GDPR guide for dummies – Master B2B GDPR & PECR for Business 2021


What is GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation introduced in 2018 to ensure a consistent level of data protection throughout the EEA. This allows information to flow more easily across borders whilst maintaining an adequate level of protection for data subjects (that’s you and me).

The Data Protection Act 2018 is the United Kingdom’s interpretation of this regulation. The regulation makes data transfer within Europe relatively easy, but what does it mean for the average person, the ‘data subject’?

The GDPR sets out requirements for companies and organisations on how they handle your data and what they can and can’t do with that data.

What is PECR?

The PECR (Privacy and Electronic Communications Regulations 2003) is the UK law derived from the EU’s E-Privacy Directive 2002. Elements of PECR are woven into the fabric of GDPR, especially concerning ‘cookies’ and electronic marketing.

Before I go any further, the difference between a ‘directive’ and a ‘regulation’ is worth explaining. An EU directive requires member states to write their own law on a specific topic, which allows each state to interpret it slightly differently and means there is hardly any consistency across the Union. A regulation is a set of rules that member states have to adopt as they stand, which is where the consistency comes from. The E-Privacy Directive is soon to be replaced by the E-Privacy Regulation (although no date has been given), so keep your eyes peeled for that!

Beyond cookies and electronic marketing, PECR also covers the security of electronic communications services and the privacy of customers using communications networks.

How do GDPR and PECR affect companies and their marketing?

So how do these two laws affect marketing, and in particular Business to Business marketing?

The first point to consider: if you are marketing to businesses that are set up as either a ‘Sole Trader’ or a ‘Partnership’, then the marketing rules are stricter and you must treat them in the same way you would an individual. If the business you are marketing to is a Ltd company or a corporate entity, then the rules are slightly softer. There is then a further distinction between the methods of communication used to ‘market’ your service.

(Spoiler alert – consent isn’t necessarily required for all forms of marketing.)

For the likes of postal mailing, as a business, you are only required to offer an opt-out option to data subjects or employees (if you are targeting a specific person within an organisation). If you are mailing a corporate entity, then there is no requirement to offer an opt-out, but it may be seen as best practice to offer one.

To truly understand how GDPR and PECR affect your business and your marketing strategy, the best thing you can do is speak to someone, as each business has its own unique strategy and unique risk appetite. Marketing shouldn’t be seen as a one-size-fits-all exercise!

When do GDPR and PECR apply?

Marketing covers (rather broadly) not only the sale of products and services but also the promotion of aims and ideals. PECR then comes into force if you are communicating this by electronic means (telephone, email, text, fax). Marketing is, in my opinion, one of the riskiest activities for a business under the GDPR. Whilst cyber attacks and security breaches make the front-page news stories, with companies being fined up to 4% of turnover, marketing fines for non-compliance are handed out far more frequently; the fine amount is significantly lower, however, and varies with the scale and context of the breach. A list of fines can be found on the ICO’s website, so do check that out if you want to understand the enforcement action taken to date in a more ‘real-world’ context.

What is consent?

For businesses or organisations to process personal information they require a legal basis to do so. There are six legal bases, of which consent is one. There is a high bar to hit when using consent as a legal basis: it must be freely given to be valid, and it must be as easy for the data subject to withdraw as it is to give. It must also be clear and transparent (the customer needs to know exactly what they are signing up for) and require positive confirmation (i.e. ‘tick this box to receive marketing’ rather than ‘tick this box to not receive marketing’).

There are various ways to manage consent, but it isn’t necessarily as straightforward as you may think, and in some instances it is not an appropriate legal basis at all.

My question to you – is consent really appropriate in what you are doing?

Why are GDPR and PECR important?

From a data subject’s standpoint, the GDPR and PECR hold businesses to account and make the world of data a little more transparent and approachable for all. From a company’s perspective, they are incredibly important given that non-compliance could land you with a hefty fine!

Some common terms explained

  • PII – Personally Identifiable Information
  • Data Processing/Processing – Any action performed upon data
  • Data Subject – A living human being
  • Data Processor – An organisation that processes personal data
  • Legal Basis – Your legal reason for processing that piece of information
  • DPA – Data Protection Act OR Data Protection Authority
  • DPO – Data Protection Officer
  • DPIA – Data Protection Impact Assessment
  • ICO – Information Commissioner’s Office (UK regulator)
  • B2B – Business to Business Marketing

Alexander Beckett, Information Risk Management Consultant
Information Risk Professional, working in Data Privacy, Cyber Incident Management and Supplier and Third Party Assurance, CIPP/E qualified.