Understanding the impact of GDPR & PECR

The General Data Protection Regulation is effective from May 25th 2018.

The following article outlines what steps we have taken to assist you with your responsiblities under the new regulation.

Changes to our legal agreements

  • Updating our terms and conditions to include an addendum which provides clarity around the Data Processor (The Layer) /Controller (Customer) relationship.
  • Updating our privacy policy to provide clarity around the data we collect and for what purposes

Changes to the Layer

  • Customer contact preferences, including opt in methods and dates. This relates to the right to opt-in for marketing purposes (see PECR guides below for B2B marketing) - available now
  • Ability to export out a customer or lead record (this is required for indivduals and sole traders) and relates to the right to data portability and also right to access data via a subject access request (not the different management of individuals/ sole traders and companies/public bodies) - available June 18
  • Assisted support project to ensure your contact lists are GDPR compliant and that you can send out a customer GDPR policy update (contact your account manager to confirm the cost).

Existing Layer features

  • Ability to delete a lead or customer record satisfies the right to erasure, note that if the justification for processing data is legal (which includes HMRC and accounting practices) this may override a user's request for deletion.
  • Marketing module clean unsubscribes function, ensures that the unsubscribe cleanse has to be completed prior to sending out a campaign. There is also a requirement to add the unsubscribe link to email campaigns.
  • Encrypted fields - it's possible to protect sensitive information, using our encrypted fields. It is good practice to use encrypted fields where you are collecting information that should be restricted to certain users and audited for access
  • Access to data - The Layer provides key permissions to restrict access to data to only those users who need to access it (consider restricting access to sales orders, cases, leads and customers etc.) as well as reports and widgets.
  • Exporting data & reporting - Using Layer permissions it's possible to prevent users from subscribing to work stacks (and emailing out customer information), exporting work stacks, data and reports.
  • Case categories - create new case categories to capture the various customer requests under GDPR and PECR such as subject access recquests, and use checklist steps to ensure compliance with all requirements as well as adhering to set SLAs.
  • Try to promote storing of data which is only relevant to the business and avoid creating custom fields which store sensitive individual data unless it is required as part of the contract such as gender, birth dates etc.
  • Data retention - it's possible to review cancelled customers in The Layer and delete their records. You can also view inactive assets to decided based on expiry date, whether the data should be deleted.
  • TPS - We have a chargeable update service for TPS to ensure that your data is checked against the TPS list which is updated monthly.
  • Audit Trail - Our audit trail ensure that access and key actions performed on a customer account can be traced back to a specific Layer user. As each user has a unique login, it's possible to trace actions back to a specific person. 
  • 2FA & AES-256 bit Encryption - The Layer has multiple levels of security to protect data from external threats.
  • White-listing ability to reduce the IP addresses that can access your instanc
  • Password management & timed log out - password changes every 45 days, enforced use of complex passwords, password auditing & proactive login monitoring
  • Data Imports - it's possible to mass update contact preferences via data manager

Please see a table below from the ICO highlighting the legal grounds for justifiying the storing and processing of data and where the indivdual's right is secondary to the justification i.e. health records, criminal records etc. There could be a combination of contract and legal reasons for storing data (HMRC, supplier payment reconcilliation, accounting compliance etc).

Where is our data stored?

In accordance with the GDPR cross border data transfer clause, customer data is securely stored in the EU via our hosting providers, Microsoft and Amazon. This includes redundant sites, disaster recovery and backup systems.

Useful Links

Preparing for the GDPR The ICO website provides a helpful data controller questionaire, the 'more information' options provide clarity on your obligations under the new regulation.

GDPR - 12 step guide  An overview of all the 12 steps required to prepare for GDPR

PECR Guide - This guide is useful for understanding the impact of GDPR on marketing to both B2B companies and Individuals. In a nutshell: It is possible to continue marketing to business customers provdided that you give them the option to opt out and have cleansed your data against an approved list for TPS. No such list exists for SMS or email marketing. N.B. for individuals (including sole traders) they must opt-in to communications, meaning ultimately that you must have evidence of them requesting marketing via a checkbox (not pre-ticked).

Impact on Marketing Activities Checklist  This checklist from the ICO outlines the differences between the management of marketing to individuals and companies.

Guidance for Managing a Data Breach


We have provided all guidance and additional development work relating to GDPR in an attempt to make it easier to become/ maintain compliance. The suggestions above are based on our interpretation of the GDPR and we recommend that you consult with a solicitor or GDPR consultant to ensure that you have met all your obligations effectively.

Author: Michelle Livingstone