GDPR and PECR
The General Data Protection Regulation (GDPR) is a new law that will replace the DPA (Data Protection Act 1998) in the UK in May 2018. It is largely an evolution of the current DPA legislation but increases the rights of individuals considerably.
It is there to protect Personal Data (data about or relating to a living, identifiable individual). It relates to a Natural Person, not a legal entity like a company.
GDPR makes it mandatory to adopt a Data Protection-by-Design approach, and the data capture must be fair, lawful and fulfil a condition (see below).
The Privacy and Electronic Communications Regulations (PECR) will sit alongside the GDPR. There are specific rules on:
- marketing telephone calls, emails, texts and faxes;
- cookies (and similar) to track information about people;
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification (eg caller id) and directory listings.
Both the GDPR and PECR aim to protect people’s privacy but PECR apply even if the data is not Personal Data – many of the rules protect companies as well as individuals, and the marketing rules apply even if the person being contacted cannot be identified.
It’s important to understand that we must comply with both GDPR and PECR – one concerns the data being held and processed (which includes the reasons why we are holding the data – eg to maintain contact with the person) whilst the other covers how we communicate with the individual.
Conditions which allow the Processing of Personal Data
There are 6 conditions noted in GDPR, fulfilling any one of which will allow the processing of someone’s personal data.
- Contracts (employment, sales, agreements)
- Legal Obligation (need to be able to quote a specific law)
- Vital Interest (immediate risk of death)
- Official functions / administration of justice / public interest
- Legitimate Interest
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
This is being interpreted to mean that organisations can lawfully send direct marketing by post or call people by telephone provided that they have not objected and are not registered with the TPS.
Consent is “Any freely given specific and informed indication of wishes by which the data subject signifies their agreement to personal data relating to them being processed”
To obtain Consent it will be necessary to explain to the individual – the ‘data subject’ – what we are doing with their data, including:
- the purpose for processing their data,
- how their data is to be used,
- the condition (i.e. legal basis),
- what their rights are,
- the retention period for the data, and
- the source of the data if obtained from a third party.
Consent has to be ‘Opt In’ – there is no consent unless it is asked for specifically, and there is no consent unless the person gives it.
There are 3 further important matters to consider for any type of data processing.
- There must be a clear ability to unsubscribe
- There will need to be a Suppression list: a list of all the people who have said that they do not wish to be contacted.
- There is a Right to Be Forgotten: the right to have certain or all of the information relating to a person forgotten (or removed).
- Profiling – the use of automated techniques (using a computer or machine) to “evaluate” certain aspects of the individual. Consent or disclosure is required for this.
The Privacy and Electronic Communications Regulations 2003 apply to those who send marketing and to those they ‘instigate’ to send marketing material.
What is Electronic Communication?
Any information sent between particular parties over a phone line or internet connection. It includes phone calls, faxes, text messages, video messages, emails and internet messaging.
What is (Direct) Marketing?
The communication (by whatever means) of any advertising or marketing material which is directed to particular, specific individuals.
All advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity campaigning for support or funds.
The marketing must be directed to particular individuals. In practice, all relevant electronic messages (eg calls, faxes, texts and emails) are directed to someone, so they fall within this definition.
Routine customer service messages do not count as direct marketing – correspondence with customers to provide information they need about a current contract or past purchase (eg delivery arrangements, product safety, changes to terms and conditions).
General branding, logos or straplines in messages do not count as marketing. However, if the message includes any significant promotional material, then it includes marketing material and the rules apply.
Solicited and Unsolicited
Most of the rules in PECR only apply to unsolicited marketing messages. A solicited message is one that is actively requested. So if someone specifically asks to be sent some information, then this does not fall under PECR.
An unsolicited message is any message that has not been ‘specifically requested’. So even if the customer has ‘opted in’ to receiving marketing, it still counts as unsolicited marketing.
The TPS (Telephone Preference Service)
The TPS is the Telephone Preference Service. It is a central register of individuals who have opted out of receiving live marketing calls.
The CTPS is the Corporate TPS. It works in the same way as the TPS, but for companies and other corporate bodies (limited liability partnerships, Scottish partnerships and government bodies).
Summary – GDPR & PECR Communication Rules
| | sole traders and partnerships | companies and corporate bodies |
|---|---|---|
| Telephone Calls | OK to call provided not registered with the TPS | OK to call provided not registered with the Corporate TPS |
| | Or Opt Out | Can Opt Out |
| Email & Texts | Specific Consent Required | Can email or text Corporates |
| | Soft Opt-In | Good practice to offer opt out; individual employees can opt out |
| | Can send direct mail provided name and address obtained fairly | Can mail corporate bodies |
| | Can Opt out | Individual employees can opt out |
Our Privacy Statement
Who we are and what we do
We are The Limes Dental Practice. We have been providing the highest quality Gloucester dental care for over 60 years. We offer a full range of restorative, preventive and cosmetic dental treatments.