GDPR and PECR GUIDANCE IN A NUTSHELL FOR SPECIALISTINFO USERS

A number of our customers, subscribers and registrants have enquired about the General Data Protection Regulation ('GDPR'), which comes into force on 25 May 2018. This document aims to provide the relevant information, including links to guidance published by the Information Commissioner's Office ('ICO') and the Direct Marketing Association ('DMA').

The Privacy and Electronic Communications Regulations ('PECR') apply to marketing emails and remain in force unchanged on 25 May 2018 as they have been since 2003 (and last amended in 2016).

Brief Summary

GDPR is concerned with the storage and processing of personal data, including names and email addresses. PECR is concerned with email marketing. An email cannot be sent without storing and processing the personal data concerned, so GDPR applies to this aspect of sending emails. GDPR allows the storage and processing of personal data under six lawful grounds. For many businesses, the most applicable of these grounds is "Legitimate Interests".

The Guidance from the ICO on Legitimate Interests can be found here:
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/

Further useful information can be found at:
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/

The above article, under the heading "Can we use legitimate interests for our marketing activities?" states that Recital 47 of the GDPR says:
"...The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

The information at the following link describes the process of completing a Legitimate Interests Assessment ('LIA'):
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/

Other Useful Information

The DMA website includes the following useful links:
GDPR Guidance for Marketers at:
dma.org.uk/article/dma-gdpr-guidance-for-marketers?utm_source=Adestra&utm_medium=email&utm_term=&utm_content=Learn%20more&utm_campaign=%20Responsible%20round%20up%204%2F04%2F18

GDPR for Marketers: The essentials at:
dma.org.uk/uploads/misc/5aabd9a90feff-gdpr-essentials-for-marketers----an-introduction-to-the-gdpr_5aabd9a90fe17.pdf

Direct Marketing

With regard to direct marketing, the above article states on page 18 that:
"During a parliamentary debate, the DMA advocated that a business' legitimate interests were recognised alongside the customer's right to privacy. Communicating to prospects and customers is the essential lifeblood of commercial success so direct marketing is recognised specifically in the text as a legitimate interest in Recital 47.
"Marketers have always been able to rely on the legitimate interests condition as an alternative to consent under Data Protection Act 1998 ('DP 98'), in cases where the Privacy and Electronic Communications Regulations (PECR) - which preceded DP 98 - wasn't applicable. However, this legal basis was not stated as explicitly in DP 98 as it is in the GDPR.

"Legitimate interests is one of six legal grounds in the new law that allows the processing of personal data. All of these legal bases are equally valid. The specific information needed for valid consent is rigorous, which can make it problematic to use for direct marketing activities. The DMA expects legitimate interests to be a widely used lawful basis for processing, particularly given the high level of flexibility given to organisations in explaining and documenting their rationale for processing activity.

"The GDPR says: 'The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest' (see Recital 47 of the GDPR text for further information).

"In addition, the GDPR says that processing is lawful if it is: 'Necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child' (see Article 6.1(f) of the GDPR text for further information)."

Marketing Emails

SpecialistInfo only provides email addresses (on request) to customers that are in healthcare-related organisations. Such customers may be interested in the guidance from the ICO on sending work-related marketing emails, which can be found at this link:
ico.org.uk/for-the-public/online/spam-emails/
The above article states:
"If you [the recipient of a marketing email] receive a marketing email that you don't want from an identifiable and legitimate UK based organisation that you know and trust, you should first use the 'unsubscribe' link provided on the email. The organisation should then stop sending you marketing emails. Legitimate, well-known companies will offer opt-outs, and in many cases things can be resolved quickly without us [the ICO] getting involved".

It also states that:
"If you work for a corporate body (that is a company, Scottish partnership, limited liability partnership or government body), organisations are allowed to send marketing emails to your work email address without your consent".

Fines

The Information Commissioner has commented on fines in the article below.
iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/
In the article, the Commissioner states that:
"This law is not about fines. It is about putting the consumer and citizen first...
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point...
It's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm...
The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick...
Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."

The ICO's stated policy is one of proportionality, and it has never issued the maximum fine of £500,000.

Privacy Notices

Information you must display in your privacy notice includes:
  • Name of organisation
  • DPO contact details, where applicable
  • Whether the data will be used for direct marketing
  • Categories of personal data
  • Purposes of the processing
  • Categories of recipients of the data (who will get to see it)
  • What legal ground the organisation is relying on
  • Third parties the data will be shared with (this might be specifically named third parties or sectors - the ICO will publish formal guidance)
  • Countries outside the EU where personal data might be stored or processed
  • How long the personal data will be kept
  • Inform people of their rights and how they would exercise them
  • A reminder that people can withdraw consent
  • Inform people that they can complain to the ICO
  • Information about automated decision-making, including profiling

This information must be displayed at a minimum in "clear and plain language" and must be relevant to the audience (see Article 12 of the GDPR text for further information).

If you would like to discuss this further with us, please contact Hugh Whiteside on 01423 562003.
SpecialistInfo, 19 East Parade, Harrogate HG1 5LF, United Kingdom
SpecialistInfo.com