GDPR & PECR.

We’ve summarised the important stuff for you below.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. It’s the core of Europe’s digital and data privacy legislation.

What is GDPR?

GDPR is a set of rules designed to give data subjects more control over, and transparency about, their personal data. These regulations are designed to modernise the laws and obligations surrounding personal data, privacy and consent in the digital age.

Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it (data controllers) are obliged to protect it from misuse and abuse and to respect the fundamental rights of data subjects, or face a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, for infringements.

Processing data under GDPR

There are six lawful bases for processing data, as outlined in Article 6 of the regulation; at least one of the following must apply in order for personal data to be processed:

  • Consent: clear and unambiguous consent must be given for an individual’s personal data to be processed. Explicit consent is required when processing special categories of personal data, such as data about an individual’s ethnic origin or sexual orientation.

  • Contract: the processing is necessary to fulfil your contractual obligations, and you cannot comply without processing the individual’s personal data.

  • Legal obligation: the data needs to be processed for you to comply with a common law or statutory obligation.

  • Vital interests: the data needs to be processed to protect someone’s life. You can only rely on vital interests for health data.

  • Public task: the processing is necessary in ‘the exercise of official authority’.

  • Legitimate interest: the legitimate interest can be your own interests or the interests of third parties. Legitimate interest is more flexible than the other lawful bases and could potentially cover any data processing for any reasonable purpose. However, the processing must be necessary and must not override an individual’s rights.

Marketing under GDPR

Only two of the six lawful bases should be used for processing data for marketing purposes:

  • Consent; or

  • Legitimate interest

Whilst you can rely on either of them, you cannot rely on both. Neither is better than the other, but once you determine your basis you cannot switch.

PECR

The Privacy and Electronic Communications Regulations (PECR) sit alongside the current Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;

  • cookies (and similar technologies);

  • keeping communications services secure; and

  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

Specifically, for an email direct marketing campaign, you would not lawfully be able to email your offers without consent under PECR.