As a business tool e-commerce is, in many markets, indispensable. So too is the use of personal data – often relating to customers – which can be a powerful resource when it comes to marketing and understanding your customers’ wants and needs.
Privacy and Electronic Communications Regulations
In the UK, the Privacy and Electronic Communications Regulations set out a variety of marketing rules which apply if you are sending marketing and advertising materials by electronic means (such as email). Crucially, specific consent will often be needed in order to send unsolicited direct marketing to individuals. A common approach is to use opt-in tick boxes when obtaining customers’ information. Furthermore, all recipients of a marketing campaign should be given a straightforward way of opting out of receiving any further marketing emails. It is also important to keep in mind that “marketing” does not necessarily mean “selling”. Indeed, even a non-profit organisation sending emails campaigning for support will be “marketing” for the purposes of the PECR.
The Privacy and Electronic Communications Regulations were due to be replaced on 25 May 2018 by the so-called ePrivacy Regulation. The ePrivacy Regulation was due to come into force alongside the GDPR (see below) and was thus designed to work hand-in-hand with it, unlike the PECR (at least in theory, although some commentators disagree). At present, however, while the GDPR is in force, the ePrivacy Regulation is still being debated at the EU level and no firm date for its implementation is currently known. The PECR will thus continue to apply, but it is worth keeping in mind that the standard of consent required is now that much stricter, thanks to the GDPR (and should now be “unambiguous”).
Data Protection - The GDPR and The Data Protection Act 2018
The use of personal data by businesses and other organisations is regulated by the EU General Data Protection Regulation, aka the GDPR. There are a range of requirements when it comes to processing personal data. You must ensure that it’s used lawfully, fairly, and in a transparent manner, and for specified purposes (which you cannot go beyond without a lawful basis to do so, e.g. consent). It is also important to keep the information accurate and up-to-date, and you should not keep it for any longer than absolutely necessary. The rights of individuals (“data subjects”) are paramount. Individuals must be kept informed about your collection and use of their personal data, and about their legal rights relating to it. Key rights under the GDPR include the right of access (i.e. to find out what data you have and what you are doing with it), the right to rectification, the right to erasure (aka the “right to be forgotten”), and rights to restrict and/or object to personal data processing.
Whether information is stored electronically or otherwise, it’s crucial that you are mindful of security risks, such as potential hacking attempts or even the case of leaving a memory stick or physical documents on the train, as you have an obligation to ensure that any personal data you process is kept secure. Furthermore, you’re not allowed to transfer this data outside the European Economic Area (EEA) without adequate protection.
Some businesses handling personal data may be additionally required to pay a Data Protection Fee to the Information Commissioner’s Office. This replaces the previous registration requirement. To find out whether you need to register, take this online self-assessment provided by the ICO.
Alongside the GDPR is the new Data Protection Act 2018. Until the UK leaves the EU in 2019, for many businesses, the Data Protection Act 2018 will be of limited relevance since its primary role is to transpose the provisions of the GDPR into UK law post-Brexit. This is not its only function, however, and it contains additional provisions over and above the GDPR covering areas such as immigration, criminal law enforcement, national security, and the duties of the ICO. For the moment, however, your focus for data protection compliance should remain the GDPR in most cases.