You can’t have missed that changes are coming to data protection on 25th May 2018 when GDPR (the General Data Protection Regulation) comes into effect. We recently published a blog post exploring what impact GDPR will have on the arts and why you might want to consider ‘legitimate interest’ as a legal basis for processing customer data. But GDPR isn’t the only data protection regulation up for changes in May. Alongside GDPR, changes in PECR (the Privacy in Electronic Communications Regulation) are expected to come into effect.
So how can you make sense of these changes? Probably the best way to make nuanced and helpful decisions about how you’ll carry out lawful data processing is to look at GDPR and PECR as separate but entwined entities.
While GDPR governs most data processing engaged in by arts organisations, PECR only governs electronic communications with your customers and donors. We’ve taken a close look at the PECR regulation changes and below share our take on how they can be interpreted by arts organisations.
Of course, this blog post is only our take on PECR and GDPR and is not intended as legal advice or comprehensive guidance. We strongly recommend taking your own legal advice in deciding how to comply with the new data protection regulations.
Exactly what is covered under PECR?
The Privacy in Electronic Communication Regulation covers direct marketing communications made via electronic means targeted to particular individuals. This includes email, text messaging and some cookies. Telephone communications are covered when calling is automated. It doesn’t include post or most telephone communications.
What changes are coming to PECR?
The current PECR requires general consent to electronic communication. In May, the definition of consent may tighten to require a greater degree of granularity and do away with some ambiguity around how affirmative that consent must be. But the exception PECR carves out for marketing “similar products” probably won’t change.
What is the “similar products” exception?
Under this exception, companies can market “similar products” to customers without affirmative consent if they allow the customer to opt out at the point of purchase and in each subsequent electronic communication. Practically speaking, you can accomplish this with an opt-out tick box at point of sale and unsubscribe options in subsequent emails.
The ICO has issued guidance on what “similar products” are and are not. The ICO provides the example of a grocery store which has sold you flour and is then allowed to market to you about other food products such as fruit. If we were to translate this into a performing arts context, it could mean that you’re allowed to market to a ticket buyer about any other ticket purchase at your company.
However, the ICO has given guidance that communications about philanthropy may not be included, because they don’t consider donations a product, nor do they consider donors customers. Unfortunately, the guidance from the ICO has not explained how to respectfully manage relationships that organisations have with individuals who may be defined as customer, member or donor, often simultaneously.
When do you need consent to email?
If you don’t want to email about donations or non-similar products, you’re potentially covered under the “similar products” exemption, which means you might not be obligated to acquire affirmative consent and can employ an opt-out and unsubscribe strategy.
However, many arts organisations are charities who rely on donations and many desire to share data with partner organisations. In these cases, or in the case you would prefer to rely on consent-based emailing, you may want to look at the new PECR consent requirements.
Sharing emails with a third party is also unlikely to be exempt from consent, as the third party doesn’t have a contractual customer relationship with the purchaser.
What are the consent requirements under PECR?
In May, PECR consent requirements will likely come in line with GDPR definitions. The ICO says, “Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action.”
There has been considerable debate about the definition of the word “specific” and whether that means an organisation is required to offer a multitude of granular consent options. To help arts organisations understand this requirement in their own context, Arts Council England is offering guidance. Helpfully, they recommend a practical approach:
What are the limitations of PECR?
Don’t forget that the majority of your data processes such as segmenting, reporting and non-electronic communications are not covered under PECR but under GDPR. As such, they’re potentially covered under the ‘legitimate interest’ basis for processing, rather than ‘consent.’
What other business considerations should you make?
In general, we hope that arts organisations look at their own business practices and realise that they’re currently communicating respectfully with their customers and donors. We believe that the vast majority of arts organisations aren’t engaged in problematic business practices or violating the rights of their customers and donors. In fact, our users are devoted to building mutually advantageous and long-lasting relationships with their customers.
For this reason, it’s obviously important to become aware of and prepared for the upcoming changes in the regulations. However, your approach shouldn’t put respectful and lawful business models in jeopardy. It’s up to each individual organisation to find the proper approach to data privacy without adversely impacting effective and lawful communication with its customers and donors.
5 steps your business can take
In our last blog post on GDPR we recommended 5 steps your organisation can take to prepare:
- Create a data protection working group for a joined-up approach across your organisation, including representatives from development, marketing, leadership and a lawyer or board member.
- Carry out a data audit to identify the data you’re keeping on individuals (customers, employees, students, etc.) across the organisation and in what manner it is being processed.
- Determine which legal basis you’ll use for each of the ways you’ve identified data is being processed.
- Make and document a plan to demonstrate that you’ve considered data protection across the organisation and made considered choices about your approach.
Our next steps
We’ll be publishing further guidance and advice, and providing resources to help you prepare for data protection changes. Stay updated with the latest on the blog and the Support Centre where we’ll be publishing all our updates. In the meantime, if you want to talk through data protection regulations with us, get in touch with the Spektrix Support team.
Note that this article is not intended to constitute legal advice or offer comprehensive guidance.