In the INMA Live Chat “GDPR and What It Means in Practice for News Media,” David Stevens, data protection officer at Telenet, gave an overview of General Data Protection Regulation (GDPR) put forward by the European Commission to strengthen and unify data protection for those in the European Union.   

For news media, this means assessing internal protocols and understanding which provisions are already applicable under existing regulations and which are new. GDPR rolls out in May 2018, and news media companies need to be ready. 

“There is a need to start preparing, if you haven’t started yet,” Stevens said. 

Media companies can begin making organisational and material changes to build GDPR compliance. One of the main principles the regulation imposes is the obligation of accountability. The true goal of each organisation is the ability to demonstrate privacy regulation compliance.

Crucial to this is creating a culture of compliance at your company. One way to evaluate your company’s privacy culture is to ask: “Is anyone in your organisation feeling responsible for data protection?” Every one must have an understanding of what privacy is, Stevens says. Training can help ensure a culture of data protection compliance. 

Companies should also create a data protection inventory and design privacy into new products. “Privacy should be taken care of immediately when developing a product,” Stevens says. 

Material changes, such as data breach handling and notice and consent forms are another area media companies must evaluate for compliance. Overall, Stevens says, GDPR requirements vary on the size or operations of each company. 

He shares four tips for GDPR implementation. 

  1. Get informed: “There’s lots of confusion,” Stevens says. Do your research and ask for advice if needed.
  2. Get the right people on board: No matter what size your media company is, this is not the job of one person or department. “It’s very important not to try to do it all by yourself,” he says.
  3. Start now: “We started working on the GDPR two or three years ago,” he says. With 18 or so months left, media companies must start working now.
  4. Focus on the holes in the ship: Stevens says this is about knowing where water is leaking on big ticket issues. “I would not try to focus on existing legacy issues,” he says. 

Stevens was joined by three panelists who shared their experiences with privacy regulations. 

Marte Radmann, head of product for privacy at Schibsted, says users come first in the company’s data strategy. “We try to put our users in front of everything we do,” she says. Schibsted’s legal office, product department, and back-end engineering staff work together to create privacy products for users. The company also emphasizes transparency by showing users what data it has on them. 

Being prepared for data breaches is a top priority at Mediahuis, says Annick Deseure, manager of business and market intelligence. “We’ve made a data code of conduct, which is for the entire company,” she says. The next focus of the company is to better understand how much data leaks through Facebook and advertisers.

Creating a culture of privacy compliance is about staff training, says Laura Tarhonen, privacy officer at Sanoma Media. The company approaches privacy as a new skill that everybody must acquire to work in the media world. 

Each company is different, and the variation of rules across companies and even countries means there is not one model for building GDPR compliance. Local adaptations may mean more changes later, but Stevens says the time to act is now. “I don’t think you still have the luxury of waiting.”

For more insight into how media companies are adjusting their data strategies, join INMA in London for Big Data for Media Week, 20-24 February.

INMA members can access the recorded session for free here.