Action point 3.8

Does Privacy and Electronic Communications Regulations (PECR) 2003 apply?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR.  PECR gives individuals specific privacy rights in relation to electronic communications.  PECR applies to a law firm if it:

  • Conducts marketing by phone, email, fax or text;
  • Uses cookies on its website.

PECR will be applicable to the Law Firm where it conducts direct electronic marketing to individual subscribers (‘individual customers, including sole traders), also referred to as Business to Consumer.  This will impact on your decision-making around your legal basis for processing personal data in relation to marketing activities.

The ICO is responsible for enforcing PECR and they have several ways in which they can act to change the behaviour of anyone who breaches PECR, they include:

  • Criminal prosecution;
  • Non-criminal enforcement; and
  • Audit

The ICO can also issue fines up to £500,000.  In a recent (August 2018) report from the Commissioner’s office, nuisance calls and texts are the biggest concern.  During the month of August 2018, the ICO had 103 cases under investigation and had issued 14 third-party information notices to try and identify companies making nuisance calls.

PECR is currently under review, an updated ePrivacy Regulation is expected by 2020.  More information can be found on the ICO’s website, click the link here.

Action point 3.9

Where are the personal data and/or special categories of personal data stored?

When mapping your organisation’s personal data and special categories of personal data, record where the data is physically located. Consider if it is stored:

  • within client files in an open plan office in unlocked cabinets;
  • on an encrypted server, with restricted access;
  • only stored in the client management system on the server;
  • In a cloud-based system, with servers in the United States;
  • Within individual employee email accounts;
  • On individuals’ desktop PCs/Laptops that are not backed up;
  • On backup tapes stored remotely;
  • On unencrypted USB memory sticks.
  • On a data processor’s database / system.

The above list is not exhaustive; however, it should highlight that personal data can be stored in multiple locations.  There are a number of reasons that it is useful to understand the location of data:

  • if the organisation receives a data subject access request from a current employee, knowing where the data is stored will assist the organisation in understanding the scope of the searches that will be needed and the time that will be involved in managing the request;
  • in order to be transparent and accountable, organisations need to present individuals with privacy notices that clearly indicate where data is stored (in particular if it is outside the EEA) and to reassure individuals that data is secure.

It is important for an organisation to have identified and record where the data is stored in relation to the processing activity.

Action point 3.10

What is the volume (number of records) that you process (this is useful in the event of a breach of personal data)?

Action point 3.11

Who has access to the personal data?

Consider what personal data is available to staff internally, where you may have to share data externally (e.g. HMRC) and where third-party data sharing takes place to deliver services (e.g. cloud providers, external payroll providers, external experts, other law firms etc).

A need-to-know approach is usually a healthy start-point when reviewing access. It is for instance, highly unlikely that a trainee solicitor would need to know the pension details of other members of staff.

Action point 3.12

What are the retention periods for each of processing activity?

  • Is the organisation subject to any specific legal, regulatory, or other requirements that impose specific time limits on the retention of personal and special categories of data?
  • Where is the retention period documented?
  • What procedures are in place to review the retention of personal and special categories of personal data and its ongoing relevance?

Article 5.1e of the Regulation states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitat...