Tackling GDPR compliance when handling data for communication


2nd December 2019/in News, Special Interest Groups Jesper Andersen/by Julie Wilkinson

For many communication professionals, the EU’s General Data Protection Regulation (GDPR) is still a bit of a mystery and thus a minefield of potential problems. What kinds of data are you allowed to collect and store, and how can you use it? We sat down with two experts to get a better sense of it all.

For this article, we crowd-sourced questions from more than 15 different online communities of communication professionals on LinkedIn, Twitter and Facebook. We picked out the five questions that seemed to touch on the broadest themes and the specific problems communicators have trouble with again and again.

To help us answer them, we are thankful to be joined by two international GDPR experts:

  • Felix Wittern is a partner at the highly awarded European law firm Fieldfisher. As a specialist in IT and privacy law, he advises international clients, acts as a data protection officer and finds solutions in negotiations with regulators.
  • Terry Sweeney is the GDPR, Privacy and Security expert at Edelman Intelligence, a global research and analytics agency that is part of the Edelman group. He also leads their Center of Excellence, Research Operations, in Rochester, New York.

AMEC: As an agency or in-house comms team, what kinds of data and lists are you allowed to make yourself and store without collecting consent from everyone on the list? Is it GDPR-compliant to e.g. harvest reporters’ contact information from email signatures and store them in a spreadsheet? Or to make a list of politicians / opinion leaders who have spoken publicly on certain issues?

Felix: You will often be able to argue for legitimate interest (and will therefore not necessarily need to collect consent in many cases) regarding persons who are in the public interest (e.g. politicians) or who may even want to be contacted (e.g. journalists). However, collecting publicly available contact data requires informing the affected data subjects (even politicians or reporters) comprehensibly about the intended processing activities. Having said this, it can be GDPR compliant to harvest reporters’ or politicians’ contact data if you comply with transparency obligations.

Terry: GDPR doesn’t stop businesses from gathering sales leads or from tracking networks of influencers or building networks and lists, it simply provides us with guidelines to ensure we are treating someone’s data as we would want our data treated. With GDPR and other privacy and protection legislation we have an obligation to keep records about where a contact in our network came from, how the information was compiled, when and where it was collected and how and what business cases we use it for. It also ensures that any personal or sensitive data we collect is owned by the individual and there are rights associated with that.

We encourage many of our teams to include an opt-out email as part of their email signature, especially those that work with members of the press, so if a member of the press emails with their contact details they can opt out of being part of any list that might result. Information that is in the public domain (what politicians have said or what an opinion leader has spoken about) is something that is tracked and monitored but it’s what information we collect, what we do with it and how we use it that requires a higher degree of thinking. The legislation doesn’t prohibit you from making a list – it simply provides you with guidelines to use when making and using them.

AMEC: What legal requirements are there regarding consent when it comes to using Machine Learning-models to make predictions about a group of individuals? For instance, can a school use data such as attendance, grades and residence to predict which students are more likely to drop out? Or can a company use data about customers to predict a likely purchase?

Terry: I am not a legal expert on the subject of consent under GDPR so I can’t speak to the legality of the situation. I can say that in a practical business situation this seems like a plausible use of information if there is a legitimate business need and use case. Subjects in a school would likely benefit from programs specifically targeted to them after being identified “at risk” based on machine learning. Those patterns could be compiled using anonymous or pseudonymized data and then applied to current student profiles. I would assume parents could opt their children out of any program if they so choose to. And that they would have the right to have any personal or sensitive information removed from that data. I believe the same goes for a business about customers. That being said, the “perception” that you are using data incorrectly is often times what makes for a higher risk situation than actually using the data.

For a company to use data about customers to predict a likely purchase, if you are transparent and offer an easy way for customers to opt out of sharing data with you as you are required to do with GDPR then yes, you can use the data for these types of endeavours but again, you need to consider the level of reputational risk to the brand/company if you are seen to be using legal data in a way that seems overly predictive.

Felix: AI – or machine learning models – may only be used for constitutionally legitimate purposes, must be made transparent and comprehensible, avoid discrimination, and adhere to the principle of data minimisation. Inter alia, anyone using systems involving AI needs to clearly communicate responsibility and ensure lawful processing as well as data subjects’ rights. Against this background, the processing of student data in order to predict which students are better or worse would be considered critical, as AI must not give rise to potential discrimination. However, a company might use AI to evaluate purchases − provided that it is transparent about this practice and data protection rights are respected.

AMEC: How does GDPR apply for EU citizens living outside the EU? Is it best to follow GDPR guidelines wherever you are in the world?

Felix: Whether or not the GDPR applies is not determined by the citizenship of the individual. Instead, the rules for determining when the GDPR applies are as follows: If the entity collecting the data is established in the EEA, then the GDPR will apply. If the entity collecting the data is not established in the EEA, then the GDPR applies only if (a) that entity is providing goods and services to individuals who are in the EEA; or (b) that entity is monitoring the behaviour of (i.e. tracking) individuals who are in the EEA. On this basis, an EU citizen who e.g. works for a Chinese employer in China would not benefit from GDPR rights. By contrast, a Chinese citizen working for an EU employer in the EU will benefit from GDPR rights.

As a result, it is not required to follow GDPR guidelines wherever you are in the world. However, GDPR has been serving as a paradigm for other non-European legislative privacy initiatives around the world (e.g. Brazil) which is why it may often be preferable to adhere to the GDPR standard.

Terry: GDPR applies any time you are dealing with EU citizens regardless of where they are located. We’ve adopted the GDPR framework globally and used it as the basis for our company wide data privacy and protection policies. The policy covers GDPR and beyond. It’s a great best practice to think through what you are being asked to do and we encourage our teams to fill out a DPIA form or work through the basic DPIA framework for any project that involves data. Whether it be personal information, sensitive information or otherwise. It really doesn’t hurt to consider the relevant data privacy and protection implications no matter who is involved, EU citizen or not. CCPA and other consumer data protection legislation is on the rise globally so in the long run personal and sensitive data knows no geographical boundaries, so we do need to treat it all with respect.

AMEC: What is the correct GDPR-compliant way for an agency or an in-house comms team to handle retaining information of past competition winners?

Terry: I am not sure how to answer this one. I would assume that any data you collected on past competition winners would have an expiration date or would have a reasonable timeframe for use (associated with that competition and not beyond). It’s not acceptable to take that information and use it for purposes other than the competition without expressed consent from the competition user. We use data in the context of what the original ask was and any attempt to use it for any other purpose is prohibited without expressed consent of the individual involved.

Felix: If you limit data processing to the conduction of the competition the company will have to delete the data as soon as the purpose is achieved, i.e. the competition is over, and the prize has been issued. In order to be able to use the contact data of the participants for advertising and communication purposes after the competition, express and freely given consent is required.

AMEC: If an agency builds a list of target influencers for e.g. a social media campaign, in what way and under which circumstances is it okay to share that compiled data with the client or other partners?

Felix: If an agency intends to pass on personal data of target influencers to third party partners, it should ensure that this sharing is covered by the data protection information it will have to provide to the targets in the course of the collection of the data.

Terry: Influencers and double opted-in networks of influencers, who have agreed to be part of a network, are typically the best used in these circumstances. These are networks of online/social media influencers that have expressly consented to participating in these types of activities and are in some way compensated for doing so. Those influencers have explicitly agreed to be a part of campaigns that are of interest to them and can reasonably be contacted to participate.

First step in building any list with intent to transfer information to the client would be to fill out the DPIA form and ensure that both parties have talked through and agreed the terms and conditions of any agreement. From there we would look at what’s required on a case by case basis to determine what the level of risk is and what level of information is required for the project. Ensuring that data privacy and protection is front and centre in any sharing/transfer of data collected.

This article was produced as part of AMEC Measurement Month 2019.

Article featured image credit: Dennis van der Heijden on Flickr
