What is GDPR / PECR & DPA?
Acronym Explanations
Business Data Prospects is an award winning organisation that achieved national recognition for our Business Data and associated Marketing Campaigns.
Here we take a more in-depth look at the above acronyms and provide an explanation for the main areas that cover Business to Business Data and especially B2B Email Data Regulations here in the UK, across the EU and worldwide.
The Data Protection Act and GDPR Explained
This document sets out the basic principles of the Data Protection Act (DPA) to aid in understanding the new legal framework in the EU, and the General Data Protection Regulation (GDPR Policy) which has applied in the UK since 25 May 2018. The purpose of this document is to provide clients with a manageable, comprehensive explanation of the Data Protection laws and what BDP Agency (“We”) require from you as a client and as a data processor.
Important Points To Note
Whilst much of the new General Data Protection Regulation is already in place and agreed upon, there is still some consultation to be decided within the European Union. The new laws were enforced in their entirely on 25th May 2018 and Brexit had no effect on these new laws being implemented.
We are still waiting for a decision on whether this will effect the Privacy & Communications Regulations, the latest update being brought into effect on 9th January 2019, any further updates will be provided once in place.
Latest Guidance
What to expect and when… here is the latest guidance from the Information Commissioners Office (ICO).
Glossary
DM = Direct Marketing
DPA = Data Protection Act 1998
EEA = European Economic Area
EU = European Union
GDPR = General Data Protection Regulation
ICO = Information Commissioner’s Office
PECR = Privacy and Electronic Communications Regulations
Data Controller = the entity that determines the purposes, conditions and manner in which the data will be processed
Data Processor = the entity obtaining, recording or holding the information or data or carrying out any operation(s) on the information or data.
Basic Principles of The Data Protection Act
Schedule 1 to the Data Protection Act lists the data protection principles. In summary, personal data should be:
Processed fairly and lawfully and should satisfy at least one condition for processing.
Obtained only for one or more specified and lawful purposes.
Adequate, relevant and not excessive in relation to the purpose(s) it is fulfilling.
Kept Accurate and up-to-date
Shall not be kept for longer than is necessary for that purpose(s).
Processed in accordance with the rights of data subjects under this Act.
Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or damage to personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects.
The GDPR differs to the DPA in that there is now an explicit requirement for transparency and accountability. This means it is an organisations own responsibility to be able to demonstrate that they comply with the above principles.
Please see our GDPR Accountability Policy for more information on how we comply with the principles.
Article 5 of The General Data Protection Regulation
Article 5 of the GDPR privacy laws now requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR privacy laws in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Information Commissioners Office (ICO)
The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. More than 400,000 organisations are currently registered, and BDP Agency requests that all our clients to register to comply with this law.
You can register here – It is a quick and easy online submission and in most cases the costs involved are minimal.
The ICO have also provided a data protection self-assessment tool to help assess your compliance with the DPA and to find out anything you need to do. This is a really useful tool that can be used in the approach to May 2018.
Electronic Communications Regulations (PECR)
The PECR sit alongside the DPA and give people specific privacy rights in relation to electronic communications. There are specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:
market by phone, email, text or fax;
use cookies or a similar technology on your website; or
compile a telephone directory (or a similar public directory)
More information on PECR is available here to ensure that you have sufficient and effective policies and procedures in place, and to explain more about audits.
Facts, Not Fear
GDPR Policy in a Positive Light
BDP Agency aim to provide you with our genuine advice on all things in relation to the new laws surrounding Business to Business Data Protection.
We are struggling to find information on the internet that is not loaded with fear and can sometimes be extremely confusing. BDP will endeavour to always provide you with reference documents from official channels to support our advice.
Here at BDP, in the run up to the implementation of a GDPR Policy, we were struggling to find information on the internet that was not loaded with fear, uncertainty and doubt (FUD) with the intention of frightening you about everything or anything to do with the General Data Protection Regulation (GDPR).
Many companies took this opportunity to to provide plenty of fear based articles that state everything from how you are sticking your head in the sand…. to….how they are going to lock you up and throw away the key… to…countdown clocks to the chilling date in May 2018.
In our opinion, this was an unpleasant practice and we were receiving daily calls from our clients and prospects, absolutely petrified of their next marketing move. Make no mistake, these companies are looking to make a profit from terrifying their prospects into purchasing something from them to protect your business against this fear, uncertainty and doubt.
Hopefully we have provided some insight here that is based on facts, not fear to set the record straight. There are some genuinely excellent companies out there that provide training and documentation for you and it is our aim to provide you with as much information and advice, together with a collection of resources and all this for free too.
Our GDPR Policy Promise to Our Clients
- BDP Agency will keep you up-to-date on relevant information as this is released to us
- BDP Agency will dedicate time to research GDPR information in relation to B2B Data
- BDP Agency will provide you with reference documents from official channels to support advice
- BDP Agency will endeavour to explain GDPR changes in plain English, and not use jargon
- BDP Agency will provide our clients with GDPR guidance information in a positive light
- BDP Agency will never create fear or scare you about GDPR
- BDP Agency will never charge our clients for GDPR directive information as many of our competitors do
- BDP Agency will provide GDPR information without requiring you to sign up with your email
- BDP Agency will provide GDPR information without requiring you to complete any forms
General Data Protection Regulation (GDPR) came into effect on 25th May 2018.