<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Five Things to Remember About the PECR

Topics: Regulation, GDPR, Communication, Breach, PECR

Posted: 20 April 2017

Five Things PECR GDPR

There is not much which sits higher in the priority list of information security professionals today than the GDPR (General Data Protection Regulation). Record high penalties versus sweeping changes in the practice of collecting and processing personal data have led some information security teams to focus on nothing else in the coming 12 months.

Although positive, the pro-activity of some, namely UK airline Flybe and vehicle manufacturer Honda, have found that this form of tunnel vision comes at a price. In an attempt to comply with article five of the GDPR, ensuring that all personal data was accurate. They sent an email to all contacts, subscriber or not, asking them to update their accounts, thus breaching the requirements of the PECR (Privacy and Electronic Communication Regulation).


Wait, What? There is Another Data Protection Regulation?

It is often said that it is the younger child who is showered with all the attention, this is certainly true in the information security world. With all the attention and lime-light shining on the GDPR, many may even wonder what the PECR is.

In 2003, when the GPDR was a mere twinkle in the eye of the European Council, the PECR was enacted in response to the growing levels of electronic marketing communication. It has since been amended four times to keep its relevance in a fast-paced world. You may have noticed some of its amendments when websites responded to its requirements by adding cookie disclaimers or when the TPS (Telephone Preference Service) came into force.


Five Things to Remember

The PECR is already in force and most organisations will be fully aware of its articles, however should it have slipped from focus, here are five things to remember about the PECR:

  • There is Overlap but Not ConflictThe PECR and GDPR may appear to have some overlap, yet they have been created to focus in different areas. In the case of the GDPR, the focal point is the collection and processing of personal data. For PECR, the concern is the methods by which marketing communication is made with the data subjects among other things. The regulation covers text, email, fax and phone calls.
  • Obey the TPS – The telephone preference service is a list of phone number owners who voluntarily opt-out of marketing calls. Any organisation engaged in telephone marketing and sales need to ensure their contact lists are aligned with the latest version of the TPS and have their own list of opt-outs. Engaging in calls with business numbers is slightly different, it is permitted to contact businesses on the TPS if they have not objected to your calls in the past.
  • Always Provide an Unsubscribe Option for Email Communication – Organisations must provide a simple and easy way for contacts to remove themselves from a contact list by way of an unsubscribe link.
  • Breaches for Service Providers Must be Reported to the Supervisory Authority Within 24 HoursOnce all the facts regarding the breach have been ascertained, service providers must report a breach must be reported to the supervisory authority (the ICO – Information Commissioner’s Office in the UK) within 24 hours. This is just one third of the 72-hour deadline required by the GDPR.
  • Administrative Penalties are Just as Sharp – It is no GDPR, although with a maximum penalty of £500,000, a possible criminal prosecution or forced audits it is not to be ignored.


Three Pedals, Two Feet

In the case of Flybe and Honda, their pursuit of compliance with the GDPR lead them to a position of oversight. There was nothing malicious in their motivations, in fact they could be considered ahead of the curve in their GDPR preparations. What it demonstrates is the supervisory authorities unwavering desire to ensure that the regulations are being adhered to, regardless of the nature of the distraction.

Some time ago when I first learned to drive, I couldn’t quite understand why a human would invent a machine with three pedals considering they only had two feet. It is a perfect analogy for the reality of most things in this world. We often have too much humanly possible to focus on. The result of concentrating on spinning just one plate perfectly will most likely result in others falling through neglect.

Yet, just like learning to drive with three pedals and two feet, the art is in timing and ensuring that the things which need attention at a particular point are given no less and no more than whats required. Today it is the GDPR which needs acceleration, just don’t forget to press the brake every so often to ensure you are in line with the PECR.

GDPR Data Protection Legitimate Interests and planning your Strategy

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts