Written by Zlatko Delev

Posted on: July 20, 2021

What is the difference between GDPR and PECR

Data protection and marketing are so closely interconnected that no marketing plan involving data can move forward without getting data protection right. GDPR – General Data Protection Regulation – and PECR – Privacy and Electronic Communication Regulations – are regulations concerning data protection that marketers must familiarise themselves with.

The two regulations are complementary; indeed, in some respects you could say PECR adds detail, but only in some respects.

The key difference is that GDPR relates to the processing of personal data. PECR relates specifically to marketing by electronic means and covers marketing calls, texts, emails and faxes.

To add complexity, PECR, which is UK specific, will be superseded by the EU-wide e-Privacy Regulation. Among other areas, the new regulation will apply to WhatsApp, Gmail, Skype, and Facebook Messenger.

GDPR is more specific in some respects but less specific and broader in others. It applies to all aspects involving the processing of personal data, has less detail specific to marketing, but does introduce regulations not currently covered by PECR.

GDPR itself supersedes the Data Protection Act, and the ICO, the UK organisation responsible for regulating data protection and privacy regulations, states: “Nothing in these regulations (PECR) shall relieve a person of his obligations under the Data Protection Act in relation to the processing of personal data.”

For marketers, a key area of interest concerning GDPR relates to the lawful basis for the processing of data. The regulation outlines six such bases, but in most cases, marketers only need to focus on two: consent and legitimate interests.

Consent represents an important change from PECR. Under GDPR, the bar for consent is high. Pre-ticked boxes go: the data subject must be proactive in giving consent, and the consent must be unambiguous and freely given, which means it is no longer permissible to make the provision of a service conditional upon a data subject providing consent.

GDPR also requires that when data processing occurs using consent as a lawful basis, then the data must be specific – consent is no longer a catch-all thing. The same principle applies to privacy notices.

GDPR also provides regulation in the area of the right to be forgotten and subject access requests.

Legitimate interest relates to the processing of data when that processing is necessary for the legitimate interests of the data controller or for society, providing such interests are not overridden by the interests, rights or freedoms of the data subject.

In other words, if it can be shown that processing the data is in the legitimate interests of a company, then the processing of that data may be lawful, but this area is a minefield. For one thing, this basis is only lawful if you are processing data in ways a data subject would reasonably expect. For another thing, the processing must be necessary – if there is another way of achieving similar results, this may be a better option. For a third thing, you must keep a record of your legitimate interest. There are further considerations too, but these three areas make good starting points for marketers.

The ICO says that direct marketing is a legitimate use of personal information, but adds: “It is important to remember, however, other rules also apply.” It then cites PECR, saying that it “restricts the circumstances in which you can market to people and other organisations by phone, text, email or other electronic means. So when sending electronic marketing messages, remember – you have to comply with both the data protection law and PECR.”

The ICO adds: “We recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.”

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
