GDPR & PECR Guidance
A number of our clients, subscribers and registrants have enquired about the General Data Protection Regulations (‘GDPR’) that are to be introduced on 25 May 2018. This document aims to provide the relevant information required, including links to information provided by the Information Commissioner’s Office (‘ICO’) and the Direct Marketing Association (‘DMA’).
The Privacy and Electronic Communications Regulations (‘PECR’) apply to marketing emails and remain in force, unchanged, on 25 May 2018, as they have been since 2003 (last amended in 2016 and 2025).
Brief Summary
GDPR is concerned with the storage and processing of personal data including names and email addresses. PECR is concerned with email marketing. An email cannot be sent without storing and processing the personal data concerned and GDPR applies to this aspect of sending emails. GDPR allows storage and processing of personal data under six lawful grounds. For many businesses, the most applicable of the possible grounds is “Legitimate Interests”.
The Guidance from the ICO on Legitimate Interests can be found here:
https://icosearch.ico.org.uk/s/search.html?collection=ico%7Esp-search&query=legitimate+interest&profile=_default
We rely on and adhere to the ICO regulations concerning the establishment of legitimate interests governing our marketing activities. The information at the following link describes the process of completing a Legitimate Interests Assessment (‘LIA’):
Other Useful Information
The DMA website includes the following useful links:
www.dma.org.uk
Direct Marketing
“Legitimate interests is one of six legal grounds in the new law that allows the processing of personal data. All of these legal bases are equally valid. The specific information needed for valid consent is rigorous, which can make it problematic to use for direct marketing activities. The DMA expects legitimate interests to be a widely used lawful basis for processing, particularly given the high level of flexibility given to organisations in explaining and documenting their rationale for processing activity.
“In addition, the GDPR says that processing is lawful if it is: ‘Necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child’ (see Article 6.1(f) of the GDPR text for further information).”
Marketing Emails
Brandon & Robertson Associates Ltd only provides email addresses to clients if they are requested and they are in related organisations. Such clients may be interested in the guidance from the ICO on sending work-related marketing emails, which can be found at:
https://icosearch.ico.org.uk/s/search.html?collection=ico%7Esp-search&query=spam+&profile=_default
Privacy Notices
Information available on our privacy policy refers to privacy notices which must include:
- Name of organisation
- DPO contact details, where applicable
- Whether the data will be used for direct marketing
- Categories of personal data
- Purposes of the processing
- Categories of recipients of the data (who will get to see it)
- What legal ground the organisation is relying on
- Third parties the data will be shared with (this might be specifically named third parties or sectors – the ICO will publish formal guidance)
- Countries outside the EU where personal data might be stored or processed
- How long the personal data will be kept
- Inform people of their rights and how they would exercise them
- A reminder that people can withdraw consent
- Inform people that they can complain to the ICO
- Information about automated decision-making, including profiling