfully, you’re not mass emailing, you’re not large scale data processing where you’re doing dodgy things with it, chances are you’re going to be okay. A really sensible, balanced approach will serve small businesses.
GDPR is not out to trip small business owners up with non-compliance, it’s out to catch the people that are doing bad things with data.
Thank you Suzanne.
Credits and for more information
The Information Commissioner (ICO)
The ICO is the best source for information on GDPR and you can access lots of helpful tools on the site, including 12 steps to take now, getting ready for GDPR checklist, lawful basis for processing (quick glance) and the Information Commissioner’s blog. The ICO is also on Twitter and in my experience has been good at responding to requests for information and answering questions. There is also an ICO helpline for small businesses that you can call on 0303 123 1113 and further information on GDPR and small businesses.
PR and GDPR
The CIPR has issued guidance on GDPR but it is only available for members, and they’re running some PR and GDPR events.
The PRCA has a GDPR FAQ and is running Get your Consultancy Ready for GDPR masterclasses. Both were sold-out when I last looked.
You can follow my small business GDPR journey at Nellie PR and it is good to see that Response Source has been proactive on GDPR and here’s an interesting blog post from Wadds on GDPR for public relations.
Free Facebook group by Suzanne Dibble: GDPR for online entrepreneurs
Watch her GDPR mythbusting webinar and special offer GDPR compliance pack for only £97 (affiliate link) – the price goes up to £147 at 12.01am on Friday 30 March 2018.