The key piece of legislation covering Data Protection is the Data Protection Act 1998. Data Protection is regulated by the Information Commissioner’s Office (ICO). All firms that handle personal data need to register with the ICO and to renew that registration as required. In practice, almost every firm controls or processes personal data of some kind, and so needs to ensure it complies with its Data Protection obligations regarding controlling and processing data.
You can read more about data protection on the ICO’s website or by downloading our free guide below.
The Privacy and Electronic Communications Regulations 2003 (PECR) apply to emails, faxes, text messages, video messages, messages with photographs, cookies and telephone communications (including both live calls and automated voice calls). Compliance with PECR can be complicated, and there is often a great deal of confusion regarding ‘consent’ and ‘opt-ins’.
You can read more about PECR on the ICO’s website or by downloading our free guide below.
The ICO can fine firms up to £500,000 for breaches of PECR. There is no longer a requirement for the ICO to prove that the messages caused ‘substantial damage or substantial distress’.
The PECR have had a significant impact on the way companies manage personal data. Companies from all business sectors now have until the end of 2017 to prepare for the introduction of another significant piece of European Union legislation – the General Data Protection Regulation (GDPR). Failure to comply with the Regulation could result in significant fines – likely to be the higher of €1 million or 2% of global turnover.
The implications of the GDPR are significant and companies are advised to start preparing for its introduction now, and to seek advice from a professional, rather than waiting until the last minute.
The provisions of the Regulation include:
· The need for companies who have more than 250 employees and/or who process the data of more than 5000 ‘data subjects’ in any 12 month period to appoint a Data Protection Officer
· The need for all companies to have a Data Protection governance committee
· A requirement for companies to notify their national data protection regulator and the affected data subjects within 24 hours of a significant breach
· Companies thus need to have incident management plans in place that can be activated should a breach occur
· A Privacy Impact Assessment – the impact on individuals’ privacy must be considered when new products/services are introduced, or when new ways of handling personal data are adopted
We’re experts in data protection and PECR compliance, which is why we’re trusted by thousands of firms to assist them with their compliance. We create bespoke compliance management systems, from simple compliance documentation and manuals for small firms through to automated software and comprehensive data management and compliance systems for larger firms. Our solutions are practical, facilitate compliance and add value to firms. We even offer a complete outsourced compliance service for data protection and electronic marketing, which includes unlimited TPS checking.
Our team consists of ex-regulators, legal practitioners and industry professionals. Speak to one of our experts today for confidential and no obligation advice.