Breaching current data protections vs GDPR

With the media attention devoted to the new General Data Protection Regulation, it’s hard to believe that there were already laws in place to safeguard personal data. Back in 1995, EU regulators created the Data Protection Directive (95/46/EC), which was followed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR for short).

Importantly, PECR is a European Union directive, which means that every member state was (and is) obliged to implement their own laws that align with the regulation. But like every other directive, member states can refine the new law to meet the needs of their citizens (as long as the key tenets are retained). As a result, PECR-based regulations are quite different across Europe.

PECR vs GDPR – what’s the difference?

The first thing to note is that PECR regulates all forms of electronic communication to natural persons from legal persons. If you are sending marketing emails (there are different rules for telephone and post) to consumers, you must be able to demonstrate that your business has secured explicit opt-in from the recipients. In some EU countries, B2B marketing emails are exempt from this opt-in requirement; this will change as the regulation is updated again in late 2018 or early 2019.

GDPR is concerned with data processing - rather than just communication with data subjects. Your business must be able to demonstrate a ‘legal basis’ for storing and processing personal data.

To clarify, PECR governs how you communicate, while GDPR is about the personal data you process and store. GDPR does not replace PECR; the regulations are designed to complement each other.

One other important note: breaching PECR laws will attract a maximum fine of ~€565,000 (£500,000 GBP). GDPR offences attract a maximum financial penalty of €20 million or 4% of global turnover, whichever is greater. Data Protection Authorities in every EU member state have a mandate to hand out these fines to any organisation found to have breached either law.

Has GDPR replaced PECR?

Given that GDPR is newer, outlines harsher penalties, and is concerned with natural persons and personal data, it seems logical that this new regulation would completely supersede PECR. But the fact is that GDPR has simply given us more specific guidance around ‘consent’ – PECR is still in force across Europe and more importantly is being updated to bring closer alignment with the GDPR.

Because GDPR and PECR remain in force simultaneously, your business will need to ensure future communications comply with both. PECR remains a directive for now, but the upcoming changes will see it promoted to being a full regulation. Once this happens, PECR will be in force across all EU member states - and there will not be any national variations to the same extent as there are today. Until then you will need to respect the rules and regulations of the member state in which your contacts are based.

One word of caution however. Because PECR is a directive that forms the base of local legislation, it has been implemented slightly differently across Europe, so you must assess your systems and processes in light of these variations. Do not assume that compliance with the central regulation will be sufficient – you have to be sure that you comply with every local variation, or risk prosecution.

Get your affairs in order

The Privacy and Electronic Communications Regulation is now 15 years old – so your business communications and security should already be compliant. But as your GDPR compliance project progresses, it makes sense to review your PECR status at the same time – especially as you will be looking at many of the same factors regarding data retention, security and consent. The updated PECR regulation will come into force within a matter of months, ensuring your preparatory work is not wasted.

Take the first step towards the GDPR compliance by downloading our GDPR Mapping Questionnaire or by contacting us.