GDPR & PECR

The General Data Protection Regulation (GDPR) is a new law that will replace the DPA (Data Protection Act 1998) in the UK from May 2018. It is largely an evolution of the current DPA legislation but increases the rights of individuals considerably.

It protects Personal Data (data about or relating to a living, identifiable individual). It applies to a natural person, not to a legal entity such as a company.

GDPR makes it mandatory to adopt a Data Protection-by-Design approach, and any data capture must be fair, lawful and satisfy one of the conditions for processing (see below).

The Privacy and Electronic Communications Regulations (PECR) will sit alongside GDPR. There are specific rules on:

  • marketing telephone calls, emails, texts and faxes;
  • cookies (and similar) to track information about people;
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification (eg caller ID) and directory listings.

Both GDPR and PECR aim to protect people’s privacy, but PECR apply even if the data is not Personal Data – many of the rules protect companies as well as individuals, and the marketing rules apply even if the person being contacted cannot be identified.

It’s important to understand that we must comply with both GDPR and PECR – one concerns the data being held and processed (which includes the reasons why we are holding the data – eg to maintain contact with the person) whilst the other covers how we communicate with the individual.

Conditions which allow the Processing of Personal Data

There are 6 conditions noted in GDPR, fulfilling any one of which will allow the processing of someone’s personal data.

  • Contracts (employment, sales, agreements)
  • Legal Obligation (need to be able to quote a specific law)
  • Vital Interest (immediate risk of death)
  • Official functions / administration of justice / public interest
  • Legitimate Interest
  • Consent

Legitimate Interest

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

It is being interpreted that organisations can lawfully send direct marketing by post or call people by telephone provided that they have not objected and are not registered with the TPS.

Consent

Consent is “any freely given specific and informed indication of wishes by which the data subject signifies their agreement to personal data relating to them being processed”.

To obtain consent it will be necessary to explain to the individual – the ‘data subject’ – what we are doing with their data, including:

  • the purpose for processing their data,
  • how their data is to be used,
  • the condition (i.e. legal basis) relied on,
  • what their rights are,
  • the retention period for the data, and
  • the source of the data if obtained from a third party.

Consent has to be ‘Opt In’ – there is no consent unless it is asked for specifically, and there is no consent unless the person actually gives it.

Other Considerations

There are 4 further important matters to consider for any type of data processing.

  1. There must be a clear ability to unsubscribe.
  2. There will need to be a Suppression list: a list of all the people who have said that they do not wish to be contacted.
  3. There is a Right to Be Forgotten: the right to have some or all of the information relating to a person removed.
  4. Profiling – the use of automated techniques (using a computer or machine) to “evaluate” certain aspects of the individual. Consent or disclosure is required for this.

PECR

The Privacy and Electronic Communications Regulations 2003 apply to those who send marketing and to those who ‘instigate’ others to send marketing material on their behalf.

What is Electronic Communication?

Any information sent between particular parties over a phone line or internet connection. It includes phone calls, faxes, text messages, video messages, emails and internet messaging.

What is (Direct) Marketing?

The communication (by whatever means) of any advertising or marketing material which is directed to particular, specific individuals.

This covers all advertising or promotional material, including material promoting the aims or ideals of not-for-profit organisations – for example, a charity campaigning for support or funds.

The marketing must be directed to particular individuals. In practice, all relevant electronic messages (eg calls, faxes, texts and emails) are directed to someone, so they fall within this definition.

Routine customer service messages do not count as direct marketing – correspondence with customers to provide information they need about a current contract or past purchase (eg delivery arrangements, product safety, changes to terms and conditions).

General branding, logos or straplines in messages do not count as marketing. However, if the message includes any significant promotional material, it counts as marketing material and the rules apply.

Solicited and Unsolicited

Most of the rules in PECR only apply to unsolicited marketing messages. A solicited message is one that is actively requested. So if someone specifically asks to be sent some information, then this does not fall under PECR.

An unsolicited message is any message that has not been ‘specifically requested’. So even if the customer has ‘opted in’ to receiving marketing, it still counts as unsolicited marketing.

The TPS (Telephone Preference Service)

The TPS is the Telephone Preference Service. It is a central register of individuals who have opted out of receiving live marketing calls.

The CTPS

The CTPS is the Corporate TPS. It works in the same way as the TPS, but for companies and other corporate bodies (limited liability partnerships, Scottish partnerships and government bodies).

Summary – GDPR & PECR Communication Rules

Individuals (including sole traders and partnerships):

  • Telephone calls – OK to call provided the number is not registered with the TPS and the person has not opted out.
  • Email & texts – specific consent required, or the ‘soft opt-in’ (existing customers who were offered an opt out when their details were collected).
  • Mail – can send direct mail provided the name and address were obtained fairly; the individual can opt out.

Business-to-business (companies and corporate bodies):

  • Telephone calls – OK to call provided the number is not registered with the Corporate TPS; the business can opt out.
  • Email & texts – can email or text corporate bodies; it is good practice to offer an opt out, and individual employees can opt out.
  • Mail – can mail corporate bodies; individual employees can opt out.

Recommended Privacy Statement

Purpose
Winston’s Wish is committed to protecting your privacy. We ensure that all your personal information is held securely and safely. This privacy policy explains how we collect, use and store information, and what that might mean for you.

Who we are and what we do
We are Winston’s Wish, a registered charity (number 1061359) established in 1992 to support bereaved children and their families. We are also a registered company, limited by guarantee (number 03329289). Our services are available throughout the UK. We provide in-depth therapeutic help and support to individuals, families and groups. Our services also include the operation of a National Helpline, the distribution of publications and periodicals, training and advocacy. We fund these services using our own fundraising activities.

The data that we process and how we obtained it
Winston’s Wish is a ‘Data Controller’ of the personal data we collect. This data is usually obtained directly from the individual in a number of ways including when they access our services, make a donation, enquire about our activities, consent to receive our communications, undertake training, become a volunteer or purchase our publications.

We are occasionally passed details by third parties and will only process this data if we are sure that the individual has given their consent to the third parties for us to retain and contact them in relation to a specific matter.

The data we record is likely to include the individual’s name, address, telephone number, email, any preferences they have indicated, any donations and transactions they have made with us (e.g. publications they have received or training courses they have attended) and any correspondence we have had with them. For our family service users only, we may also need to record further sensitive information. In all cases we would ask for the individual’s consent to us recording and processing such data.

Why we record this data and what we do with it
In many instances we need to record this data to meet our legal obligations (for example we need to record financial transactions to comply with UK tax laws). For our family service users the data we collect is necessary for us to deliver a full and complete service of support.

We also retain the data to provide individuals with information or news about any of our services or activities, including fundraising activities, which they have said they wish to receive. In other cases we retain the individual’s data for purposes related to their consent (see below), or to record their wish not to be contacted by us.

In all cases we will not share any personal data with third parties unless the individual has given us their specific consent to do so or we are required to do so by law.

Where we hold the data
All personal data is processed by our staff in the UK. All our data is stored securely with access restricted to the appropriate authorised personnel and for the purposes specified in the preceding sections of this privacy statement. The data is hosted and maintained on servers within the European Union. No third parties have access to the personal data unless the law allows them to do so. We have a Data Protection policy and procedures in place to oversee the effective and secure processing of all personal data.

How long we keep personal data
In relation to financial transactions and donations we are required under UK tax law to keep basic personal data (name, address, contact details and transactions) for a minimum of 6 years. In relation to other personal data, unless it is agreed otherwise, we would normally retain the data for at least 5 years from initial consent. In respect of specific consent to receive information from us, we aim to refresh this consent every 5 years. We will also regularly remind individuals of the opportunity to opt out of receiving information from us.

Our Fundraising Promise
Winston’s Wish is registered with the Fundraising Regulator. The Fundraising Regulator exists to ensure that organisations raising money from the public do so honestly and adhere to its code of practice. As members of the scheme, we follow the Code of Fundraising Practice and comply with the key principles embodied in the code.

  • We do all we can to ensure that fundraisers, volunteers and fundraising contractors working with us to raise funds comply with the Code of Fundraising Practice and with this Promise.
  • We comply with the law including those that apply to data protection, health and safety and the environment.
  • We are honest and open
  • We tell the truth and do not exaggerate
  • We do what we say we are going to do
  • We answer all reasonable questions about our fundraising activities and costs.
  • We are clear about who we are, what we do and how your gift is used
  • Where we have a promotional agreement with a commercial company, we make clear how much of the purchase price we receive.
  • We give clear explanation of how you can make a gift and amend a regular commitment.
  • We respect the rights, dignities, and privacy of our supporters and beneficiaries
  • We will not put undue pressure on anyone to make a gift; if they do not want to give, or wish to cease giving, we will always respect their decision.
  • If anyone tells us that they do not want us to contact them in any particular way, then we will not do so.
  • We take care not to use any images or words that cause unjustifiable distress or offence.
  • We take care not to cause unreasonable nuisance or disruption.
  • If anyone is unhappy with anything we’ve done whilst fundraising, they can contact us to make a complaint.
  • We have a fundraising complaints procedure, a copy of which is available on request. If we cannot resolve any complaint, we accept the authority of the Fundraising Regulator to make a final adjudication.

Cookie Policy
When anyone visits this website, their IP address, browser and version, operating system and the site they came from are stored in a web server log file. This information is used only for statistical purposes to help improve this site. Because an IP address can itself identify an individual, these log files are treated as personal data and are kept only as long as needed for administration of the web server. We do not use cookies to collect personal information, and we will not collect any information about you beyond what is required to administer the web server.

Changes to this privacy policy
From time to time, we will make changes to this policy to keep it up to date and relevant. Please make sure you check regularly to see what has changed.

Your rights
If at any point you believe the information we process about you is incorrect, you can request to see this information and have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, Colin Ireland, at cireland@winstonswish.org, who will investigate the matter.

If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

It is your right to request details of the information we hold about you. For details on how to receive a copy of your personal information held by us, please write to:

The Data Controller
Winston’s Wish
17 Royal Crescent
Cheltenham
Gloucestershire
GL50 2PY

Recommended Contact Preferences for Opt In

FOR OCCASIONS WHEN WE REQUIRE PERSONAL CONSENT

Personal Consent
We would like to record your consent for the specific purposes shown below. This will allow us to record your details so that we can contact you should the need arise, to keep you informed about our news and the work we do, the services that we offer, or to let you know how you may get involved and help us. This information will not be shared with or disclosed to third parties, and you can unsubscribe at any time by calling, writing to or emailing us.

Please indicate below which of our communications you would like to opt in to:

[ ] Receive all our news and updates, including information on fundraising, events and volunteering
(this option includes all categories below)

Alternatively, you may choose to opt in to receive information on only the specific categories you want from below:

[ ] News, updates and volunteering opportunities
[ ] Information about our services, publications, associated resources and training courses
[ ] Events, challenges, Christmas card sales and other opportunities to raise funds for or donate to WW

Methods of communication
We usually send all our communications by email. Occasionally, if we believe that you may be interested in hearing from us, we may contact you by direct mail or telephone, unless you are registered with the Telephone Preference Service. Please indicate below if you would prefer us not to contact you in these ways:

[ ] I would prefer not to receive communications by post
[ ] I would prefer not to receive communications by telephone

SMS / Text Alerts
Very occasionally we may send important SMS (text) messages, for example if there is a television programme or special event that we believe will be of interest. We will not send any marketing concerning our fundraising activities in this way. Please indicate below if you wish to opt in to these alerts.

[ ] I would like to receive occasional news alerts by text message