From 25 May 2018, General Data Protection Regulation, or GDPR, will be enforced by regulators across Europe. This need-to-know GDPR guide explains what this will mean for UK newsrooms, b2b media, and freelance journalists
Media organisations collect a lot of personal data about their audiences. The way this information is handled will undergo its biggest change in two decades, as the new European General Data Protection Regulation will bring the UK’s legislation up to speed.
Jon Baines, data protection adviser at London law firm Mishcon de Reya, says GDPR is more of an evolution of current data protection laws, than a revolution. "The UK's current Data Protection Act dates from 1998," he says, "so in many ways was out of date. But the basic principles of fairness, transparency, accuracy, purpose-limitation, or security, are unchanged for GDPR."
While GDPR applies across Europe, it is up to each member state how to legislate for specific exemptions for journalism. "News organisations, at least when they are practising journalism, as opposed to, for instance, when they are acting as an employer, will continue to have quite a wide exemption from most of the obligations, but they will not be exempt from the requirement to have appropriate security measures in place to prevent data breach," says Baines.
This includes solid cybersecurity, staff training, and contingency plans on how to respond to an information leak or a personal data breach if it occurs, to minimise the damage.
In addition, the media will generally be able to claim an exemption if the personal data they are handling is held 'with a view' to publication, if they believe that publication would be in the public interest and if complying would be incompatible with journalism. "This is potentially very broad," explains Baines, "and has generally been interpreted by the Information Commissioner and the courts as being so".
The aim of GDPR is to prevent a personal data breach which could lead to a potential maximum fine by the Information Commissioner's Office of €20m or 4 per cent of global annual turnover, whichever is higher.
"It is important to note, however, that the Commissioner has made clear that huge fines are not likely to be levied often, and that any fine has to be proportionate, which means the severity of the breach must be taken into account, but also the size and means of the organisation involved," says Baines.
He adds that news organisations should also be aware that there will continue to be a criminal offence of knowingly or recklessly obtaining or disclosing personal data from a data controller without its consent. This could cover obtaining information about someone by deception (blagging), hacking, exploiting poor security, or unauthorised leaks. "Although there is a public interest defence to this offence, there isn't a specific defence just for journalists or journalism," he concludes.
According to Baines, freelance journalists are likely to be data controllers, as they will be deciding how and why personal data will be handled. They will still be able to claim the broad exemption for journalism. This doesn't mean, however, that they are exempt from having security measures in place.
But what about b2b publishers, who generally hold publicly available information on their readership, such as work email, job title or office address? According to GDPR, these are still identifying details. "However,” Baines explains, “one of the key principles under GDPR is that personal data should be treated fairly and that revolves around what people's reasonable expectations are. It may be that someone has different expectations about how their work information is treated compared to similar information in a more private context."
It is very unlikely that, in general, the media will need to get consent to process personal data as the wide exemption for journalism applies. One circumstance in which the media might need to get consent, however, is when they are sending out electronic marketing, for example, events ticket sales. "This is a separate but related law, the Privacy and Electronic Communications Regulations 2003," says Baines, "which means that you cannot send unsolicited electronic marketing to individuals without their consent, unless you already have a customer relationship with them." He adds that GDPR has brought a sharper focus on these regulations, because it increases the potential sanctions for a breach of them.
In addition, personal data gathered for one purpose should not, as a general rule, be used for another, so the media shouldn't use contact details for marketing purposes when those details were originally gathered for the purposes of a story.
1. A lot of what journalists do is subject to an exemption, but you need to be mindful of the limits of the exemption.
2. Always make sure you have appropriate security in place when handling personal data: full disk encryption on devices, locked cupboards, diligent checking of emails to make sure they're not sent to the wrong person etc..
3. GDPR is an opportunity for those who really understand it to stand out from the crowd, so seize it.
Update: This article has been updated to clarify the extent of the Privacy and Electronic Communications Regulations 2003.
If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).
Sign up to receive job alerts of your choice by email, or manage your subscription
Featured recruiter: click to view its vacancies
Investigative journalism publication seeks editor to lead reporting on AI, Big Tech and influence operations with experience in these areas and creative ideas about how to to report on them
Subscribe to our newsletter for latest news, tips, jobs and more
End that deadline stress today and find help in our freelance directory
Cargo Force stuns the world: free 10kg shipping to India in celebration of ICC Trophy victory – offer ongoing until Sunday, 16 March!
Our 35th Newsrewired conference will be held 13 May 2025, News UK, London.
Reporters who have worked under Putin, Erdogan and the Taliban share what they have learned about how autocrats consolidate power and how communities can fight back against the erosion of democratic freedom
Leaders from The Times, Sky News and Reuters reveal why chasing fewer but more engaged readers - and embracing AI as a creative tool rather than a threat - is proving more profitable than old-school mass reach strategies
A TikTok master with 100m views, a paywall pioneer with 3,000 subscribers, and a community visionary backed by local businesses share their strategies for making independent journalism pay beyond ads
Slovakia's Dennik N broke three years of subscriber stagnation with an innovative anniversary campaign, while The New Statesman transformed podcasts from a side project into a powerful growth engine – both offering valuable lessons for media companies hitting plateaus