What does GDPR mean for journalists?
No journalist will be immune to the most obvious impact of the new data protection rules: the relentless stream of emails asking you to opt in to mailing lists or, slightly less bothersome, informing you of a new privacy policy.
Annoying, yes, but likely to be a short-lived symptom of the General Data Protection Regulation (GDPR) coming into force.
So what does GDPR really mean for journalists, if anything?
Put simply, GDPR clarifies how organisations can process personal data, makes this more transparent and allows people more control over how their data is processed. It also gives the relevant authority – the Information Commissioner’s Office (ICO) in the UK – more power to enforce data protection rules.
Of course, if these rules were to apply in full to journalists, it could severely compromise their ability to do their job. How could you investigate a person who may have done something wrong if you are unable to store and process details about them without notifying them or getting their consent? Or if they initiated a ‘subject access request’ as soon as they got a whiff you were looking into their affairs?
Criminals, dodgy businesspeople, politicians and the like could use the new, stronger data protection rules to nobble journalists and weaken a critical pillar of our democracy.
The good news is that there are exclusions to many of the data protection rules for journalists. These existed under the old law – the Data Protection Act 1998 – and have been carried forward under GDPR by the new Data Protection Act, which was passed by Parliament today (23 May 2018).
The ‘Part 5 exemption’ under the new act applies to personal data ‘held for the purposes of freedom of expression and information’ so long as:
(a) the processing is carried out with a view to the publication… of journalistic, academic, artistic or literary material, and
(b) the controller (ie editor) reasonably believes that the publication of the material would be in the public interest.
Law Society Gazette news editor Michael Cross warned that the exemption does not give a “free pass” to journalists, adding: “The line ‘with a view to publication’ could be interpreted as allowing data subjects control over material that we don’t publish. The act also requires the Information Commissioner’s Office to keep an eye on media organisations’ compliance.”
In addition, there continues to be demand from some MPs and pressure groups for the media to be restricted further, despite the UK already being ranked 40th on the Reporters Without Borders World Press Freedom Index.
The other way GDPR will impact journalists is in the way it applies to how organisations – represented by public relations (PR) professionals – process journalists’ personal data. Unlike journalists, the PR community must comply with GDPR in full. Therefore the way they process journalists’ personal data needs to comply with the new rules.
A great deal is said about ‘consent’ in GDPR – the apparent requirement for organisations to get permission from people before they process their data. Consent simply does not work in the fast-paced, information-hungry world of journalism. While it may on the face of it be a solution to irrelevant pitches, requiring consent for PRs to contact journalists could be just as annoying for journalists and would be a damaging restriction on access to the media, as I have written before.
But consent is in fact just one of six ‘grounds for processing’ organisations can use under GDPR.
What fits the bill for PR is something called ‘legitimate interests’. What this means is that PRs have a legitimate, fair reason to process data in order to do their job. The ICO has provided specific guidance on legitimate interests and recommends organisations do a three-part test to check it is suitable – I have done a sample ‘legitimate interests assessment’ for media relations which demonstrates how this works.
Use of legitimate interests means that consent is not required but there is a requirement for transparency. Organisations using legitimate interests must make it clear what sort of data they have, where they get it from and what they do with it – and make it easy for people to opt-out. The crux of this is a clear privacy policy that explains all of these things. All other aspects of GDPR, like the need to ensure personal data is kept secure, have to be complied with.
What this means in a nutshell is that PRs will continue to process your data, but the law will motivate them to do so better. This will include keeping data more up-to-date and secure. In addition, the rules (and the potential of an ICO investigation) should put pressure on PR professionals to be more targeted in their pitches, which has got to be a good thing.
It may take time for the hysteria of GDPR to settle down. For a while some PR professionals may ask you to ‘opt in’ to their lists – entirely unnecessarily. The threat to the exclusions from data protection rules that journalists require in order to do their jobs will hopefully fade. On the whole your data will be looked after better and you should continue to be able to investigate those at the centre of your stories unhindered by GDPR.
Many thanks to Law Society Gazette news editor Michael Cross for input on this post.