Prominent and GDPR

apple coffee computer 459653

Everyone is talking about how the new General Data Protection Regulation (GDPR) will affect them come 25th May. Helen Rudd, MD of Prominent has been working hard to make sure we are compliant. Here, she tells us what we have been doing here at Prominent to get ready for the deadline.


GDPR might be complicated but in theory, it’s quite simple. It’s about storing and sharing data, and contacting people without their consent. The data we have and use here at Prominent is for legitimate business use – it might be for a case study, details of someone in the media with whom we want to gain coverage for a client, or perhaps someone who has signed up to receive a regular e-newsletter. We aren’t going to be spamming people or selling on their data.

However, even though we are a small business, we need our GDPR policies to be tight to ensure we can continue to operate without disruption to our clients.

We wanted to be completely transparent with everyone about how we look after, care and respect data.  This blog post should serve that commitment.

The ICO’s newly updated Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now has been invaluable in putting together our plans for post-25th May.

1. Awareness

According to the ICO you should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

As a small business it has been relatively easy for us to get up-to-speed with GDPR.  We’re all aware and updated our staff handbook to include a section on GDPR.  We will be holding a series of ‘sharing is caring’ training sessions on GDPR ahead of 25/05 to re-inforce how it affects staff on a day to day basis.

2. Information you hold

According to the ICO, you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

I have undertaken an information audit confirming what data we hold and where it comes from.  We have been in touch with suppliers such as EventBrite and PR Max and asked for written guidance on the steps they have taken to be GDPR compliant, so we are confident that, in using their services, we are also compliant.

We are also undertaking a spring clean of the data we hold to get rid of data we no longer need.  

We have started communicating with those on databases to ask them to ‘opt in’ to continue to receive marketing information from us and our clients.

3. Communicating privacy information

According to the ICO, you should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

We have updated our privacy policy using CIPR and ICO guidance and have amended our email signatures so that they contain a privacy statement.

4. Individuals’ rights

According to the ICO, you should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

We are currently updating our policy on holding data on individuals including case studies, competition winners, current and ex-members of staff and speculative CVs. Going forwards all communication with individuals which may include using personal information will include written consent for storing or sharing details – only for legitimate business use.

5. Subject access requests

According to the ICO you should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

We’re adding in a section in our privacy policy about our procedures for dealing with requests.  As a small firm, we’re confident we can respond to requests within a month.  

6. Lawful basis for processing data

According to the ICO you should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

All processing of data will be for legitimate business reasons only. Our policy will include a section on this.

7. Consent

According to the ICO you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

In the run-up to 25/05 we are contacting all of our databases asking those who haven’t already to physically ‘opt in’ to continue receiving updates from us and our clients. From 25/05 if someone hasn’t proactively ticked to receive, they won’t. Going forwards, new e-newsletter sign up forms will:

  1. Have an opt-in box 
  2. Specify methods of communication (eg by email, text, phone, recorded call, post)  
  3. Ask for consent to pass details to third parties for marketing and name, or clearly describe those third parties  

We will then record when and how we got consent, and exactly what it covers.

As we use a journalist database provider, we have gained written confirmation from them that everyone on their system has proactively opted in to be contacted. All press releases being issued from Prominent now include a statement confirming where their details came from and the option to opt out.

8. Children

According to the ICO you should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

We already have procedures in place to obtain parental permission, as appropriate, for the use of children’s personal data such as name and school.  We always get permissions if we are working with schools, for example, on PR campaigns and schools also have strict permissions in place to get parental permission via their own media and social media policies.  

9. Data breaches

According to the ICO you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

This is now covered in the Prominent staff handbook.

10. Data Protection by Design and Data Protection Impact Assessments

According to the ICO you should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation. All staff will be required to read these.

11. Data Protection Officers

According to the ICO you should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

As a small business we do not formally have to designate a DPO.  As owner and founder Prominent, I’ve designated compliance responsibility to myself.

12. International

According to the ICO if your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

This doesn’t apply to us as we don’t operate in more than one EU member state, but we will document and confirm this in our privacy notice.


Share this article:share on twitter share on facebook