Hello newsrooms, you have just about six months to prepare for sweeping change to data privacy regulations in the European Union. On May 25, 2018, the European Union General Data Protection Regulation (or GDPR) will go into effect. The regulation changes how customer information can be handled by businesses and public sector organizations, and organizations that don’t comply will face heavy fines.
You’re not located in the EU? If people in the EU read your material — which they do — you need to plan for the GDPR. It’s currently not completely clear how these laws may affect organizations outside of the EU, which means every organization that handles customer data needs to think about this. And to help you, I’ve made this little GDPR guide for journalists, with the help of Tim Turner, a data protection consultant based in the UK who is working with organizations to help them get ready.
Kramer: Tim, the GDPR will affect how personal data can be used. Currently news orgs. collect a lot of personal data about their audiences — can you explain a little bit about what GDPR will mean for news organizations?
Tim Turner: GDPR applies to anyone who uses personal data for professional or official purposes, so news organizations are covered as much as anyone in principle. GDPR is designed to ensure that personal data is used transparently and fairly, with individuals given a strong measure of autonomy and control over how their data is used.
Kramer: This excellent overview of GDPR by Wired UK’s Matt Burgess says there will be some exemptions for journalists, researchers, and anti-doping experts. What are the exemptions? (And why those areas?)
Turner: The exemptions apply to the fundamentals of GDPR where a journalist intends to publish a story and complying in the normal way would prevent a public interest story from being published. There is never an exemption from the requirement to keep data secure, but a journalist would be able to keep the fact that they had obtained and are using the data secret. They would be able to avoid providing data to the people whose information they are using. It's pretty wide in the UK. There are a variety of exemptions, and most are based on the idea that some interests — journalism, crime investigation, legal proceedings — are more important than individual rights.
Kramer: How do you recommend that newsrooms prepare for this law going into effect? How long would it take the worst-prepared newsroom (i.e. a small digital start-up in a non-tech hub using a custom CMS) to prepare for this?
Turner: Get hold of a good quality guide to the GDPR now. The Irish Data Protection Commissioner has published an excellent one, as have the law firm Bird and Bird. The main principles of GDPR — fairness, data quality, security — are essential to any well-run business. Don't assume that you're exempt and so you don't need to worry. An organisation that doesn't have a proper DP framework is likely to leak data and lose control of it. It's impossible to say how long any organization will take to comply, but it's not an insurmountable task. Much of it is common sense — is our data accurate? Did we obtain it in a reasonable way? Have we taken precautions?
Kramer: Do newsrooms outside of the EU need to think differently about this than newsrooms in the EU?
Turner: Yes — the EU has to demonstrate that it has the capacity and intention to reach beyond the EU's borders. Nobody really knows how this is going to work.
Kramer: Newsrooms tend to use a number of third-party tools, and there are occasional data breaches. (The commenting platform Disqus comes to mind.) Who would be responsible if there's a breach with a tool?
Turner: Third parties providing services are known as "data processors;" unless there is a detailed contract controlling what the processor does, the organization that decided to gather and process the data (known as the data controller) will always be liable.
Kramer: I'm curious about how this will work across country lines. Let's say a U.S. newsroom is in violation. What happens next?
Turner: It depends where the subject is based, and who they complain to. If I live in Germany and the news organization is based in Germany, the complaint is dealt with there. If the news organisation is based in Sweden, the complaint is passed over to Sweden to be dealt with.
Kramer: If you had to offer newsrooms one tip in the coming weeks, what would it be?
Turner: Keep control over your data — look at what data you have, and where you obtained it from. Whatever you've got, understand why you have it, how you intend to use it, and why.