Directory last updated 19 October 2021

GDPR & PECR GUIDANCE IN A NUTSHELL FOR SPECIALISTINFO USERS

Brief Summary
GDPR governs the storage and processing of personal data, which includes names and email addresses. PECR governs electronic direct marketing, including marketing email. An email cannot be sent without storing and processing the personal data concerned, so GDPR applies to that aspect of sending emails alongside PECR. GDPR permits storage and processing of personal data under one of six lawful bases (Article 6). For many businesses, the most applicable of these is "Legitimate Interests".

The Guidance from the ICO on Legitimate Interests can be found here:
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis

Further useful information can be found at:
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests

The above article, under the heading "Can we use legitimate interests for our marketing activities?" states that Recital 47 of the GDPR says: "...The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

The information at the following link describes the process of completing a Legitimate Interests Assessment ('LIA'):
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice

Other Useful Information
The DMA website includes the following useful links -

GDPR Guidance for Marketers at: dma.org.uk/article/dma-gdpr-guidance-for-marketers?

GDPR for Marketers: The essentials at: dma.org.uk/uploads/misc/5aabd9a90feff-gdpr-essentials-for-marketers

Direct Marketing
With regard to direct marketing, the above article states on page 18 that: "During a parliamentary debate, the DMA advocated that a business' legitimate interests were recognised alongside the customer's right to privacy. Communicating to prospects and customers is the essential lifeblood of commercial success so direct marketing is recognised specifically in the text as a legitimate interest in Recital 47. "Marketers have always been able to rely on the legitimate interests condition as an alternative to consent under Data Protection Act 1998 ('DP 98'), in cases where the Privacy and Electronic Communications Regulations (PECR) - which preceded DP 98 - wasn't applicable. However, this legal basis was not stated as explicitly in DP 98 as it is in the GDPR.

"Legitimate interests is one of six legal grounds in the new law that allows the processing of personal data. All of these legal bases are equally valid. The specific information needed for valid consent is rigorous, which can make it problematic to use for direct marketing activities. The DMA expects legitimate interests to be a widely used lawful basis for processing, particularly given the high level of flexibility given to organisations in explaining and documenting their rationale for processing activity.

"The GDPR says: 'The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest' (see Recital 47 of the GDPR text for further information).

"In addition, the GDPR says that processing is lawful if it is: 'Necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child' (see Article 6.1(f) of the GDPR text for further information)."

Marketing Emails
SpecialistInfo only provides email addresses (on request) to customers that are in healthcare-related organisations. Such customers may be interested in the guidance from the ICO on sending work-related marketing emails, which can be found at this link:
ico.org.uk/for-the-public/online/spam-emails/

The above article states: "If you [the recipient of a marketing email] receive a marketing email that you don't want from an identifiable and legitimate UK based organisation that you know and trust, you should first use the 'unsubscribe' link provided on the email. The organisation should then stop sending you marketing emails. Legitimate, well-known companies will offer opt-outs, and in many cases things can be resolved quickly without us [the ICO] getting involved".

It also states that: "If you work for a corporate body (that is a company, Scottish partnership, limited liability partnership or government body), organisations are allowed to send marketing emails to your work email address without your consent".

Fines
The Information Commissioner has commented on fines in an article (written before the GDPR came into force in May 2018) on ico.org.uk/about-the-ico/news-and-events/news-and-blogs/

In the article, the Commissioner states that: "This law is not about fines. It is about putting the consumer and citizen first... Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point... It's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm... The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick... Issuing fines has always been and will continue to be, a last resort. In 2016/2017, we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned." The ICO's stated policy is one of proportionality. Note that £500,000 was the maximum fine under the Data Protection Act 1998, which this article predates; under the UK GDPR and the Data Protection Act 2018 the statutory maximum is £17.5 million or 4% of annual worldwide turnover, whichever is higher, and the ICO has since issued penalties well above £500,000. Fines nonetheless remain a last resort rather than the norm.

Privacy Notices
Information you must display in your privacy notice includes:

  • Name of organisation
  • DPO contact details, where applicable
  • Whether the data will be used for direct marketing
  • Categories of personal data
  • Purposes of the processing
  • Categories of recipients of the data (who will get to see it)
  • What legal ground the organisation is relying on
  • Third parties the data will be shared with (this might be specifically named third parties or sectors; the ICO will publish formal guidance)
  • Countries outside the EU where personal data might be stored or processed
  • How long the personal data will be kept
  • Inform people of their rights and how they would exercise them
  • A reminder that people can withdraw consent (where consent is the lawful basis relied on)
  • Inform people that they can complain to the ICO
  • Information about automated decision-making, including profiling

This information must be provided in a concise, transparent, intelligible and easily accessible form, using "clear and plain language", and must be appropriate to the audience (see Articles 12 and 13 of the GDPR text for further information; Article 14 applies where the personal data were not obtained directly from the individual, as is the case for purchased contact lists).