5 min read

Written by Zlatko Delev

Posted on: October 24, 2023

GDPR & PECR in the UK: Common Mistakes & Insights for 2023

Not everyone is adopting the right approach to complying with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). In this blog, we share common pitfalls and real examples from 2023.

In our experience, organisations know they have to comply with GDPR and the PECR (although there’s rather less general awareness about that latter regulation).

Yet despite this knowledge and the importance of getting data protection right, companies still fall prey to some common pitfalls. In each of the following examples, the breach wasn’t intentional. It was a consequence of oversight or of not rectifying longstanding issues. Unfortunately, such lapses aren’t a defence to a data breach, which is why, in this post, we’re looking at the most common data protection pitfalls as we approach 2024.

Mistake 1: Neglecting the Need for a GDPR Representative

One of the most common blunders companies make is failing to appoint a GDPR representative when required. As of 2023, businesses based outside the EU but processing the data of EU residents must designate a representative where they don’t have a presence within an EU country in which they trade. This representative acts as a bridge between your company and EU data subjects, ensuring compliance with GDPR, although their role is considerably broader than that.


Real-Life Example: A UK-based e-commerce platform had expanded its operations to target EU customers. However, it overlooked the requirement for a GDPR representative. When a data subject in France requested information about their personal data, the company was in immediate contravention of GDPR (irrespective of how they were actually handling the data) because having a GDPR rep is a legal requirement. They faced penalties for non-compliance.

Mistake 2: Overlooking Consent for Marketing Communications

You’ve probably received countless offers for lists of potential customers. These can seem attractive. One fee enables you to access a long list of potentially tens of thousands of prospects, complete with contact details. Unfortunately, if you want to use a list’s contents, you’ll need to obtain valid consent from each subject.

Without consent, your email will be unsolicited, and unsolicited emails breach the PECR, which governs electronic marketing communications, including emails, calls and texts. The company is often unaware that it is contravening the PECR, but it’s a violation nonetheless.

Real-Life Example: A marketing agency in Manchester was keen on increasing its client base. It bought a list of email addresses for a mass email campaign. Yet without obtaining proper consent, they were found in breach of the PECR.

Mistake 3: Inadequate Data Security Measures

We all hear of the occasional large-scale data breach. In reality, however, smaller-scale breaches are happening constantly, and they are often the result of failing to implement robust physical and digital security measures.

Whether the breach arises from a member of the team leaving a laptop on a train or a hacker accessing poorly protected digital systems, the damage can be immense, not just in terms of the sensitive information released, but the reputational and financial damage that can follow.

Real-Life Example: A healthcare organisation in London experienced a data breach. They were using outdated systems that were no longer supported by the software developer, and their password policy was weak. This opened the door to data theft, with the breach affecting thousands of patients. The result was a substantial GDPR fine and a significant loss of trust.

Trends and Considerations for 2024

As we approach 2024, data protection trends are evolving. Privacy-by-design principles and advanced encryption methods will become even more critical. Additionally, staying updated with evolving regulations and seeking GDPR services from reliable providers will be essential for maintaining compliance.

It sounds arduous, but it doesn’t have to be. With the right approach – and the right data protection partner – businesses can not only protect sensitive information but also build trust with their customers, setting a solid foundation for success in 2024 and beyond.

Explore how our GDPR consultancy services can support you now, get data protection advice or, for questions about your next steps, call +44 1772 217800.


Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
