Many businesses know of the UK GDPR, the UK data protection law regime. Far fewer are aware of the PECR regime and how its rules apply, even though the rules under both regimes are likely to affect most businesses. This article explains the difference between the UK GDPR and PECR.
What Is the UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the law governing the use of personal data. These are the rules you need to follow when processing the personal information of individuals. Depending on your business activities and how you use personal data, there are various actions you need to take to comply with the UK GDPR.
Compliance with UK GDPR is mandatory for any business using personal data. The law applies to virtually all businesses, as most businesses collect and use some form of personal data. For example, most businesses collect personal information about customers, suppliers and staff.
There are various UK GDPR compliance documents and procedures that businesses must implement, depending on how they process personal data.
Some examples of legal rules under the UK GDPR include:
- the need to follow strict legal principles when processing personal data, including having a lawful basis for data processing activities;
- providing privacy notices to the individuals from whom organisations collect personal data;
- responding to requests from individuals about their data, including data subject access requests within specific periods;
- having appropriate data security to safeguard personal data;
- ensuring cross-border data flows comply with international data transfer rules; and
- preventing personal data breaches and reporting certain breaches to the UK data protection regulator and affected individuals within specific periods.
What Are the PECR Regulations?
Most businesses know about the rules under the UK GDPR, which regulate the processing of personal data about living individuals.
However, there is less knowledge about the rules under the Privacy and Electronic Communications Regulations (PECR). PECR sets out various rules to safeguard privacy rights regarding electronic communications, which sit alongside the UK GDPR rules.
Compliance with PECR is also mandatory, and PECR prescribes rules on various issues, including:
- rules on marketing texts, emails, faxes and phone calls;
- rules on how organisations can use cookies and other similar technologies; and
- rules on keeping communications services secure and customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.
When Would a Business Need to Consider Both the UK GDPR and the PECR Rules?
Whilst each set of laws is separate, there are certain circumstances when businesses will need to comply with both.
A key example is where a business engages in ‘direct marketing activities’. Direct marketing means communicating advertising or marketing material that is directed to particular individuals. When carrying out direct marketing involving personal data, organisations must consider both the UK GDPR rules and the PECR rules.
As an example:
Email Marketing as a ‘Direct Marketing Activity’
Let us suppose you want to send marketing promotional emails to new potential consumer customers who you have not sold to or dealt with before. To do so, you will need to use their names and email addresses (which include personal data).
In this case, both the UK GDPR and PECR rules will apply as follows:
1) You will need to follow the PECR rules when sending your marketing emails. Under PECR, you will need consent to send email marketing communications to individuals. Consent needs to be freely given, specific, informed and unambiguous, and it must be given by a clear positive action. For example, the recipient can indicate consent by ticking an (unticked) box or by sending an email confirming that they agree to receive marketing emails. When sending marketing emails, you must also make clear who you are and give individuals a clear and simple way to unsubscribe.
2) As you will be processing personal data to send marketing emails, you will need a ‘lawful basis’ to process the data under the UK GDPR rules. You also need to document the lawful basis for processing personal data. Essentially this means you will need to have a valid, lawful reason to use the names and contact details of individuals for email marketing purposes.
Under the UK GDPR rules, individuals also have the right to object to the processing of their personal data. Therefore, if an individual objects to the processing of their data for direct marketing, you must stop processing it accordingly.
As per the example above, there are occasions where there will be an interplay between the UK GDPR and PECR rules. In practice, a lot of businesses need help understanding these rules. If you need support with understanding which UK GDPR and PECR rules your organisation needs to comply with, you should seek legal advice.
What Are the Consequences of Breaching the UK GDPR and the PECR?
These legal rules under the UK GDPR and the PECR are complex, and unfortunately, many businesses get this wrong.
The UK ICO (the data protection regulator) has a range of enforcement powers and can apply various penalties for non-compliance. For example, the penalties include heavy fines and prosecution of businesses breaching the rules. Additionally, breaching the laws can lead to severe reputational damage and loss of trust from customers.
Fines for breaching the UK GDPR can be £17.5 million or 4% of total worldwide annual turnover, whichever is the higher. Breaching PECR is also extremely serious, with fines of up to £500,000. As such, businesses need to ensure that they understand these rules and comply with them.
Key Takeaways
The UK GDPR rules give individuals rights in connection with the processing of their personal data. The PECR rules give individuals rights in connection with electronic communications. It is crucial that your organisation understands the differences between both sets of laws and complies with all of the applicable rules under each law.
If you need legal advice on how to ensure your compliance with the UK GDPR and PECR, contact our experienced regulatory and compliance lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.