Written by Zlatko Delev

Posted on: October 24, 2023

GDPR & PECR in the UK: Common Mistakes & Insights for 2023

Not everyone is adopting the right approach to complying with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). In this blog, we share common pitfalls and real examples from 2023.

In our experience, organisations know they have to comply with GDPR and the PECR (although general awareness of the latter regulation is rather lower).

Yet despite this knowledge and the importance of getting data protection right, companies still fall prey to some common pitfalls. In each of the following examples, the breach wasn't intentional. It was a consequence of oversight or of not rectifying longstanding issues. Unfortunately, such lapses aren't a defence to a data breach, which is why, in this post, we're looking at the most common data protection pitfalls as we approach 2024.

Mistake 1: Neglecting the Need for a GDPR Representative

One of the most common blunders companies make is failing to appoint a GDPR representative when required. As of 2023, businesses based outside the EU that process the data of EU residents must designate a representative if they have no establishment in an EU country in which they trade. This representative acts as a bridge between your company and EU data subjects, helping to ensure compliance with GDPR, although their role is considerably broader than that.

Find out more about the role of the EU GDPR representative

Real-Life Example: A UK-based e-commerce platform had expanded its operations to target EU customers. However, it overlooked the requirement for a GDPR representative. When a data subject in France requested information about their personal data, the company was in immediate contravention of GDPR (irrespective of how they were actually handling the data) because having a GDPR rep is a legal requirement. They faced penalties for non-compliance.

Mistake 2: Overlooking Consent for Marketing Communications

You’ve probably received countless offers for lists of potential customers. These can seem attractive. One fee enables you to access a long list of potentially tens of thousands of prospects, complete with contact details. Unfortunately, if you want to use a list’s contents, you’ll need to obtain valid consent from each subject.

Without consent, your email is unsolicited, and unsolicited marketing emails breach the PECR, which governs electronic marketing communications, including emails, calls and texts. The company often doesn't realise it is in contravention of the PECR, but it's a violation nonetheless.

Real-Life Example: A marketing agency in Manchester was keen on increasing its client base. It bought a list of email addresses for a mass email campaign. Yet without obtaining proper consent, they were found in breach of the PECR.

Mistake 3: Inadequate Data Security Measures

We all hear of the occasional large-scale data breach. In reality, however, smaller-scale breaches are happening constantly, and they are often the result of failing to implement robust physical and digital security measures.

Whether the breach arises from a member of the team leaving a laptop on a train or a hacker accessing poorly protected digital systems, the damage can be immense, not just in terms of the sensitive information released, but the reputational and financial damage that can follow.

Real-Life Example: A healthcare organisation in London experienced a data breach. They were using outdated systems that were no longer supported by the software developer, and their password policy was weak. This opened the door to data theft, with the breach affecting thousands of patients. The result was a substantial GDPR fine and a significant loss of trust.

Trends and Considerations for 2024

As we approach 2024, data protection trends are evolving. Privacy-by-design principles and advanced encryption methods will become even more critical. Additionally, staying updated with evolving regulations and seeking GDPR services from reliable providers will be essential for maintaining compliance.

It sounds arduous, but it doesn’t have to be. With the right approach – and the right data protection partner – businesses can not only protect sensitive information but also build trust with their customers, setting a solid foundation for success in 2024 and beyond.

Explore how our GDPR consultancy services can support you now, get data protection advice or, for questions about your next steps, call +44 1772 217800.
