The UK government has unveiled a series of amendments to the Privacy and Electronic Communications Regulations (PECR) to ensure the UK’s legal framework for data protection functions correctly after the UK leaves the EU and to prepare for the prospect of a No Deal Brexit. It is crucial that companies are attuned to these amendments, which come into effect on Exit Day, possibly 31 October 2019, so that they do not fall foul of data protection rules and can avoid potentially hefty fines.
What is the PECR?
Whilst GDPR does not replace PECR, it does change the underlying definition of consent: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without ‘consent’. This will need to meet the GDPR standard of consent to ensure it is valid. This involves a clear affirmative action, such as an opt-in to receive such communications.
There is an exemption within PECR called the Soft Opt-in, which states that you do not require consent where:
- You have obtained contact details in the course of a sale;
- You are only marketing your own similar products and services; and
- You provided a simple opportunity to opt out of the marketing when you first collected the contact details.
What is the Scope of PECR?
The GDPR governs the data you use for email marketing, whilst the PECR defines the required permission to send email marketing. There is naturally much overlap between the GDPR and PECR, as both aim to protect people’s privacy, and therefore compliance with one will help compliance with the other.
How is the UK Government Preparing?
To ensure that the UK legal framework for data protection functions correctly after the UK leaves the EU, the government is preparing a series of amendments. The first set of amendments, PECR Amendments No 1, will come into effect on the day the UK leaves the EU, and will:
- Extend the GDPR standards to certain data processing activities outside the scope of EU law;
- Make amendments to international transfers of personal data, institutions and member states; and
- Formally amend the definition of consent in the PECR to mirror the GDPR definition.
What about US Transfers?
The Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. It enables US organisations to more easily access personal data from entities based in the EU and protected by EU privacy laws.
This will provide some commercial and legal certainty for UK businesses in a “No Deal” scenario and UK data subjects will continue to have access to the redress mechanisms afforded by the Privacy Shield.
How Should I Prepare my Organisation?