Wednesday 29 Nov 2017
Data Protection and GDPR Statement
PRgloo is both a processor and a controller of data.
Data Processor: When customers add contacts into their PRgloo platform, and proactively mark these contacts as ‘media’ as opposed to ‘Media Private’ or some other available tag, then PRgloo’s research team are provided with visibility of these contacts (name, email, organisation, mobile, phone number, job title) to research and validate for inclusion in our central contacts database called Gloo Influencers. In this way we are a processor of data on behalf of the customer.
PRgloo is also a Data Controller sourcing and updating personal data on journalists and government officials for use by our customers. This is made available within the module called ‘Gloo Influencers’.
The purpose of Data Processing by PRgloo is to provide customers with personal data on journalists from the UK, EU and globally so that targeted communications can be sent to them in line with the wishes of the data subjects, namely that they be sent targeted news so that they can perform their professional functions. The data processed from our customers is available for the exclusive use of our customers.
We comply with the following GDPR principles:
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. PRgloo uses “(f) Legitimate interests”.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
There are three elements to the legitimate interests basis.
PRgloo and Necessary Processing
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data. It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.
In order to supply journalists with information with which to write stories, it is necessary to store contact information (name, email, phone number) along with details of what they are interested in receiving (from social media, their job title, their author profile page on their publication website, etc.).
PRgloo and the Lawful Principle
PRgloo and Fairness Principle
Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
PRgloo deals only with journalists and only processes information made publicly available by the journalist for this purpose. A typical example would be storing the data held on the ‘contact us’ page of the publication website or information made available on the contact’s Twitter handle (often in the form of “got a story – email me today”). The data is only made available to communication professionals who aim to send news to these individuals as expected by the journalists.
PRgloo and the Transparency Principle
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important - as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’. You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.
In PRgloo every email communication with the journalist comes with a link to the customer’s privacy and GDPR policy plus a link to unsubscribe with one click. Each customer has the ability to respond to a subject access request to show all the data currently stored on each individual data subject. PRgloo also publishes their GDPR statement and provides the ability for a contact to have their details permanently removed.
Q: Does PRgloo have an effective process to identify, report, manage and resolve any personal data breaches?
A: Yes, we have an internal process to identify, report and resolve personal data breaches of that data which we control and that data which we process.
Q: Does PRgloo have a process to routinely and securely dispose of personal data that is no longer required in line with agreed timescales?
A: Yes. We do this for data we control (journalist, customer and sales leads) and data which we process (journalist data from the customer).
Q. Does PRgloo have a process in place to meet the GDPR reporting timeframe for breaches?
A. All breaches are reported to the affected parties within 2 hours of discovery and to the ICO within 72 hours.
Q. At the end of the contract what will happen to the data processed by PRgloo?
A. PRgloo does not hold processed data and this is due to the special way in which we use the data. When a customer logs an interaction with a journalist who is not in our contact database, they can choose to submit that person for addition into our contact database. At this point, PRgloo becomes a processor of that data. Once received, PRgloo's researchers will then go and find all publicly verifiable information about this person. Whatever they find, they then add to the central contact database (for which PRgloo is the data controller). Any non-verifiable personal data stays within the customer's section of PRgloo; the customer is then the data controller and is responsible for its upkeep. At the end of the contract the customer can then download all their data.
Q. Does PRgloo have a process for obtaining consent and processing data?
A. We comply with article 9(2)(e) Conditions for special categories of data where – “Processing relates to personal data manifestly made public by the data subject” in order to establish consent and therefore the lawfulness of the processing. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the Gloo Influencers database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency without having to obtain consent from the data subjects in advance.
Q. Does PRgloo make sure data is kept in a simple format which is easy to understand by the general public in the event the data is requested via a subject access request?
A. Yes. Within the platform you can click a 'Subject Access Request' button which exports a Word document outlining all the customer's interaction with this contact together with all the data held on this contact by PRgloo and the customer combined.