GDPR in Media. Regulations Complicate Campaign Planning and Execution

graphic: Doofy Design/CC0/Pixabay.com

According to the SAS survey "GDPR: The right to remain private," GDPR has most impacted the business landscape for social media and retail companies. Users and clients in these industries most often request deletion or stop the use of their data for marketing purposes.

Companies most affected by GDPR:

• social media - 43%
• retail - 41%
• insurance - 35%
• energy suppliers - 34%

The insurance sector faces particular challenges. Agents gather sensitive information not only about income and family situation but also about lifestyle and habits. If this data is lost, the organization and its clients face serious consequences. A third party with such details could use them for blackmail, targeting both the data owner and the agent. In such cases, companies must notify the Personal Data Protection Office and the affected individuals within 72 hours.


- Interpreting the new GDPR data protection rules is also challenging for online marketing organizations. The law requires internet portals to disclose all entities to whom they transfer user data, explains Dr. Paweł Mielniczek, data protection expert at ODO 24. - Furthermore, EU regulations empower users to decide whether they agree to be tracked for advertising purposes. These rules have made campaign planning and execution considerably more difficult.

"Most Polish news portals and online stores have adopted consent mechanisms designed in a way that makes it hard to refuse consent," according to information from the Panoptykon Foundation. Unfortunately, this approach, which forces or assumes consent, does not comply with current regulations. According to Recital 32 of the GDPR preamble: Consent should be given by a clear, affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data, for example, in the form of a written (including electronic) or oral statement.

- After GDPR implementation, businesses often rushed to establish new data policies. Unfortunately, many of these policies do not fully align with the intentions of the European Parliament, concludes Dr. Paweł Mielniczek, data protection expert at ODO 24. - It`s worth revisiting them, perhaps with a specialized external firm, to avoid unpleasant consequences like high fines.

GDPR and Press Releases

Do the new regulations require journalist consent to send press releases? Experts suggest two legal grounds: consent and the legitimate interest of the data controller. One may wonder which is safer.

- It seems that consent is currently the safer option, says Michał Sztąberek, president of iSecure, in an interview with infoWire.pl. - Press releases may often be considered commercial information sent electronically, and the Law on Electronic Service Provision requires consent in such cases.

What if we requested permission to send press releases but received no response? Unfortunately, silence indicates no consent.

Sometimes, a company decides to share its journalist database with a PR agency so that the agency can send press releases to editors. In such cases, it is best if the data controller (company) signs a data processing agreement with the processor (agency).

Report "GDPR: The right to remain private"

source: SAS