In May 2018, new EU regulations on data protection known as the General Data Protection Regulation (GDPR) came into effect, causing businesses to scramble to gain proof of consent from customers amid concerns that mailing lists would be decimated.
The Privacy and Electronic Communications Regulations (PECR) has not been so prominent, but it’s another piece of legislation that needs attention.
PECR complements GDPR and provides more specific protection in electronic communications; in particular, rules concerning marketing emails, text messages and telemarketing calls. While marketers need to manage the processing of personal data under GDPR, PECR covers areas like emarketing, tracking cookies and the privacy of customers using communications networks or services.
GDPR centres on personal data, a fact that led some B2B marketers to believe the law didn’t apply to them. PECR, which relates to email marketing, is currently in review (enforcement is predicted for 2019 but no date is yet confirmed), and there is clear indication that it will be brought in line with GDPR. PECR previously stated that a soft opt-out approach was sufficient for B2B marketing, but this is likely to change with the introduction of the new ePR.
With over 95,000 complaints in its first year and 59,000 data breaches reported in February 2019 alone, GDPR represents a significant challenge in data collection. PECR brings B2B communications under the same scrutiny, meaning businesses must continue to be vigilant across the board.
As a company at the cutting edge of data collection and analytics solutions for airports and car parks, Rezcomm makes secure processing of data a primary concern, and we’re always up-to-date and in compliance with the latest laws. You can read more about the legislation, how it affects your airport, and how we can help, in our blogs:
We summarised these key points last year when the law was coming into force, but as GDPR compliance is an ongoing task and the same principles apply under PECR, let’s go through them again:
Under the new regulations the definition of ‘personal data’ changed. ‘Personal data’ now means any information gathered about an individual even if it isn’t at all personal. This still applies when they can’t be identified by the data, because all data can potentially be used to identify someone when combined with other data. This broad definition includes data such as IP addresses, cookie strings, and device identifiers.
Data collectors are responsible for making it clear that they’re in compliance with data protection laws. It’s also necessary to let people know what you’re going to do with data once it’s collected, and what the rights of the data subject are. To simplify: if a person is giving their data willingly, then your business must be willing to make it clear how that data is being processed and what it is going to be used for.
Transparency and clarity are at the core of the GDPR legislation. As well as demonstrating compliance, companies must ensure that the process of giving consent is clear. According to the guidelines, the person providing their data must give their consent through “a statement or clear affirmative action”. In other words, they must be made aware of what they’re doing and what the consequences will be, so they can respond in an equally clear way.
Rounding out the trio of key points concerning transparency, let’s look at the crackdown on ambiguous privacy statements. Statements deliberately designed to attract ‘consent’ by obfuscation are now illegal. So if your consent CTA says something like, “If you don’t wish to receive offers from us in the future, please indicate yes by not ticking the box below,” you’re in breach. The reworking of the language used in privacy statements into plain English was an important task for many companies in May 2018.
Despite these new rules regarding transparency there is still some opacity in direct marketing regarding what is defined as ‘legitimate interest’ – an alternative to consent. Legitimate interests are determined based on whether the person submitting the data already has a relationship with the data collector, and whether the interests and rights of the person are overriding. However, this only concerns postal and telephone marketing, and not email marketing.
GDPR stipulates that once a company has gained consent to use a person’s data that company must keep proof of consent. This means that the data collector should be able to show a complete history of an individual’s data, from the moment of consent, if requested by auditors. GDPR also gives consumers the ‘right to be forgotten’ if they request that their data is removed from the system. It is just as much the customer’s right to withdraw consent as it is to give it.
Before GDPR there were no guidelines for profiling and segmentation. This changed in 2018. Under GDPR, those giving their data have the right not to be segmented. While this could create new challenges, developing friendly language to make people aware of how their data is going to be used will prevent many from asking to be removed from segmented lists.
In the event of a data breach, companies handling data have 72 hours to notify their local data protection authority. This means it is essential to have the technology and resources in place to identify and deal with a data breach. High-profile data breaches have become more common in recent years, and increasingly public, highlighting the need for stricter measures when the security of users’ data is compromised.
The bottom line of GDPR is that people now have more rights relating to what happens to their data. This means that companies must erase a person’s data if requested, free of charge.
If protecting customers’ rights isn’t incentive enough for companies to comply with the new law, the significant penalties should be: failure to meet the guidelines could result in fines of up to €20 million or 4% of annual worldwide turnover.
PECR and GDPR each reflect a different segment of EU law. While GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, the ePrivacy regulation enshrines Article 7 in relation to a person’s private life. The private sphere of the end-user is protected under the ePrivacy (PECR) regulations, making it a requirement to protect user privacy in every online interaction. Remember, this regulation is designed to complement GDPR, and the rules of GDPR are always applicable as an overriding part of data protection.
The ePR directive takes the broad online retail sector into account in terms of how personal data might be used. Where PECR traditionally allowed for a soft opt-out approach in B2B marketing, now this will apply depending on the classification of an organisation.
DPAS Chief Data Protection Officer Nigel Gooding comments:
The perceived conflict of e-marketing regulations and GDPR is a complex one. In 2017 the UK regulator issued 39 fines; 30 of them were for PECR regulation infringements and just 9 for breaches of the Data Protection Act. One of those was UK airline Flybe, who added marketing information to the footer of a service update notice against the express consent of users. With markets such as AdTech under the spotlight from regulators, it is important marketeers and travel operators are able to demonstrate compliance.
Data belonging to these people or their companies (for example self-employed people) is considered to be personal information. Opt-in is required for this group to receive communications.
These organisations do not need to be opted in to receive email marketing communications, but there must be a clear option for them to opt out. However, as all our knowledge about successful campaigns shows us, an opted-in list always generates better engagement and results, so it is best to encourage opt-in from these contacts where possible.
PECR allows for soft opt-in during the negotiation of a sale. However, the new ePR regulation will require that any email communication with these people will be limited to ‘the context of the sale of a product or service’. This means you cannot send marketing messages unrelated to the product or service purchased unless the consumer, sole trader or partnership has actively opted in. Once a contact is no longer classed as a customer, it is important to gain active opt-in if you wish to continue sending email marketing communications to that contact.
If you have any further questions regarding data protection and data collection, the team at Data Privacy Advisory Service will be happy to help.
Rezcomm is always working to ensure that its ecommerce, CRM and BI solutions are in compliance with the latest guidelines. This not only makes our clients feel safe, but their customers as well. If you have any questions about how GDPR could affect your business, and how our solutions could keep you safe, get in touch today.