No recent EU directive has received quite as much attention as GDPR (General Data Protection Regulations), which will be enforced from 25 May onwards. Ahead of this approaching deadline, Paul Hayes, EACD Regional Coordinator and CEO of Beachhut PR, invited four experts to discuss the impact of the regulation on the communication industry.

Paul opened the debate with a frank description of the confusion surrounding the pending enforcement. The aim of this evening’s discussion (conducted under Chatham House rules) was to clarify even the simplest questions and provide practical tips for communications professionals. Sharing their views with the audience were:

•    Paul Quigley, CEO, NewsWhip
•    Emerald de Leeuw, CEO, EuroComply
•    Jason Burns, Analytics Architect and GDPR Leader (Ireland), IBM
•    Laura P. Flannery, Lead Consultation Specialist, Office of the Data Protection Commissioner

Implications for B2B
The discussion opened with each panellist offering their stance on GDPR. It was explained how the B2B relationship between vendors and corporations will come under significant scrutiny. Vendors move from being an asset to a liability as corporations will become responsible for their entire data supply chain and possible vendor breaches. Regardless of the new regulations, organisations will lose credibility if they attempt to blame third-party vendors for lax data security.

Self-certification
An important question was raised by the audience: if no one is actively auditing your company then is it technically possible to self-certificate? The panel’s answer is yes, but the designated data controller must produce the documentation, records and policies to demonstrate compliance upon request of the data protection authorities. How can a Small Medium Enterprise prove itself compliant with limited resources? It was explained that there are exemptions for companies with less than 250 employees. SMEs should complete a legitimate interest assessment and delete the parts of their database which do not have a lawful basis, such as a contract or legal obligation. It is also important to justify your retention period of data and send out privacy notices to explain how user data is being processed.

International operations
In light of Facebook moving 1.5 billion international users from its Irish server to its US server, Paul Hayes invited the panellists to comment on multinational firms operating in Europe. According to our panel, the Facebook case proves why GDPR was introduced in order to protect users from relaxed laws overseas. The discussion turned to how GDPR triggers a wider debate on legal schools of thought, where the civil law of the European Court of Justice has individual dignity and privacy as core values. However, there will be variation within the EU due to the historical tradition of common law in English-speaking countries, which has freedom and minimal governance at its heart. GDPR has therefore been described as a regulative rather than a regulation because there are still areas which need to be transposed into member states’ law.

Reporting a breach
Under GDPR, the responsibility still largely lies with the data controller. The data processor is subject to greater responsibility as they are now obliged to inform the data controller if they suspect a breach, and will be liable if they act outside the instructions of the data controller. Only if there is a significant risk do you report a data breach to your customers or the data protection authorities. However, the point was raised that individuals should think carefully about which platforms they use and the consent they give for their data to be shared. Data can be processed in any way as long as the organisation has explicit consent, but a privacy policy must be formulated in accessible language. Gone are the days of checking yes to a 15-page policy because you want to use an app.

Campaign outreach
Looking for advice, Paul asked how PR agencies should behave when contacting journalists. The key to outreach is defining a legitimate business interest and to ensure there is an opt-out option to protect the rights of the individual. It was reiterated that the term “legitimate interest” should not be used as a get-out clause for consent. Under GDPR, individuals can take cases to court, i.e. if suffering distress or humiliation due to lack of data privacy, and claim compensation.

Brand boost
GDPR is, of course, about more than just compliance. Aside from the legalities involved, panellists asked the audience to imagine the damage to their brands in the wake of a data breach or failure to comply to the new regulations. It was also emphasized that GDPR does not stifle innovation and technology, and these in turn are not mutually exclusive to data transparency and privacy. If you follow GDPR properly, users will respect you more and you can significantly enhance your business’s reputation. Good data governance should form part of ethical PR efforts and corporate citizenship.

Getting the C-Suite to listen
The audience was encouraged to embrace GDPR as a positive change instead of viewing it as a burdensome task for business functions. It was admitted that selling GDPR as a positive cultural shift in data ethics is too vague for the C-Suite, who want to understand the concrete business value. In the panellists’ experience, 4% fines and brand awareness are what resonates most with senior management.

Data flow
The discussion closed on the idea of building products that deliver value without processing personal information. Companies are often tempted to build in features that mine data as they see tech giants profiting from this (Google, Facebook) but times are changing and entrepreneurs should take an ethical, sustainable approach. On a final note, the audience were encouraged to map all data flowing through their organisation. A clear idea of all data flow will result in lower risk to brand, improved transparency and the opportunity for better analytics.

View our picture gallery and watch the speaker interviews and highlights video. Over the drinks that followed the Debate, individual audience members were able to grab a few words of advice directly from our guest speakers – our sincere thanks to them for so generously providing their time and their expertise at a memorable addition to our annual debate series. The next EACD Debate will take in Brussels on 24 May on “A changing political landscape - what's next for Europe?” Reserve your spot here.