May would have been a busy month for family businesses as directors and managers fine-tuned their Data Protection Policies, contacted suppliers to seek assurances of their compliance with any data being processed by them and reviewed the extent to which they had consent for holding customer data.
Now the deadline for compliance has passed and the post-GDPR compliance deadline celebrations have faded, we turn to consider what steps need to be taken to ensure future compliance.
First, it is sensible to check that you comply with the Privacy and Electronic Communications Regulations (PECR).
Such was the attention paid to GDPR that it is easy to forget that other legislation needs to be taken into consideration. In particular, the PECR need to be borne in mind by businesses involved in direct marketing by electronic means. To engage in direct electronic marketing, you are required to have consent if marketing to “individual subscribers” – living individuals who are a party to a contract with a provider of public electronic communications. An individual with a home email address would be an individual subscriber and so communicating with him for the purposes of direct marketing would be covered by PECR. That individual at his place of work with a work email address would be a corporate subscriber and so communicating with him for the purposes of direct marketing would not be prohibited by PECR.
The regulations prevent unsolicited communications by electronic means to individual subscribers unless you have consent. The exceptions are where the contact details of the recipient of the electronic mail have been obtained in the course of a sale or negotiation of a sale of a product or service to that recipient or the direct marketing is in respect of similar products and services and the recipient has been given a simple means of refusing the use of contact details for the purposes of direct marketing. Normally, what is recommended to fulfil the obligation to give the recipient a simple means of refusing the use of his contact details is to provide an option at the foot of the email to unsubscribe. If you have been doing this routinely, you can carry on doing so. If you have not provided an unsubscribe option in the past, you need to consider the legality of sending the electronic communication.
PECR does not seek to restrict solicited marketing but only unsolicited marketing.
I should say a word about “consent”. This is defined in the underlying Directive as “any freely given and informed indication of [a person’s] wishes by which the data subject signifies his agreement to personal data relating it to him being processed”.
Determining the extent to which an indication of wishes might be said to be freely given and informed can be difficult.
Assuming, however, that you are compliant not just with GDPR but also PECR then the question which asked is what steps do you now need to take in order to ensure compliance?
You may think you are compliant but it may be worth checking this. The Information Commissioner’s Office has toolkits for data controllers and data processors. These can be found at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
You may also wish to contemplate future likely changes to your business and the possible impact of those changes on the way you hold data, the way you use it and the purpose for which you hold it. Are you contemplating introducing new software or changing suppliers? Do you need to think about a privacy impact assessment?
Additionally, you need to establish a process for reviewing that you are complying with the data principles set out in Article 5 (produced as a footnote for convenience). Your good work pre-25 May 2018 will quickly become obsolete. Things change. The identity and contact details of customers changes.
Will responsibility for future compliance remain with the same group of people who worked to secure compliance pre-25 May? Do you need to provide for succession? Are you confident that there is a process for ensuring that those responsible are kept informed of changes to the business so they can assess the impact of those changes?
And finally… training. What are your training plans for the coming year?
David Ogilvy, partner and head of Employment Law at Turcan Connell