GDPR for PR Agencies: How to Handle Media Contacts, Client Data, and Press Coverage Compliantly

PR agencies are in a peculiar position under GDPR. You exist to communicate — to get names, stories, and messages in front of journalists, editors, and the public. But every journalist contact database, every influencer relationship, every spokesperson profile, and every customer case study is built on personal data. And personal data means GDPR obligations.

This guide is for PR agency owners, account managers, and in-house PR leads who need practical answers, not a 40-page legal treatise.


Why PR Agencies Process Significant Personal Data

Before getting into compliance specifics, it's worth mapping the personal data that flows through a typical PR agency. Most agencies handle all of the following:

  • Journalist and editor contact databases — names, email addresses, phone numbers, publication beats, personal interests, and social media handles
  • Influencer contact lists — often including engagement metrics, audience demographics, and sometimes location and financial data (fees, payment details)
  • Client customer data — testimonials, case study subjects, and spokespeople whose stories you're telling
  • Spokesperson information — biographies, personal histories, contact details, sometimes health or family information used in human interest narratives
  • Third-party personal data used in crisis communications — data about complainants, affected individuals, or whistleblowers
  • Social media monitoring data — individual posts, sentiment data, sometimes tied to identifiable accounts
  • PR metrics involving individuals — engagement rates, coverage analysis including named journalists and commentators

Each category carries distinct GDPR obligations. Getting this wrong exposes your agency and your clients to regulatory action.


Lawful Basis for Maintaining Journalist Databases

This is the most contested area of GDPR for PR agencies, and it's worth spending time on.

PR agencies have historically maintained journalist databases — either proprietary lists or subscriptions to commercial services like Cision or Meltwater — containing personal contact details. The instinct is to claim legitimate interest as the lawful basis. But legitimate interest is not a free pass.

Under Article 6(1)(f) of GDPR, legitimate interest requires a three-part test:

  1. Purpose test — Is there a legitimate interest being pursued?
  2. Necessity test — Is processing the data necessary to achieve that interest?
  3. Balancing test — Are the controller's interests overridden by the interests or fundamental rights and freedoms of the data subject?

For journalist databases, the purpose and necessity tests are relatively straightforward — maintaining press contacts is a legitimate business purpose, and processing contact data is necessary to do so. The balancing test is where things get complicated.

Journalists, as public figures in their professional capacity, have a reduced expectation of privacy regarding their professional contact information. Their work email, publication, and beat are essentially public information. The ICO and other European data protection authorities have generally (though not unanimously) accepted legitimate interest for professional B2B contact data where the processing aligns with the individual's professional role.

The limits: Legitimate interest does not cover:

  • Personal email addresses or personal mobile numbers not shared in a professional context
  • Detailed personal profiles that go beyond professional role (personal interests, family details)
  • Any automated profiling or scoring of journalists
  • Retaining data on journalists who have explicitly asked to be removed from your lists

Best practice: Conduct and document a Legitimate Interest Assessment (LIA) for your journalist database. Keep it updated. Include the right to object in any communications with journalists.


The Media Exemption Under GDPR — and Its Limits

Article 85 of GDPR allows EU member states to provide exemptions for "journalistic purposes" and "academic, artistic or literary expression." These exemptions exist to protect press freedom. But they apply to publishers and journalists — not to PR agencies acting on behalf of clients.

The media exemption does not give PR agencies a blanket licence to ignore GDPR. Your agency is not a news organisation. You are a commercial organisation processing personal data for commercial purposes. The exemption does not apply to you.

Where the exemption matters is when you're helping a client who is a publisher or media organisation. In that context, understand that your client may be operating under different rules — but your own processing as an agency is still fully subject to GDPR.


Media Monitoring Tools as Data Processors

When you subscribe to Meltwater, Cision, Mention, Brandwatch, or similar media monitoring tools, those providers are acting as data processors on your behalf. Under GDPR Article 28, you are required to have a Data Processing Agreement (DPA) in place with each of them.

Most of these tools include DPA provisions in their standard terms or make them available on request. Your obligations:

  • Review and sign DPAs with every media monitoring tool you use
  • Understand the data flows — where is data stored? Is it transferred outside the EEA?
  • Assess adequacy — if data is transferred to the US or other third countries, is there a valid transfer mechanism (Standard Contractual Clauses, adequacy decision)?
  • Data retention — do the tools retain data beyond your needs? What is their deletion process?

The major platforms (Meltwater, Cision) typically have EEA data hosting options and established SCCs for international transfers. Smaller tools may require more due diligence.

Practical step: Build a vendor register that lists every tool your agency uses, its role (processor or sub-processor), DPA status, and data transfer mechanism. Review it quarterly.


Outreach Tools and PECR Rules for Journalist Cold Email

This is where many PR agencies unknowingly create compliance risk.

In the UK, PECR (the Privacy and Electronic Communications Regulations) and, across the EU, its equivalent the ePrivacy Directive govern commercial electronic communications. The key question: does sending a press release to a journalist you haven't previously dealt with require consent?

The generally accepted position, endorsed by the ICO, is that emailing journalists in their professional capacity about stories relevant to their beat is not a marketing communication subject to PECR's consent requirements — provided:

  1. The communication is genuinely newsworthy (not a promotional flyer dressed as a press release)
  2. You're contacting them at their work email address in their professional capacity
  3. You're not sending to personal email addresses
  4. You provide a clear and easy opt-out

Tools like Mailchimp, HubSpot, or dedicated PR outreach platforms (Prowly, Prezly, Muck Rack) used for press release distribution must still be covered by DPAs, and you should ensure unsubscribe mechanisms are functioning properly.

The risk: Batch-blasting generic press releases to purchased journalist lists using aggressive outreach automation starts to look less like press relations and more like spam marketing — at which point PECR consent requirements become relevant.


Customer Testimonials and Case Studies: Consent Requirements

When a client asks you to produce a case study featuring one of their customers, you are almost certainly processing personal data — the customer's name, company, role, and story.

The lawful basis here is consent — and it needs to be:

  • Freely given — the customer must genuinely choose to participate
  • Specific — they must understand exactly how their data will be used (named case study, press coverage, website, social media, etc.)
  • Informed — they must know who controls the data and how to withdraw consent
  • Unambiguous — they must actively agree, not simply fail to object

Produce a simple case study consent form for every case study your agency produces. It should specify:

  • The client company's name (data controller)
  • How the content will be used (blog post, press release, website, conference presentation, etc.)
  • Whether they'll be named or quoted
  • How to withdraw consent and what happens to published content if they do

When consent is withdrawn: You cannot retroactively unpublish content that is already in the public domain. However, you should stop distributing the material and should remove it from websites and downloadable assets where reasonably practicable.


Influencer Marketing Data Handling

Influencer campaigns involve processing significant amounts of personal data — and not always the influencer's.

Influencer data: Contact details, engagement metrics, audience demographics, fee structures, and correspondence are all personal data. Lawful basis is typically legitimate interest (managing a commercial relationship) or contract (where a formal agreement exists). Store this data securely, don't share it unnecessarily, and honour deletion requests from influencers who end their relationship with your agency.

Audience data: If you're running influencer campaigns that involve tracking audience engagement — pixel-based attribution, retargeting, UTM analysis — you're likely processing personal data about individuals who haven't consented to your agency's involvement. Ensure:

  • Any tracking pixels used in influencer content have a valid consent mechanism
  • You understand the data flow from influencer platforms to your analytics stack
  • Your client's privacy policy covers influencer-driven data collection

Micro-influencers and public figures: Individuals with smaller followings may have stronger privacy expectations than celebrities. Don't assume someone with 50,000 followers has consented to being profiled.


Crisis Communications and Third-Party Personal Data

Crisis comms is where personal data risks can escalate rapidly.

When managing a crisis on behalf of a client, you may handle:

  • Personal data about complainants, customers, or affected individuals
  • Information about employees involved in incidents
  • Medical or financial data if the crisis involves a product recall or financial failure
  • Personal data about whistleblowers or sources

Principles for crisis communications:

  1. Minimum necessary data — only process the personal data that is strictly necessary to manage the crisis response
  2. Separate data streams — keep crisis communications data separate from general client data; access should be restricted to the team members who need it
  3. No external sharing without authority — don't share individual personal data with journalists, even if it would help your client's narrative, without the individual's consent or a clear lawful basis
  4. Brief retention — agree with the client upfront how long crisis data will be retained and have a secure deletion process

If a crisis involves a data breach affecting individuals' personal data, remember that your client may have a 72-hour notification obligation to the relevant supervisory authority under GDPR Article 33. Your role is to support — not obstruct — that notification.


Social Media Monitoring and Personal Data

Social media monitoring tools aggregate and process content that individuals have posted publicly. But "publicly posted" does not mean "consented to processing by PR agencies."

When you monitor social media for:

  • Brand mentions
  • Competitor analysis
  • Journalist and influencer identification
  • Sentiment tracking

...you are processing personal data. The lawful basis is typically legitimate interest, but this requires careful scoping.

Key compliance points:

  • Don't store more than necessary — if you're tracking sentiment, you don't need to retain individually identifying posts indefinitely
  • Aggregated outputs — where possible, produce aggregated reports rather than storing individual-level data
  • Private account content — never attempt to access, scrape, or process content from private or protected accounts
  • Special category data — be careful with content that reveals health, political opinions, religion, or sexuality. This is special category data under GDPR Article 9 and requires explicit consent or another specific exemption to process lawfully

PR Metrics Involving Individual Engagement Data

When you report on campaign performance, you may be processing personal data about named individuals — a journalist who wrote a feature, a commentator who mentioned your client, an individual who shared a press release.

Coverage reports that simply list publications and URLs typically don't involve significant personal data risk. But engagement reports that track individual behaviour — which journalists opened your email, who clicked through, social follower analysis — involve personal data and require the same lawful basis analysis.

For journalist open and click tracking in press release emails: be cautious. Many journalists consider undisclosed tracking pixels to be an invasion of privacy. The ICO's guidance on electronic tracking is clear that tracking individuals without their knowledge raises transparency concerns. Consider disabling open tracking for press emails, or disclosing it clearly.


PR Agency GDPR Compliance Checklist

Work through this checklist to assess your agency's current position:

Lawful Basis and Policies

  • [ ] Written Legitimate Interest Assessment (LIA) for journalist and contact databases
  • [ ] Privacy policy for the agency's own website
  • [ ] Client-facing privacy notices for case study and testimonial subjects
  • [ ] Data Processing Agreements signed with all technology vendors

Data Management

  • [ ] Register of Processing Activities (ROPA) covering all data processing activities
  • [ ] Data retention schedule — how long do you keep journalist contacts, case study data, campaign data?
  • [ ] Process for handling data subject access requests (DSARs) within one month
  • [ ] Process for honouring deletion requests from journalists and contacts

Outreach and Communications

  • [ ] Unsubscribe mechanism in all press release and outreach emails
  • [ ] Opt-out requests actioned within business days and suppression list maintained
  • [ ] Outreach tools covered by DPAs

Case Studies and Testimonials

  • [ ] Written consent obtained from every named case study subject
  • [ ] Consent forms specify exact use cases
  • [ ] Process in place for handling consent withdrawals

Vendors and Sub-processors

  • [ ] Vendor register listing all tools and their roles (processor/controller)
  • [ ] DPA status confirmed for each vendor
  • [ ] International data transfer mechanisms documented

Crisis Communications

  • [ ] Protocol for restricting access to crisis-related personal data
  • [ ] Data retention policy for crisis communications material
  • [ ] Understanding of client's breach notification obligations

Getting Your Agency Compliant

Privacy compliance for PR agencies isn't just about protecting your clients — it protects your agency's own reputation and reduces the risk of supervisory authority investigations. The ICO has become increasingly active in the marketing and communications sector.

The best starting point is understanding what your agency's digital footprint actually looks like. What trackers are running on your agency website? What data processors are active? What data are you inadvertently collecting?

Run a free scan at https://app.custodia-privacy.com/scan to get a plain-English report on your website's privacy posture — no signup required, results in 60 seconds.


This post provides general information about GDPR compliance for PR agencies. It does not constitute legal advice. For advice tailored to your specific circumstances, consult a qualified data protection professional or your relevant supervisory authority.