How does GDPR affect my media lists?
Back to articles

How does GDPR affect my media lists?

The hot topic in marcomms right now has to be GDPR. While you’re probably already getting your head around what you need to do with data belonging to customers and prospects, if your role includes PR, whether as a client, inhouse provider or agency, you should also be thinking about how GDPR could impact the data you hold on journalists.

Here are the key points to think about...

Do you have to prove consent to make your media lists GDPR compliant?

While consent is one factor that allows the processing of personal data, it’s not the only one – in fact there are six, and data processing only needs to fulfil one of these:

(a) Consent of the data subject

(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

(c) Processing is necessary for compliance with a legal obligation

(d) Processing is necessary to protect the vital interests of a data subject or another person

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

(f ) Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

According to the Information Commissioner’s Office (ICO), ‘legitimate interests’ is the most flexible basis for data processing, and the most comfortable fit for a B2B marketing department. In a nutshell, provided that you can demonstrate that your organisation's seeking to meet the interests of the individual and that it doesn’t infringe on their rights and freedoms, you can collect and process their data.

The general consensus in the PR industry at present is that media lists fall into the bracket of ‘legitimate interests’ – as processing journalists’ personal data is central to what a PR agency or inhouse team does in order to serve them with relevant information. You can read more about that here to decide if you agree.

The Chartered Institute of Public Relations (CIPR) is advising its members as follows:

“It may be the case that public relations activity, where the processing of personal data belonging to a journalist is necessary, will be covered by the legal obligation condition (c) public interest (e) or the legitimate interests of the data controller condition (f). However, the CIPR strongly advises that you review the grounds for processing any personal data, including journalists. It may be that you need to seek consent when in doubt.”

Members of the CIPR can download the full Introduction to the General Data Protection Regulation (GDPR) at


Play safe and make sure that media relations are targeted

Bear in mind that scattergun emails containing press releases promoting product-led campaigns, sent either from agencies or inhouse teams, could be classified as unsolicited marketing. Here, there’s a definite risk of straying away from supplying information or a ‘service’.

With much still to be learnt about how GDPR will work in practice, it’s not wise to run the risk of causing a journalist to complain – the simplest way to avoid this is to make sure that what you send them is likely to be of genuine interest. Use common sense PR ethics. And, if a journalist asks to be unsubscribed from a list, make sure you follow through. That means deleting them from your list entirely.


The goalposts have moved for clients

Have you ever asked a PR agency to share the distribution list they’ve used for a press release with you? If so, you most likely received a response that it’s not their policy to share their contacts with clients. PRs spend a significant amount on media database subscriptions and invest time building up relationships with journalists, which they guard jealously as their own intellectual property – something that they don’t want to give away.

GDPR adds an interesting new slant to this bone of contention: the data a PR agency holds about a journalist, for instance in a downloaded media list, is in fact the property of the journalist. Compliance with GDPR means that your agency now has a legal obligation (as well as a strong preference) not to pass on information about journalists to customers, partners, or other parties unless it has the journalist’s express consent.

In the scenario where a client asks their PR agency to disclose who has received (or opened) a press release, the agency is now duty bound to limit feedback to very vague details such as: “It’s gone to seven journalists in such-and-such a sector.”

So don’t ask your agency to share names, email addresses, or telephone numbers – complying would put them and you in breach of GDPR. Of course, in the situation where a journalist has requested to be connected, for example to do an interview, consent has been given to share their details and there’s no problem.


Follow best practice and store journalists’ data securely

Even if you decide that your organisation is happy with the ‘legitimate interest’ as opposed to ‘consent’ basis for holding journalists’ data, you must make all the systems on which journalists’ data are collected, processed, or stored as secure as possible.

If your lists are held within a media database, then this is their responsibility, but as soon as you download or create your own lists, you need to follow the correct protocols. Your organisation should have developed its own policies. When applied to media lists, these are likely to include actions such as:

  • Deleting old, out-of-date lists
  • Password protecting documents
  • Training staff on how to handle data
  • Consolidating data into a CRM eg. HubSpot (read on for more on that)

There are more handy tips here.


Consider an ‘inbound PR’ approach

Perhaps you don’t have a media database subscription and you routinely compile your own lists from scratch. We’d recommend considering a platform like HubSpot, which offers a free CRM. If you don’t already have a marketing automation platform, you can look at a paid option that will help you to structure your content marketing and lead generation at the same time.

Using a good CRM system that has done the legwork on GDPR for you already means that your data should be secure. If you use the CRM function of a marketing automation platform for media relations, you can also exploit your website’s online newsroom or blog content to draw journalists in (‘inbound PR’)and give them the option to opt-in to receive more relevant information in the future. This creates ‘living’ lists and will mean that any new additions have confirmed direct that your content’s of interest to them. It’s a belt-and-braces win-win!

> Download our guide to CRM-powered marketing <