GDPR in the newsroom

As the General Data Protection Regulation (GDPR) implementation deadline approaches, we asked Will Richmond-Coggan, Head of Data Privacy at Pitmans Law, about the impact of the GDPR on four key tools regularly used in the newsroom: email mailing lists, email systems, comments by readers, and storing information on the cloud. This is what he told us >>

1. Email mailing list platforms (such as like MailChimp)

Is it enough to be GDPR compliant, that people have signed up to our mailing list via this platform?

The important thing is to be certain of what auditable information a publication has about:

a) The date on which consent was given;

b) Whether or not consent has been revoked;

c) What privacy policy was available or provided to the individual on the date consent was given.

This is all information that the email mailing platform should be able to record and provide.

If a publication has all of the information above to hand, then it can be confident that it has the detail it needs in terms of consent and doesn’t need to reobtain consent from the data subject. This means that it can continue to process the data on the same basis, particularly if the email mailing platform provides a mandatory opt out option when emailing individuals.


2. Retention of personal data on email systems

How long can we keep personal data that we have obtained or stored via e-mail?

Anything which is stored or otherwise processed electronically (particularly if searchable or indexed) will be caught under GDPR. Data which has been captured manually, and then uploaded on an electronic system, will also be covered by the regulation.

The same safeguards and precautions apply to these electronic forms of data as with any other form of data under the GDPR. This will include an obligation to know what data you hold and not to retain data for longer than you have a lawful purpose for continuing to store it. If your data is stored in e-mails you might want to think about how you can be confident that what is on there is all relevant and necessary, and that none of it is outdated or inaccurate. Wherever there isn’t a good lawful basis for holding the data, it ought to be deleted – in accordance with your business’s retention policy.


3. Comments left by readers online

Who is responsible for a comment left by a reader featuring the name of someone who wants to be forgotten?

When it comes to comments, a publication can decide to:

  • Moderate all content before it goes up on the comments board;
  • Moderate comments retrospectively; or
  • Have an unmoderated comment sections.

This has a bearing on liability under the Defamation Act 2013, as well as under GDPR.

In any case, the publication must clearly state on its website the extent to which it takes responsibility for the publication of commentary from members of the public.

This way, readers posting comments or those visiting the platform to read the comments, will understand from the information provided (either in the privacy policy or by separate disclaimer), that the publication is not responsible for what is published.

It is recommended that you should add a note saying that you will act on matters that are a breach of your terms of use, if drawn to your attention. The publication may also wish to add a button, so that people can object to particular content that is on your website, or otherwise draw it to your attention..

Even if what was posted was to be caught by the right to be forgotten, the publication will not be liable for infringing that right, if this happens without the publication’s control and if, when it was brought to its attention, the publication took steps to try to moderate or remove the data.


4. Storage of data on the cloud

Does the storage of data on the cloud need to be on EU servers?

The best practical advice would be to ensure that storage of data in the cloud is on EU servers if at all possible.

If for any reason this is not possible, though, a publication will have to clearly state in its privacy policy that this processing takes place outside of the EU. It will also need to take extra steps to be satisfied that it is lawful to make a transfer of data to a third country.

There are two things that a publication will need to ask its cloud service to demonstrate in this connection:

  1. That they will adhere to terms which have the effect of transposing the obligations of the GDPR into the contractual relationship between them and the publication; and 
  2. That they have put in place adequate technological and organisational safeguards to protect the data being transferred – the details of these safeguards will need to be examined carefully.


The GDPR will become fully enforceable throughout the European Union on 25 May 2018. For general official GDPR information click here.


Will and the Data Privacy team at Pitmans are happy to discuss and advise on any individual challenges you might be facing with your GDPR compliance processes. If you would be interested in following this up, please contact Will by e-mail ( or by telephone a 0118 957 0369 / 07881 813468 (and yes, we do have his consent to share that personal data with you!)