GDPR Policy

What is GDPR / PECR & DPA?

Acronym Explanations

Business Data Prospects is an award-winning organisation that achieved national recognition for our Business Data and associated Marketing Campaigns.

Here we take a more in-depth look at the above acronyms and explain the main areas covering Business to Business Data and especially B2B Email Data Regulations in the UK, across the EU and worldwide.

The Data Protection Act and GDPR Explained

This document sets out the basic principles of the Data Protection Act (DPA) to aid in understanding the new legal framework in the EU and the General Data Protection Regulation (GDPR Policy), which has been applied in the UK since 25 May 2018. 

The purpose of this document is to provide clients with a manageable, comprehensive explanation of the Data Protection laws and what BDP Agency (“We”) require from you as a client and as a data processor.

Important Points To Note

Whilst much of the new General Data Protection Regulation is already in place and agreed upon, there is still some consultation to be decided within the European Union. However, who enforced the new laws in their entirety on 25th May 2018, and Brexit did not affect these new laws being implemented.

We are still waiting for a decision on whether this will affect the Privacy & Communications Regulations, the latest update being brought into effect on 9th January 2019. Who will provide any further updates once in place?
Latest Guidance

What to expect and when… here is the latest guidance from the Information Commissioners Office (ICO).
Glossary

DM = Direct Marketing

DPA = Data Protection Act 1998

EEA = European Economic Area

EU = European Union

GDPR = General Data Protection Regulation

ICO = Information Commissioner’s Office

PECR = Privacy and Electronic Communications Regulations

Data Controller = the entity that determines the purposes, conditions and manner in which who will process the data

Data Processor = the entity obtaining, recording or holding the information or data or carrying out any operation(s) on the information or data.

Basic Principles of The Data Protection Act

Schedule 1 to the Data Protection Act lists the data protection principles. In summary, personal data should be:

Processed fairly and lawfully and should satisfy at least one condition for processing.
Obtained only for one or more specified and lawful purposes.
Adequate, relevant and not excessive to the purpose(s) it is fulfilling.
Kept Accurate and up-to-date
Shall not be kept for longer than is necessary for that purpose(s).
Processed following the rights of data subjects under this Act.
Who shall take appropriate measures against unauthorised or unlawful processing of personal data and accidental loss or damage to personal data?
Who shall not transfer personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects?

The GDPR differs from the DPA in that there is now an explicit requirement for transparency and accountability. This means it is the organisation’s own responsibility to demonstrate that they comply with the above principles.

Please see our GDPR Accountability Policy for more information on how we comply with the principles.

Article 5 of The General Data Protection Regulation

Article 5 of the GDPR privacy laws now require that personal data shall be:

(a) processed lawfully, fairly and transparently about individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; who must take every reasonable step to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; who may store personal data for longer periods insofar as who will process the personal data solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR privacy laws to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that.

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Information Commissioners Office (ICO)

The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) to process personal information to register with the ICO unless they are exempt. More than 400,000 organisations are currently registered, and BDP Agency requests that all our clients register to comply with this law.

Facts, Not Fear

GDPR Policy in a Positive Light

BDP Agency aims to provide you with our genuine advice about the new laws surrounding Business to Business Data Protection.

We struggle to find information on the internet that is not loaded with fear and can sometimes be extremely confusing. However, BDP will always provide you with reference documents from official channels to support our advice.

Here at BDP, in the run-up to the implementation of a GDPR Policy, we were struggling to find information on the internet that did not load with fear, uncertainty and doubt (FUD) to frighten you about everything or anything to do with the General Data Protection Regulation (GDPR).

Many companies took this opportunity to provide plenty of fear-based articles stating everything from how you are sticking your head in the sand…. To….how they are going to lock you up and throw away the key……countdown clocks to the chilling date in May 2018.

In our opinion, this was an unpleasant practice, and we were receiving daily calls from our clients and prospects, absolutely petrified of their next marketing move.

Please make no mistake; these companies are looking to profit from terrifying their prospects into purchasing something from them to protect your business against this fear, uncertainty and doubt.

Hopefully, we have provided some insight based on facts, not fear to set the record straight. There are some genuinely excellent companies out there that provide training and documentation for you, and we aim to provide you with as much information and advice, together with a collection of resources and all this for free too.

Our GDPR Policy Promise to Our Clients – BDP Agency will:

• Keep you up-to-date on relevant information as this is released to us
• Dedicate time to research GDPR information with B2B Data
• Provide you with reference documents from official channels to support advice
• Endeavour to explain GDPR changes in plain English and not use jargon
• Provide our clients with GDPR guidance information in a positive light
• Never create fear or scare you about GDPR
• Never charge our clients for GDPR directive information as many of our competitors do
• Provide GDPR information without requiring you to sign up with your email
• Will provide GDPR information without requiring you to complete any forms

You can register here – It is a quick and easy online submission, and the costs involved are minimal in most cases.

The ICO has also provided a data protection self-assessment tool to help assess your compliance with the DPA and find out anything you need to do. This is a handy tool that those who can use in the approach to May 2018.
Electronic Communications Regulations (PECR)

The PECR sit alongside the DPA and give people specific privacy rights about electronic communications. For example, there are specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings.

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:

market by phone, email, text or fax;
use cookies or similar technology on your website; or
compile a telephone directory (or a similar public directory)

More information on PECR is available here to ensure that you have sufficient and effective policies and procedures in place and to explain more about audits.

General Data Protection Regulation (GDPR) came into effect on 25^th May 2018.