Data protection and marketing are so closely interconnected that no marketing plan involving data can move forward without getting data protection right. GDPR – General Data Protection Regulation – and PECR – Privacy and Electronic Communication Regulations – are regulations concerning data protection that marketers must familiarise themselves with.
The two regulations are complementary, indeed in some respects you could say PECR adds detail, but only in some respects.
The key difference is that GDPR relates to the processing of personal data. PECR relates specifically to marketing by electronic means and covers marketing calls, texts, emails and faxes.
To add complexity, PECR, which is UK specific, will be super-ceded by the EU wide e-Privacy Regulation. Among other areas, the new regulation will apply to WhatsApp, Gmail, Skype, and Facebook Messenger.
GDPR is more specific in some respects but less specific and broader in others. It applies to all aspects involving the processing of personal data, has less detail specific to marketing, but does introduce regulations not currently covered by PECR.
GDPR itself supersedes the Data Protection Act, and the ICO, the UK organisation responsible for regulating data protection and privacy regulations, states: “Nothing in these regulations (PECR) shall relieve a person of his obligations under the Data Protection Act in relation to the processing of personal data.”
For marketers, a key area of interest concerning GDPR relates to the lawful basis for the processing of data. The regulation outlines six such bases, but in most cases, marketers only need to focus on two: consent and legitimate interests.
Consent represents an important change from PECR. Under GDPR, the bar for consent is high. Pre-ticked boxes go, the data subject must be proactive in giving consent, the consent must be unambiguous and freely given, which means it is no longer permissible to make the provision of a service conditional upon a data subject providing consent.
GDPR also requires that when data processing occurs using consent as a lawful basis, then the data must be specific – consent is no longer a catch-all thing. The same principle applies to privacy notices.
GDPR also provides regulation in the area of the right to be forgotten and subject access requests.
Legitimate interest relates to the processing of data when that processing is necessary for the legitimate interests of the data controller or for society, providing such interests are not overridden by the interests, rights or freedoms of the data subject.
In other words, if it can be shown that the processing data is in the legitimate interests of a company, then the processing of that data may be lawful, but this area is a minefield. For one thing, this basis is only lawful if you are processing data in ways a data subject would reasonably expect. For another thing, the processing must be necessary – if there is another way of achieving similar results this may be a better option. For a third thing, you must keep a record of your legitimate interest. There are further considerations too, but these three areas make good starting points for marketers.
The ICO says that direct marketing is a legitimate use of personal information, but adds: “It is important to remember, however, other rules also apply.” It then cites PECR saying, that it “restricts the circumstances in which you can market to people and other organisations by phone, text, email or other electronic means. So when sending electronic marketing messages, remember – you have to comply with both the data protection law and PECR.”
The ICO adds: “We recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.”