GDPR and PECR GUIDANCE
A number of our customers, subscribers and registrants have enquired about the General Data Protection Regulation (‘GDPR’), which comes into force on 25 May 2018. This document aims to provide the relevant information, including links to guidance published by the Information Commissioner’s Office (‘ICO’) and the Direct Marketing Association (‘DMA’).
The Privacy and Electronic Communications Regulations (‘PECR’) apply to marketing emails and remain in force on 25 May 2018, as they have been since 2003 (they were last amended in 2016).
GDPR is concerned with the storage and processing of personal data, including names and email addresses. PECR is concerned with email marketing. An email cannot be sent without storing and processing the personal data concerned, and GDPR applies to this aspect of sending emails. GDPR allows storage and processing of personal data under six lawful grounds. For many businesses, the most applicable of the possible grounds is “Legitimate Interests”.
The Guidance from the ICO on Legitimate Interests can be found here:
Further useful information can be found at:
The above article, under the heading “Can we use legitimate interests for our marketing activities?” states that Recital 47 of the GDPR says:
“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The information at the following link describes the process of completing a Legitimate Interests Assessment (‘LIA’):
Other Useful Information
The DMA website includes the following useful links:
GDPR Guidance for Marketers at:
GDPR for Marketers: The essentials at:
With regard to direct marketing, the above article states on page 18 that:
“During a parliamentary debate, the DMA advocated that a business’ legitimate interests were recognised alongside the customer’s right to privacy. Communicating to prospects and customers is the essential lifeblood of commercial success so direct marketing is recognised specifically in the text as a legitimate interest in Recital 47.
“Marketers have always been able to rely on the legitimate interests condition as an alternative to consent under Data Protection Act 1998 (‘DP 98’), in cases where the Privacy and Electronic Communications Regulations (PECR) – which preceded DP 98 – wasn’t applicable. However, this legal basis was not stated as explicitly in DP 98 as it is in the GDPR.
“Legitimate interests is one of six legal grounds in the new law that allows the processing of personal data. All of these legal bases are equally valid. The specific information needed for valid consent is rigorous, which can make it problematic to use for direct marketing activities. The DMA expects legitimate interests to be a widely used lawful basis for processing, particularly given the high level of flexibility given to organisations in explaining and documenting their rationale for processing activity.
“The GDPR says: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’ (see Recital 47 of the GDPR text for further information).
“In addition, the GDPR says that processing is lawful if it is: ‘Necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child’ (see Article 6.1(f) of the GDPR text for further information).”
Brandon & Robertson Associates Ltd only provides email addresses to clients if they are requested and they are in healthcare-related organisations. Such clients may be interested in the guidance from the ICO on sending work-related marketing emails, which can be found at this link:
The above article states:
“If you [the recipient of a marketing email] receive a marketing email that you don’t want from an identifiable and legitimate UK based organisation that you know and trust, you should first use the ‘unsubscribe’ link provided on the email. The organisation should then stop sending you marketing emails. Legitimate, well-known companies will offer opt-outs, and in many cases things can be resolved quickly without the ICO getting involved”.
It also states that:
“If you work for a corporate body (that is a company, Scottish partnership, limited liability partnership or government body), organisations are allowed to send marketing emails to your work email address without your consent”.
With regard to fines, on page 17 of this article it states that:
“The Information Commissioner has told the DMA that the GDPR is not about seeking to issue as many fines as possible. For them, GDPR and its implementation is about putting the consumer and citizen first. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. The ICO policy has always been one of proportionality: it would much rather educate an organisation and see it correct bad practice before even talking about fines. Even with its current enforcement powers, the ICO has never issued the maximum fine of £500,000.
The size of the organisation, the impact of the breach and whether or not sufficient policies and procedures are in place to justify action/accountability will all be taken into account”.
Information you must display in your privacy notice includes:
- Name of organisation
- DPO contact details, where applicable
- Whether the data will be used for direct marketing
- Categories of personal data
- Purposes of the processing
- Categories of recipients of the data (who will get to see it)
- What legal ground the organisation is relying on
- Third parties the data will be shared with (this might be specifically named third parties or sectors – the ICO will publish formal guidance)
- Countries outside the EU where personal data might be stored or processed
- How long the personal data will be kept
- Inform people of their rights and how they would exercise them
- A reminder that people can withdraw consent
- Inform people that they can complain to the ICO
- Information about automated decision-making, including profiling
This information must be displayed at a minimum in “clear and plain language” and must be relevant to the audience (see Article 12 of the GDPR text for further information).