Intelisense IT and GDPR & PECR

25 May 2018

Purpose

This document sets out the issues and risks of GDPR and the processes Intelisense IT intends to put in place to ensure we meet the requirements and adhere to the principles set out in the legislation. It covers Sales and Marketing only.

The highlighted areas are those we believe relate particularly to Intelisense IT Sales and Marketing.

Our conclusions on the legislation, and how the Intelisense IT Sales and Marketing function intends to conduct itself, are set out in the conclusions section at the end of the document.

Background

The government has confirmed that Brexit will not affect the GDPR start date, or its immediate running. It’s also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.

GDPR overview

  • Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words processing extensive personal information), or which involve processing large volumes of ‘special category data’, must employ a Data Protection Officer (DPO). Their role will be to ensure the company complies with the obligations under the GDPR. They’ll also be the contact for any data protection queries.
  • The GDPR will apply to any business that processes the personal data of EU citizens, including those with fewer than 250 employees (contrary to common misunderstanding). Serious breaches (that is, any breach which has an impact on the rights of data subjects) must be reported immediately to the regulator (in the UK this is the Information Commissioner’s Office (ICO)). This should be within 24 hours where possible, but at least within 72 hours.
  • Individuals will have more rights on how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds (for example the individual is no longer a customer, so your contract with them no longer gives you a legal right) to keep the data.
  • Failure to comply will result in harsher penalties. Currently, the ICO can fine up to £500,000, but the GDPR will allow fines of up to €20 million or four per cent of annual turnover, whichever is higher.

GDPR Checklist For UK Small Businesses
Remember, your checklist needs to take into account past and present employees and suppliers as well as customers (and anyone else’s data you’re getting hold of, storing and using).
  • Know your data. You’ll need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
  • Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities will become more difficult under the GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless absolutely necessary.
  • Look hard at your security measures and policies. You’ll need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
  • Prepare to meet access requests within a one-month timeframe. Subject Access Rights are changing, and under the GDPR, citizens have the right to access all of their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all of their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
  • Train your employees, and report a serious breach within 72 hours. Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags. It’s also important that everybody involved in your business is aware of a need to report any mistakes to the DPO or the person or team responsible for data protection compliance, as this is the most common cause of a data breach.
  • Conduct due diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You’ll also need to ensure you have the right contract terms in place with suppliers (which puts important obligations on them, such as the need to notify you promptly if they have a data breach). See ‘How can I check my suppliers are GDPR-compliant?’ further down.
  • Create fair processing notices. Under GDPR, you’re required to describe to individuals what you’re doing with their personal data. See ‘Fair processing notices’ below for more information.
  • Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or processing large volumes of ‘special category data’ (see ‘Is my data sensitive?’ below), you must employ a Data Protection Officer (DPO).

Legitimate Interests

  • Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
  • It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  • If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. (We have then moved to PECR; see below.)
  • There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
    • Identify a legitimate interest;
    • Show that the processing is necessary to achieve it; and
    • Balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You must include details of your legitimate interests in your privacy information. (We assume this means that in general correspondence we note what is meant by legitimate interests.)

The Privacy and Electronic Communications Regulations (PECR)

PECR sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:

• marketing calls, emails, texts and faxes;
• cookies (and similar technologies);
• keeping communications services secure; and
• customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The ICO aims to help organisations comply with PECR and promote good practice by offering advice and guidance. It will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.

There are different rules for live calls, automated calls, faxes, and electronic mail (this includes emails or texts).

PECR marketing provisions do not apply to other types of marketing, such as mailshots or online advertising. However, you must always still comply with the Data Protection Act and the GDPR; and if your online advertising uses cookies or similar technologies, the provisions about cookies may apply.

When is marketing ‘solicited’ and when is it ‘unsolicited’?
Most of the rules in PECR only apply to unsolicited marketing messages. They do not restrict solicited marketing.

Put simply, a solicited message is one that is actively requested. So if someone specifically asks you to send them some information, you can do so without worrying about PECR (although you must still say who you are, display your number when making calls, and provide a contact address).

An unsolicited message is any message that has not been specifically requested. So even if the customer has ‘opted in’ to receiving marketing from you, it still counts as unsolicited marketing. An opt-in means the customer agrees to future messages (and is likely to mean that the marketing complies with PECR). But this is not the same as someone specifically contacting you to ask for particular information.

This does not make all unsolicited marketing unlawful. You can still send unsolicited marketing messages – as long as you comply with PECR.

What Counts as Consent?
You will often need a person’s consent before you can send them a marketing message. If you do need consent, then – to be valid – consent must be knowingly and freely given, clear and specific. It must cover both your particular organisation and the type of communication you want to use (eg call, automated call, fax, email, text). It must involve some form of very clear positive action – for example, ticking a box, clicking an icon, or sending an email – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about marketing as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

The clearest way to obtain consent is to ask the customer to tick an opt-in box confirming they are happy to receive your marketing calls, faxes, texts or emails.

You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.

You should be very careful when relying on consent obtained indirectly (consent originally given to a third party). You must make checks to ensure that the consent is valid and specifically identifies you. Generic consent covering any third party is not enough.

Remember that the customer is entitled to withdraw their consent at any time. You must make it easy for people to withdraw consent, and tell them how.

What is the difference between ‘opt in’ and ‘opt out’?
‘Opt in’ means a person has to take a specific positive step (eg tick a box, send an email, or click a button) to say they want marketing. ‘Opt out’ means a person must take a positive step to refuse or unsubscribe from marketing.

Some organisations provide opt-in boxes that are automatically pre-ticked. However, the GDPR is clear that pre-ticked boxes do not give valid consent.

You must use an ‘affirmative’ method of getting consent. We recommend you use unticked opt-in boxes wherever possible.

Do the rules apply to business-to-business marketing?

Yes, but there are different rules for marketing to companies and marketing to individuals (which includes sole traders and some partnerships). In general, the rules on marketing to companies are not as strict.

Conclusions

Having discussed and considered the legislation, we have concluded that the Intelisense IT Sales and Marketing function does maintain information that could be regarded as personal data, including people’s business email addresses and business telephone numbers, and there are a number of actions for Intelisense IT to review:
  1. The organisation does not require a DPO.
  2. The personal data held by Intelisense IT is held for legitimate interests. An LIA (legitimate interests assessment) has been conducted as noted below, and this LIA has been reviewed by the two Directors of the organisation, Andrew Rumney and Amjad Khan.
  3. The security of the data held will be reviewed by the technical director (Amjad Khan) to ensure that all reasonable precautions have been taken to keep personal data securely, safely and for the reason intended.
  4. We will review our compliance on an annual basis.
  5. Additionally, having carried out an LIA (notes below) and reviewed the PECR documentation on the 22nd of May 2018, Intelisense IT will note and adhere to the following:
    • Suppression lists – we will maintain a list of people who ‘opt out’ of our marketing and ensure we cross-reference their details against any new lists we receive.
    • Corporate telephone preference list – we will cross-reference any new (or existing) list with this; link here: http://www.tpsonline.org.uk/tps/whatiscorporatetps.html
    • Email signatures – we will roll out an “unsubscribe” link in our corporate signatures and create a Mailchimp landing page for this.
    • Privacy terms – we will draft these up and display our privacy terms clearly and simply, and investigate putting them into all our correspondence, including our email signatures.
    • We understand that we can freely email corporate bodies, but employees can opt out.
  6. When procuring any sales and marketing list of potential clients, we need to check and agree the following compliance points with the selling organisation:
    1. We don’t use bought-in lists for texts, emails or recorded calls (unless we have proof of opt-in consent within the last six months which specifically named us). This requires the seller to verify that the people on the list:
      • Gave specific consent to receive marketing from us;
      • Were provided with readily accessible, clear and intelligible information about how their contact details would be used (eg privacy notices were easy to find and understand);
      • Were offered a clear and genuine choice whether or not to have their details used for marketing purposes;
      • Took positive action to indicate their consent (eg ticked a box, clicked a button or subscribed to a service);
      • Gave their consent reasonably recently (within the last six months); and
      • In the case of texts, emails or automated calls, gave specific consent to receive marketing by those means.
    2. We screen the names on bought-in lists against our own list of people who say they don’t want our calls (suppression list).
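As an added illustration (not Intelisense IT’s own tooling), the seller-verification points in item 6 and the suppression-list screening in item 5 can be applied as one pre-use check per contact before any bought-in list is used for email, text or calls. The 183-day reading of “six months”, the phone-number normalisation, the example.com addresses and the drama-range telephone numbers are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

OUR_NAME = "Intelisense IT"
MAX_CONSENT_AGE = timedelta(days=183)  # the document's "within the last six months" (assumed as 183 days)

@dataclass
class Contact:
    email: str
    phone: str
    consent_named: frozenset     # organisations the consent wording specifically named
    consent_channels: frozenset  # channels consented to: "email", "text", "call"
    consent_date: date           # when the positive opt-in action was taken
    positive_action: bool        # ticked a box, clicked a button or subscribed

def norm_phone(phone):
    # Assumed convention: digits only, UK trunk '0' rewritten to country code 44.
    digits = re.sub(r"\D", "", phone)
    return "44" + digits[1:] if digits.startswith("0") else digits

def build_suppression(emails, phones):
    # Our own 'opt out' list, normalised so it matches however the seller formats the data.
    return {"email": {e.strip().lower() for e in emails}, "phone": {norm_phone(p) for p in phones}}

def check_contact(c, channel, suppression, today):
    """Return the reasons a contact must not be marketed to via `channel`; [] means usable."""
    reasons = []
    if c.email.strip().lower() in suppression["email"] or norm_phone(c.phone) in suppression["phone"]:
        reasons.append("on suppression list")
    if OUR_NAME not in c.consent_named:
        reasons.append("consent did not specifically name us")
    if channel not in c.consent_channels:
        reasons.append(f"no specific consent for {channel}")
    if today - c.consent_date > MAX_CONSENT_AGE:
        reasons.append("consent older than six months")
    if not c.positive_action:
        reasons.append("no positive opt-in action recorded")
    return reasons

# Constructed sample data: Ofcom drama-range numbers and example.com addresses.
TODAY = date(2018, 5, 25)
SUPPRESSION = build_suppression(["optout@example.com"], ["0161 496 0001"])
CONTACTS = [
    Contact("Jane.Doe@Example.com", "0161 496 0000", frozenset({OUR_NAME}), frozenset({"email", "call"}), date(2018, 3, 1), True),
    Contact("sam@example.com", "0161 496 0002", frozenset({"any third party"}), frozenset({"email"}), date(2018, 4, 1), True),
    Contact("lee@example.com", "+44 161 496 0001", frozenset({OUR_NAME}), frozenset({"email"}), date(2018, 4, 1), True),
    Contact("kim@example.com", "0161 496 0003", frozenset({OUR_NAME}), frozenset({"call"}), date(2017, 10, 1), True),
]
REJECTIONS = {c.email: check_contact(c, "email", SUPPRESSION, TODAY) for c in CONTACTS}
```

Only contacts whose reasons list is empty may be used for the chosen channel; the third contact is caught through phone-number normalisation even though the seller formatted the number differently from our suppression list.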

Legitimate interests assessment (LIA) notes

  • We have checked that legitimate interests is the most appropriate basis. Yes.
  • We understand our responsibility to protect the individual’s interests. Yes.
  • We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision. Yes (this is it, using the above references).
  • We have identified the relevant legitimate interests. Yes: these are the ability for the organisation to sell its products and services to relevant organisations, using mainly external sources to identify/funnel the most relevant clients to our sales function for qualification (sometimes these clients may be identified internally). All calls to new/prospective clients will use the approved script, which identifies Intelisense IT and our intentions early in any call and includes the opportunity for all prospective clients to ‘opt out’.
  • We have checked that the processing is necessary and there is no less intrusive way to achieve the same result. Yes: a dual telephone call and email to prospective clients, who are pre-filtered using external sources.
  • We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests. Yes: as the prospective clients are business clients, there may be a reasonable expectation of being called by potential partner organisations; this is an accepted custom and practice within business and is proportionate.
  • We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason. Yes.
  • We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason. Yes.
  • If we process children’s data, we take extra care to make sure we protect their interests. N/A.
  • We have considered safeguards to reduce the impact where possible. Yes: people are able to opt out and we use already-filtered lists.
  • We have considered whether we can offer an opt out. Yes.
  • If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a Data Protection Impact Assessment. Yes. Having reviewed the DPIA guidance, we do not believe that this impacts the sales function.
  • We keep our LIA under review, and repeat it if circumstances change. Yes, annual review.
  • We include information about our legitimate interests in our privacy information. Yes.