UK PECR compliance audit quick check 🇬🇧
Average score: 6.7
Get instant feedback on your UK PECR compliance with our free PECR audit tool.
Check your compliance with the UK’s direct marketing and communications law “PECR”. This law covers direct marketing channels including email, SMS and phone. It also provides rules on your use of cookies and tracking technologies such as Google Analytics or Facebook Pixel.
This tool will help you make a basic assessment of your current compliance level. By completing this quick audit you will be able to identify some areas where you may need to change your current policies and procedures. Please be aware that this will only provide a surface level awareness of your current compliance issues. A full audit requires a more thorough assessment. You can contact our team directly to request a full audit.
Section 1 of 5
10 question quick check
Answer the questions below. Choose the best fit answer for your organisation.
Short on time?
Get PECR compliance tips including step by step information on how to fix the issues above on our email list. You’ll also get important updates about data privacy law and occasional special offers. Unsubscribe at any time.
Section 2 of 5
Understanding your results
Score 10: Well done. You have a good level of compliance and/or are privacy conscious.
Score 7-9: Good work. But there are probably some areas where more work is required. Make sure you address any issues raised. Read the explanations in Step 3 to help determine what action you need to take.
Score 0-6: Don’t panic. We’ve seen this many times: companies focused on growth can end up forgetting about those pesky data laws. Be aware that right now you are at risk of legal action, which may result in an investigation and/or a financial penalty. But this is easily fixed, and you probably won’t need any lawyers unless your data use is complex. Read below to learn more about each issue. You can also join our email list, which will keep you up to date when the law changes.
Section 3 of 5
Some points to review
Corporate subscribers vs individual subscribers
PECR has some differences in the rules for direct marketing to b2c customers vs b2b customers. In many situations marketing to b2b customers is easier than to b2c customers. However, it’s not as simple as determining the context to be b2b, or asking for a company name or work email when you collect the data. The exemptions which make marketing to b2b customers easier only apply to certain types of company within the UK. Sole traders, for example, who may be on your mailing list for b2b purposes, must have b2c rules applied to them.
Because it’s not straightforward you must determine a process for splitting your list by individual and corporate subscribers if you wish to make use of any of the exemptions allowed under PECR.
Tagging your data subjects
If you are sending direct marketing to people it’s best to be crystal clear on what legal basis you are relying on. This is especially important if you are relying on legal bases other than consent such as the soft-opt-in under PECR.
By tagging your contacts clearly within your databases you can make sure that the right communications go to the right people under the right legal basis every time and avoid mistakes that have put brands like AMEX and WeBuyAnyCar in hot water.
Email marketing
PECR sets rules around who you can send electronic marketing communications like email to. If you are sending any marketing by email you should make sure you are fully aware of the rules and should continually review that your processes comply. There are also rules that cover how you should handle requests to opt-out of marketing communications. At a minimum you should have a clear unsubscribe link included in every marketing email that you send.
Marketing by phone
PECR sets rules on who you can market to by phone. Simply collecting or finding a phone number is not enough to begin marketing to that contact. You must either gather explicit consent or rely on another legal basis such as legitimate interests. If you choose the latter, you will also need to check the number against the TPS and/or CTPS lists. Failing to do so could put you at risk of a fine of up to £500,000.
Cookie policy
PECR sets rules on the use of cookies and other tracking technologies, which include things like Google Analytics and Facebook Pixel. If you use any of these technologies on your website or app you must be aware of the rules. In most cases you will need consent to set cookies, and this will require a consent mechanism. A simple notice is no longer sufficient unless your cookies qualify for an exemption (most cookies do not). You can check out some of the most common cookie banner mistakes in this article.
Training
Sales and marketing staff perform tasks which are covered by the PECR rules every day, such as contacting prospects/customers, sending out direct marketing campaigns and using digital tracking technologies like cookies on websites and apps. PECR investigations can result in you being obliged to delete data that was not correctly acquired or processed, which could see your marketing list wiped out overnight. Fines for non-compliance can reach up to £500,000.
Therefore it’s a clever decision to invest in some training for your team. Our PECR and ePrivacy for Marketers course covers everything you need to know and no prior knowledge of GDPR is required.
Section 4 of 5
The problem with poor compliance
Fines
Non-compliance with data privacy laws like PECR can be costly. Under PECR, a fine can be issued of up to £500,000 for non-compliance.
Investigations
There’s no greater buzzkill than a regulatory authority like the ICO turning up at your door to audit your processes, or in response to complaints.
Ethical challenges
Respecting the right of your customers and employees to privacy is the right thing to do. We can learn how to use data responsibly whilst still getting results.
Criminal liability
It’s not just the company as a legal entity that can get into trouble. Individuals within the company can find themselves personally liable to be prosecuted for negligence under the Data Protection Act whether they committed the offence themselves, or they were negligent in a supervisory role.
Reputation damage
It’s hard for customers and prospective employees to trust your brand when the first thing they find about you in Google is news about your latest data breach. And if you end up moving on to a new role, you’ll need to be prepared for some awkward interview questions.
Losing out on investment
Investors can include data privacy law compliance as part of their due diligence, or as a bargaining chip. After all, how much is your business really worth if the customers on your database aren’t even legally contactable?
Failing supplier due diligence
Established brands include data privacy law compliance as part of their procurement due diligence. If you can’t complete the paperwork, they can’t be your customer.
Data deletion orders
If you are caught for non-compliance you may be ordered to delete data which was not properly acquired or processed. Similarly, applying data protection law retrospectively may oblige you to delete valuable data such as customer databases.
Section 5 of 5
Fixing your compliance issues
DIY
Take control of your own data privacy programme by training your team online. Implement what you learn straight away and use our templates to help keep you on the right track.
Outsource
Keep the focus on your growth; we’ll sort the data compliance. Work directly with our data privacy experts. Get proactive support and expert guidance at a considerable discount to hiring in-house talent or lawyers by the hour.
Get email updates from us about data privacy law
We’ll keep you up-to-date with some of the things you need to know to stay on the right side of the law. You’ll also get invites to contribute to our campaigns and events.