Tackling GDPR compliance when handling data for communication

2nd December 2019/in News, Special Interest Groups Jesper Andersen/by Julie Wilkinson

For many communication professionals, the EU’s General Data Protection Regulation (GDPR) is still a bit of a mystery and thus a minefield of potential problems. What kinds of data are you allowed to collect and store, and how can you use it? We sat down with two experts to get a better sense of it all.

For this article, we crowd-sourced questions from more than 15 different online communities of communication professionals on LinkedIn, Twitter and Facebook. We picked out the five questions that seemed to touch on the broadest themes and the specific problems communicators have trouble with again and again.

To help us answer them, we are thankful to be joined by two international GDPR experts:

  • Felix Wittern is a partner at the highly awarded European law firm Fieldfisher. As a specialist in IT and privacy law, he advises international clients, acts as a data protection officer and finds solutions in negotiations with regulators.
  • Terry Sweeney is the GDPR, Privacy and Security expert at Edelman Intelligence, a global research and analytics agency that is part of the Edelman group. He also leads their Center of Excellence, Research Operations, in Rochester, New York.

AMEC: As an agency or in-house comms team, what kinds of data and lists are you allowed to make yourself and store without collecting consent from everyone on the list? Is it GDPR-compliant to e.g. harvest reporters’ contact information from email signatures and store them in a spreadsheet? Or to make a list of politicians / opinion leaders who have spoken publicly on certain issues?

Felix: You will often be able to argue for legitimate interest (and will therefore not necessarily need to collect consent in many cases) regarding persons who are in the public interest (e.g. politicians) or who may even want to be contacted (e.g. journalists). However, collecting publicly available contact data requires informing the affected data subjects (even politicians or reporters) comprehensibly about the intended processing activities. Having said this, it can be GDPR compliant to harvest reporters’ or politicians’ contact data if you comply with transparency obligations.

Terry: GDPR doesn’t stop businesses from gathering sales leads or from tracking networks of influencers or building networks and lists, it simply provides us with guidelines to ensure we are treating someone’s data as we would want our data treated. With GDPR and other privacy and protection legislation we have an obligation to keep records about where a contact in our network came from, how the information was compiled, when and where it was collected and how and what business cases we use it for. It also ensures that any personal or sensitive data we collect is owned by the individual and there are rights associated with that.

We encourage many of our teams to include an opt-out email as part of their email signature, especially those that work with members of the press, so if a member of the press emails with their contact details they can opt out of being part of any list that might result. Information that is in the public domain (what politicians have said or what an opinion leader has spoken about) is something that is tracked and monitored but it’s what information we collect, what we do with it and how we use it that requires a higher degree of thinking. The legislation doesn’t prohibit you from making a list – it simply provides you with guidelines to use when making and using them.

AMEC: What legal requirements are there regarding consent when it comes to using Machine Learning-models to make predictions about a group of individuals? For instance, can a school use data such as attendance, grades and residence to predict which students are more likely to drop out? Or can a company use data about customers to predict a likely purchase?

Terry: I am not a legal expert on the subject of consent under GDPR so I can’t speak to the legality of the situation. I can say that in a practical business situation this seems like a plausible use of information if there is a legitimate business need and use case. Subjects in a school would likely benefit from programs specifically targeted to them after being identified “at risk” based on machine learning. Those patterns could be compiled using anonymous or pseudonymized data and then applied to current student profiles. I would assume parents could opt their children out of any program if they so choose to. And that they would have the right to have any personal or sensitive information removed from that data. I believe the same goes for a business about customers. That being said, the “perception” that you are using data incorrectly is often times what makes for a higher risk situation than actually using the data.

For a company to use data about customers to predict a likely purchase, if you are transparent and offer an easy way for customers to opt out of sharing data with you as you are required to do with GDPR then yes, you can use the data for these types of endeavours but again, you need to consider the level of reputational risk to the brand/company if you are seen to be using legal data in a way that seems overly predictive.

Felix: AI – or machine learning models – may only be used for constitutionally legitimate purposes, must be made transparent and comprehensible, avoid discrimination, and adhere to the principle of data minimisation. Inter alia, anyone using systems involving AI needs to clearly communicate responsibility and ensure lawful processing as well as data subjects’ rights. Against this background, the processing of student data in order to predict which students are better or worse would be considered critical, as AI must not give rise to potential discrimination. However, a company might use AI to evaluate purchases − provided that it is transparent about this practice and data protection rights are respected.

AMEC: How does GDPR apply for EU citizens living outside the EU? Is it best to follow GDPR guidelines wherever you are in the world?

Felix: Whether or not the GDPR applies is not determined by the citizenship of the individual. Instead, the rules for determining when the GDPR applies are as follows: If the entity collecting the data is established in the EEA, then the GDPR will apply. If the entity collecting the data is not established in the EEA, then the GDPR applies only if (a) that entity is providing goods and services to individuals who are in the EEA; or (b) that entity is monitoring the behaviour of (i.e. tracking) individuals who are in the EEA. On this basis, an EU citizen who e.g. works for a Chinese employer in China would not benefit from GDPR rights. By contrast, a Chinese citizen working for an EU employer in the EU will benefit from GDPR rights.

As a result, it is not required to follow GDPR guidelines wherever you are in the world. However, GDPR has been serving as a paradigm for other non-European legislative privacy initiatives around the world (e.g. Brazil) which is why it may often be preferable to adhere to the GDPR standard.

Terry: GDPR applies any time you are dealing with EU citizens regardless of where they are located. We’ve adopted the GDPR framework globally and used it as the basis for our company wide data privacy and protection policies. The policy covers GDPR and beyond. It’s a great best practice to think through what you are being asked to do and we encourage our teams to fill out a DPIA form or work through the basic DPIA framework for any project that involves data. Whether it be personal information, sensitive information or otherwise. It really doesn’t hurt to consider the relevant data privacy and protection implications no matter who is involved, EU citizen or not. CCPA and other consumer data protection legislation is on the rise globally so in the long run personal and sensitive data knows no geographical boundaries, so we do need to treat it all with respect.

AMEC: What is the correct GDPR-compliant way for an agency or an in-house comms team to handle retaining information of past competition winners?

Terry: I am not sure how to answer this one. I would assume that any data you collected on past competition winners would have an expiration date or would have a reasonable timeframe for use (associated with that competition and not beyond). It’s not acceptable to take that information and use it for purposes other than the competition without expressed consent from the competition user. We use data in the context of what the original ask was and any attempt to use it for any other purpose is prohibited without expressed consent of the individual involved.

Felix: If you limit data processing to the conduction of the competition the company will have to delete the data as soon as the purpose is achieved, i.e. the competition is over, and the prize has been issued. In order to be able to use the contact data of the participants for advertising and communication purposes after the competition, express and freely given consent is required.

AMEC: If an agency builds a list of target influencers for e.g. a social media campaign, in what way and under which circumstances is it okay to share that compiled data with the client or other partners?

Felix: If an agency intends to pass on personal data of target influencers to third party partners, it should ensure that this sharing is covered by the data protection information it will have to provide to the targets in the course of the collection of the data.

Terry: Influencers and double opted-in networks of influencers, who have agreed to be part of a network, are typically the best used in these circumstances. These are networks of online/social media influencers that have expressly consented to participating in these types of activities and are in some way compensated for doing so. Those influencers have explicitly agreed to be a part of campaigns that are of interest to them and can reasonably be contacted to participate.

First step in building any list with intent to transfer information to the client would be to fill out the DPIA form and ensure that both parties have talked through and agreed the terms and conditions of any agreement. From there we would look at what’s required on a case by case basis to determine what the level of risk is and what level of information is required for the project. Ensuring that data privacy and protection is front and centre in any sharing/transfer of data collected.

This article was produced as part of AMEC Measurement Month 2019.

Article featured image credit: Dennis van der Heijden on Flickr

Tags: AMEC Members, AMECagencies, AMECMM, AMECorg, Blog, GDPR, Measurement Month