Four critical issues in the post-GDPR world for PR firms

Now that the May 25 effective date of GDPR is in the rearview mirror, PR firms must act ethically, transparently, responsibly, and legally when processing personal data.

Photo credit: Getty Images
Photo credit: Getty Images

Successful public relations and marketing activities depend on the ability to build and maintain meaningful and valuable relationships, digitally and personally, and being perceived as trustworthy. These relationships often run on personal data, such as behavioral data and contact data, which may be subject to the European Union’s General Data Protection Regulation (GDPR).

Now that the May 25 effective date of GDPR is in the rearview mirror, PR firms, whether they are connecting with stakeholders in and outside the U.S., must act ethically, transparently, responsibly, and legally when processing personal data.

Here are the four critical issues for PR firms to keep top-of-mind:

Words create binding commitments
In the days leading up to GDPR’s effective date, email inboxes around the world were flooded with notifications of updated privacy policies and requests for consent. What many companies did not seem to understand is that just updating an online document or asking for opt-in consent does not equal GDPR compliance. Companies whose practices fall within the scope of GDPR must take additional steps. These steps will depend on the nature of the personal data collected by a firm, but the steps include amending client and vendor agreements, updating internal information security policies, and updating the firm’s data-breach plan. A firm should also not mindlessly adopt a privacy policy or agree to obligations in a client or vendor contract since that policy or obligation may be too cumbersome or too costly to undertake.

GDPR is not just an E.U. issue within the jurisdiction of E.U. regulators. Juliana Henderson, a spokesperson for the Federal Trade Commission, has stated that the FTC could initiate an enforcement action in the U.S. if a firm chooses to implement some or all of GDPR and makes promises to the U.S. consumers about how it will treat their personal data and information. If the company does not comply with the promises it makes to U.S. consumers, the FTC will regard it as deceptive and misleading to U.S. consumers, and therefore in violation of the FTC Act. Therefore, it is important to keep in mind that compliance requires active monitoring and demonstrations of compliance in practice, not just updating a privacy policy.

The option to operate outside of GDPR
Some companies, particularly public relations and marketing firms, may make the mistake of rushing into GDPR compliance efforts when there is a more suitable alternative: taking affirmative steps to operate outside the scope of GDPR. GDPR only applies in certain circumstances for U.S.-based firms. It applies to the processing of personal data of individuals who are situated within the E.U., where the data processing is related to two specific items: the offering of goods and services to individuals in the E.U. or the monitoring of their behavior in the E.U., which includes tracking individual online using cookies, including for interest-based advertising.

Many public relations and integrated marketing firms may not be receiving E.U. personal data at all or can operate in order not to receive E.U. personal data. For instance, many PR firms often perform email-distribution services for clients in addition to creating the content of such emails. Some PR firms are now opting only to create the content, and to have their clients send the emails. This prevents the PR firms from receiving any E.U. personal data. In making the assessment of whether or not to operate within the scope of GDPR, a PR firm should consider what is best for their business, not only from a regulatory perspective, but also from a budgetary and operational perspective.

Agency client agreements
There are several unexpected side effects of GDPR on agency-client agreements. First, PR firms should be less comfortable making a standard "compliance with all laws" representation or warranty since it unwittingly means that the firm will be agreeing to comply with all aspects of GDPR and a host of other unspecified laws. Similarly, an agency not fully GDPR-compliant may face problems retaining or pitching a client that requests a data processing addendum. The immediate issue, upon receiving a client’s DPA, is not the content or negotiation of it but rather the agency’s internal operations that many not be GDPR-complaint. A PR firm should not sign an agreement of compliance while not actually being in compliance. The agency would be in breach of the agreement upon signing it. It also may face exposure from regulators.

Second, in the post-GDPR environment, clients may have additional leverage requesting that a PR firm agree to contractual provisions that agencies were able to previously resist. For example, clients may have an increased ability to request broader audit rights since GDPR gives "data controllers" the right to audit a "data processor." Clients may also more successfully seek a PR firm to protect all data, and not just personal data, since the definition of data to be protected under GDPR is very broad.

U.S. consumers are starting to care
Many marketers and their PR firms have been asking the question: do U.S. consumers really care about privacy the way E.U. consumers do? In the past, it seems that U.S. consumers were more than happy to trade their personal data for convenience. However, in the wake of the Facebook-Cambridge Analytica scandal, there has been a shift in U.S. consumer attitudes and U.S. laws)in favor of consumer privacy.

In the six weeks after the May 25 effective date of GDPR, the California legislature enacted the California Consumer Privacy Act of 2018 that applies to the privacy of the personal data of state residents. Since May 25, six other states—Colorado, Louisiana, Oregon, Virginia, Iowa,  and Nebraska—have also updated their privacy-related laws to protect the personal information of residents in their states. Even some cities, most notably Chicago, have proposed additional privacy protections for their residents.

As more U.S. states react to GDPR and new consumer attitudes toward data protection and privacy, PR firms and their clients should prepare to update their data practices and policies. The goal, however, remains constant: to find ways to engage with consumers while respecting consumer privacy rights.

Michael Lasky is a senior partner at the law firm of Davis & Gilbert, where he leads the PR practice group and co-chairs the litigation department. He can be reached at Vivian Wang, a Davis & Gilbert associate specializing in privacy and technology, assisted with this article. She can be reached at

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Already registered?
Sign in