The field of Public Relations and Communications typically does not require any formal training or certification. There is no need to complete continuing education courses, and most don’t need to have a degree in PR to go into public relations work. And, while those who join professional organisations such as the Public Relations Society of America (PRSA) or the International Association of Business Communicators (IABC) are required to agree to (and follow!) a code of ethics, these organisations are voluntary to join.
This means that, by and large, communicators are expected to comply on their own when it comes to staying up to date on changes in laws, requirements, and regulations. It’s up to each practitioner to abide by ethical data gathering and be responsible in its use. Adding to that, it’s also important to keep current on regional and societal norms. Even if laws are silent on some aspects of data collection practices, ethical collection and use is the goal.
Regulations
Understanding and following regulations and laws has become an increasingly important part of a communicator’s job. For brands that operate in European Union (EU) member states, a law known as the General Data Protection Regulation (GDPR) went into effect in 2018, bringing ethical data collection and use to the forefront of attention to virtually every business.
GDPR is part of a broader effort on the part of the EU to protect the transfer and use of personal data and is considered an important component of protecting individual privacy. At its core, GDPR seeks to protect the privacy of citizens of the EU by addressing the torrent of personally identifiable digital information that companies collect, use, store, and sell.
Every citizen of the EU is protected by GDPR, and this poses some interesting challenges for companies that collect email addresses for sales and marketing purposes—including companies that aren’t based in the EU but do conduct business with EU citizens.
A US-based company that collects personally identifiable information of customers who are citizens of the EU must abide by GDPR regulations, which contain a number of articles and principles that companies are required to consider.
Lawful uses of data involve questions of consent, such as did the individual provide consent to collect and process their personal data, and there need to be effective controls in place to protect the security of data collected.
Mitigating Bias and Ensuring Fairness
Another reason to prioritize ethical data collection and use is to address biases. Every human being has biases, what PR practitioners need to guard against is personal biases creeping into programs, analyses, and goals.
Getting the data collection side of the process right can help to prevent biases from becoming embedded into business practices.
An older but still useful example of how data collection can reinforce bias is one of Amazon’s earlier attempts to streamline its hiring processes. Data engineers built and tested an AI program to identify job candidates who were most likely to mirror successful former applicants and employees within Amazon.
The AI relied on a discrete existing data set to provide the baseline against which the AI was constructed. This built into the AI program a very specific bias towards male employees—not because Amazon thought males were better, but because over years the company’s job applicants and hires were predominantly male. For example, the program downgraded applicants who attended women’s colleges not because there was anything wrong with those institutions, but rather because most of its successful applicants had not gone to women’s colleges.
Getting the data collection side of any program right is crucial to protecting against established biases. Not every program will surface such clear-cut results, so attentive and ongoing analysis is key. By adjusting inputs or even the sources you’re monitoring, you can move towards more fair and equitable results.
Protecting against Misuse and Harm
The ethical use of personally identifiable data is important not just for compliance with GDPR and similar laws and regulations, but because trust with your audiences is something that can easily be lost if privacy is violated.
And, once lost, trust can be hard to reestablish.
Knowing the provisions of the laws is an important step. One requirement of GDPR is that information collected with the permission of the individual can only be used for the original purpose. If your organisation ran a contest and collected email addresses in the process, you might be permitted to use those email addresses *only* for the contest, and not, for example, to send emailed newsletters or marketing at a later date.
Another potential pitfall is sharing email lists, because GDPR requires consent prior to the sharing of personal data. Does this mean you cannot share a list with names gathered during a specific outreach campaign with another product team under the same brand? It might, particularly if there’s a possibility that citizens of the EU are on the list.
Incidentally, this prohibition on sharing without consent includes lists of journalists’ names and email addresses, something frequently shared between PR professionals. If you pitch journalists in EU member countries, you may need to provide them with a means to opt out of future pitches.
This provision can be a real challenge for larger PR firms, which may have dozens if not hundreds of PR practitioners who have carefully cultivated media lists. Some of these are likely to have the same reporter on multiple lists. If that reporter opts-out of future pitches, does it apply to that PR pro—or the entire firm?
While GDPR’s regulations might seem daunting to follow, data protection requirements have long existed for regulated industries in the US. Banking and healthcare are two prime examples of industries with stringent data protection rules.
Looking for guidance on how to develop internal practices that protect privacy might start with colleagues who have worked in regulated industries.
Conclusion
None of the above discussions is meant to be taken as legal advice; for that you’ll need to speak with whomever is designated your GDPR compliance officer. If you don’t have someone at your organisation specifically tasked with GDPR compliance—and this is a challenge for many small and mid-sized businesses—see if your general legal counsel might be able to help.
Again, in addition to simply being in compliance with laws and regulations, PR practitioners need to consider the value of trust. We work hard to build trust with audiences. Putting that trust at risk by not paying attention to the need for ethical data collection and use is unwise and could be costly.
The professional organisations mentioned in the first paragraph are also good resources for information and training. Carve out some time to bolster your organisation’s understanding of which regulations might impact your business. Consider doing an informal “audit” of internal practices, such as email list sharing. You might be surprised at how easy it is to make small adjustments in your established processes to become fully compliant.
