Countries around the globe are implementing stricter regulations and larger fines in order to protect the rights of the individuals whose data is being collected. As a data privacy specialist in the UK, I often hear this question from customers and prospects: “How do we remain compliant as we expand into new regions?”
It can be difficult to sift through privacy regulations and know which aspects are most relevant to your business. If you’re operating in the UK or looking to expand into this territory, you need to understand three key privacy laws.
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA18)
- The Privacy and Electronic Communication Regulations 2003 (PECR)
Because non-compliance penalties can be costly, it’s important to become familiar with the components of each law and what they mean for your business.
The EU’s GDPR is the global standard for data privacy. The UK equivalent, UK GDPR, was enacted in 2018. It requires any organization operating in the UK to have a lawful basis for processing personal data.
There are six lawful bases for processing personal data under the UK GDPR:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interest
The UK GDPR states that all lawful bases are equally valid, meaning that no one lawful basis takes precedence over another. The UK GDPR outlines the requirements that need to be met in order to rely on a particular lawful basis.
For example, under the UK GDPR all marketing activities must rely on either “consent” or “legitimate interest.” You can send electronic mail or make live direct marketing calls to businesses with a legitimate interest in your offer, product, or service.
Data Protection Act 2018
Another key regulation in the UK is the Data Protection Act 2018 (DPA18 or DPA 2018), which also applies to the processing of personal data. The DPA18 sits alongside the UK GDPR and provides separate and specific rules for the following three data protection regimes:
- A general processing regime to support and supplement the UK GDPR
- A separate regime for law enforcement authorities
- A separate regime for the three intelligence services
The DPA18 also outlines the function and powers of the Information Commissioner’s Office (ICO), which is the UK’s data protection authority.
The Privacy and Electronic Communications Regulations (PECR)
Next is the Privacy and Electronic Communications Regulations (PECR), which outlines specific privacy rights for the people (or “subscribers”) whose data is being collected and potentially used in electronic communications.
The rules vary depending on the marketing channel being used, and they also depend on the type of subscriber: corporate or individual.
Corporate subscribers are considered part of a corporate body, with a separate legal status. The ICO B2B Guidance defines the following as corporate subscribers:
- Corporation soles
- Limited liability partnerships
- Scottish partnerships
- Some government bodies
- Any other entity that is a legal person distinct from its members
However, not all businesses are classified as corporate subscribers under PECR. Some are actually considered individual subscribers, including:
- Sole traders
- Certain types of partnerships (e.g., non-limited liability partnerships or other types of English, Welsh and Northern Irish partnerships)
- Other unincorporated bodies of individuals
Once you determine the subscriber type for the people you’re collecting data on, it’s important to understand the regulations in place for each marketing channel.
Electronic Messaging (Text and Email) under PECR
Under PECR, marketing to individual subscribers via email or text message channels requires consent. However, there is a B2B exemption for electronic mail messages sent to corporate subscribers.
In general, B2B marketing targets corporate subscribers, but organizations should take steps to ensure that they are not marketing to individual subscribers, including sole traders and some partnerships, under this exemption.
Telephone Marketing under PECR
Live direct marketing calls in the UK fall within the scope of PECR. It places three main conditions around making live direct marketing calls:
- You must identify who is calling. You must display your phone number when making a live direct marketing call and provide your company name. If requested, you are also obliged to provide your contact details.
- You must not call a business that has previously objected to your calls. You should maintain an in-house suppression file or similar system.
- You cannot call any number registered on the UK’s central opt-out registry. It’s important to have a plan for incorporating do-not-call lists into your database.
In the UK, the central opt-out registry is maintained by the Telephone Preference Service (TPS). There’s a separate register for corporate subscribers, the Corporate Telephone Preference Service (CTPS). Businesses will usually register with either the TPS or CTPS based on whether they are classified as a corporate subscriber or an individual subscriber. Therefore, it is recommended to screen against both the TPS and CTPS lists.
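The screening step described above (normalize each number, then check it against the in-house objection list, the TPS and the CTPS, without assuming you know the subscriber type) can be implemented as a small batch filter. The following is an added example written for this article, not ZoomInfo's code or any TPS/CTPS tooling. It assumes the TPS and CTPS exports have already been loaded into sets of E.164-formatted strings, and it uses only constructed sample numbers drawn from Ofcom's reserved drama ranges (01632 960xxx, 020 7946 0xxx, 07700 900xxx), so none of them belong to a real subscriber. The number normalization is deliberately simplified and is not a full validator for the UK numbering plan.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


def normalize_uk_number(raw: str) -> Optional[str]:
    """Reduce common UK phone formats (0xxxx, +44 xxxx, 0044 xxxx, with
    spaces/dashes/brackets) to a single +44 E.164-style form so that one
    number cannot slip past a register because it was typed differently.
    Returns None when the input does not look like a UK number.
    (Simplified: assumption, not a full numbering-plan validator.)"""
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("+44"):
        national = digits[3:]
    elif digits.startswith("0044"):      # must be checked before the bare "0" case
        national = digits[4:]
    elif digits.startswith("0"):
        national = digits[1:]
    else:
        return None
    if not national.isdigit() or not (9 <= len(national) <= 10):
        return None
    return "+44" + national


@dataclass(frozen=True)
class ScreeningResult:
    number: str                 # normalized number, or the raw input if unparseable
    callable: bool              # True only if no suppression source matched
    reasons: Tuple[str, ...]    # which sources blocked the call (empty if callable)


def screen_number(raw: str, tps: Set[str], ctps: Set[str],
                  in_house_objections: Set[str]) -> ScreeningResult:
    """Screen one number against every suppression source. Because a
    prospect may be registered on either TPS or CTPS depending on how it is
    classified under PECR, both registers are always checked, as is the
    in-house file of prior objections."""
    number = normalize_uk_number(raw)
    if number is None:
        # A number we cannot normalize cannot be screened, so it is not callable.
        return ScreeningResult(raw, False, ("unparseable",))
    reasons = []
    if number in in_house_objections:
        reasons.append("in-house objection")
    if number in tps:
        reasons.append("TPS")
    if number in ctps:
        reasons.append("CTPS")
    return ScreeningResult(number, not reasons, tuple(reasons))


def screen_batch(raws: Iterable[str], tps: Set[str], ctps: Set[str],
                 in_house_objections: Set[str]) -> List[ScreeningResult]:
    """Screen a whole call list, preserving input order for audit purposes."""
    return [screen_number(r, tps, ctps, in_house_objections) for r in raws]


def callable_numbers(results: Iterable[ScreeningResult]) -> List[str]:
    """The subset of normalized numbers that passed every check."""
    return [r.number for r in results if r.callable]


# Constructed sample data (Ofcom drama ranges; no real subscribers).
TPS_SAMPLE = {"+447700900123"}     # stands in for a TPS export line
CTPS_SAMPLE = {"+442079460456"}    # stands in for a CTPS export line
OBJECTIONS = {"+441632960789"}     # a prospect who previously asked not to be called

CONSTRUCTED_PROSPECTS = [
    "020 7946 0456",      # on CTPS
    "+44 7700 900123",    # on TPS
    "01632 960789",       # objected in-house
    "0044 1632 960999",   # clean
    "not a number",       # bad CRM data
]

if __name__ == "__main__":
    for result in screen_batch(CONSTRUCTED_PROSPECTS, TPS_SAMPLE, CTPS_SAMPLE, OBJECTIONS):
        status = "OK" if result.callable else "BLOCKED " + ", ".join(result.reasons)
        print(f"{result.number:>16}  {status}")
```

Keeping the reasons alongside each verdict matters more than the verdict itself: when a complaint arrives, the record of which register or objection blocked (or failed to block) a call is what you will need to show. Unparseable entries are treated as not callable rather than silently dropped, so dirty CRM data surfaces as a data-quality problem instead of an unscreened call.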
Automated calls are made by an automated system and typically play a recorded message. Consent is required to make legitimate automated calls. This consent must meet the standard required under the GDPR.
For compliant automated calls, your business must:
- Identify who is calling
- Display your phone number
- Provide the company name and contact details to the recipient
There are a number of technology solutions to help automate many of these processes for your business.
How ZoomInfo Supports Your Privacy Compliance
ZoomInfo’s platform contains a number of features to support our customers without compromising data privacy.
Article 14 Notifications
ZoomInfo delivers an Article 14 compliant data collection notice to all addressable contacts in our database. This gives our customers confidence that their data has been collected in a transparent manner. You can check when this notice was delivered within the ZoomInfo platform.
Built-in Do Not Call Suppression
ZoomInfo incorporates multiple do not call lists into our platform’s compliance features. To help our customers meet their compliance requirements, the do not call suppression feature is enabled by default in the UK and Ireland. This means that any phone number registered with either the TPS or CTPS will not be displayed on the contact’s record by default.
Dedicated Privacy Team
ZoomInfo is proud to have a dedicated privacy team, including staff based in the UK. Our privacy sales support team members are happy to help customers understand the regulatory landscape and point them toward guidance from regulators and other industry bodies.
We’ve recently revamped our privacy center to make the process of updating or removing personal data from our platform easier than ever. Additionally, we’ve listed all of our privacy practices, certifications, and frequently asked questions. To see how we compare to the competition, our privacy practices are outlined in our TrustPage.
Note: The above article is for informational purposes only. ZoomInfo is not qualified to provide legal advice of any kind, and is not an authority on the interpretation of US or international laws, rules, or regulations. To understand how the GDPR, EU marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.