There is not much which sits higher in the priority list of information security professionals today than the GDPR (General Data Protection Regulation). Record-high penalties, combined with sweeping changes in the practice of collecting and processing personal data, have led some information security teams to focus on nothing else for the coming 12 months.
Some proactive organisations, namely UK airline Flybe and vehicle manufacturer Honda, have found that this form of tunnel vision comes at a price. In an attempt to comply with Article 5 of the GDPR, which requires that personal data be kept accurate, they emailed contacts regardless of whether those contacts had consented to marketing, asking them to update their details and marketing preferences. That email was itself unsolicited direct marketing, and both were fined by the ICO for breaching the PECR (Privacy and Electronic Communications Regulations).
Wait, What? There is Another Data Protection Regulation?
It is often said that it is the youngest child who is showered with all the attention, and this is certainly true in the information security world. With all the lime-light shining on the GDPR, many may even wonder what the PECR is.
In 2003, when the GDPR was a mere twinkle in the eye of European legislators, the PECR was enacted in response to the growing volume of electronic marketing communication. It has since been amended four times to keep its relevance in a fast-paced world. You may have noticed some of its amendments when websites responded to its cookie requirements by adding cookie banners, or in the statutory backing it gives to the TPS (Telephone Preference Service).
Five Things to Remember
The PECR is already in force and most organisations will be fully aware of its articles; however, should it have slipped from focus, here are five things to remember about the PECR:
- There is Overlap but Not Conflict – The PECR and GDPR may appear to overlap, yet they were created to focus on different areas. For the GDPR, the focal point is the collection and processing of personal data. For the PECR, the concern is, among other things, the methods by which marketing communication is made to data subjects. The regulation covers text messages, email, fax and phone calls.
- Obey the TPS – The Telephone Preference Service is a list of phone numbers whose owners have voluntarily opted out of marketing calls. Any organisation engaged in telephone marketing or sales needs to screen its contact lists against the latest version of the TPS before calling, and must also maintain its own suppression list of people who have objected directly. Business numbers are treated slightly differently: they can be registered on the Corporate TPS (CTPS), and a number on either list may only be called if the subscriber has told you that they do not object to your calls.
- Always Provide an Unsubscribe Option for Email Communication – Every marketing email must give the recipient a simple and easy way to remove themselves from the contact list, typically by way of an unsubscribe link, and that request must be honoured.
- Breaches for Service Providers Must be Reported to the Supervisory Authority Within 24 Hours – Providers of public electronic communications services (telecoms operators and ISPs, for example) must report a personal data breach to the supervisory authority (the ICO – Information Commissioner’s Office in the UK) within 24 hours of becoming aware of it. If the full facts are not yet known, an initial notification still goes in within 24 hours and the remaining details follow within three days. This is just one third of the 72-hour deadline required by the GDPR.
- Administrative Penalties are Just as Sharp – It is no GDPR, but with a maximum monetary penalty of £500,000, the possibility of criminal prosecution for ignoring an enforcement notice, and compulsory audits, it is not to be ignored.
Three Pedals, Two Feet
In the case of Flybe and Honda, their pursuit of compliance with the GDPR led them into an oversight. There was nothing malicious in their motivations; in fact they could be considered ahead of the curve in their GDPR preparations. What it demonstrates is the supervisory authority's unwavering desire to ensure that all of the regulations are being adhered to, regardless of the nature of the distraction.
Some time ago, when I first learned to drive, I couldn’t quite understand why a human would invent a machine with three pedals considering they only had two feet. It is a perfect analogy for the reality of most things in this world. We often have more to focus on than is humanly possible. Concentrating on spinning just one plate perfectly will most likely result in others falling through neglect.
Yet, just like learning to drive with three pedals and two feet, the art is in timing, and in ensuring that the things which need attention at a particular point are given no less and no more than what's required. Today it is the GDPR which needs acceleration; just don’t forget to press the brake every so often to ensure you are in line with the PECR.