At NextSupport, we are dedicated to ensuring lawful and transparent electronic communications. As a leading UK-based AI calling service provider for business process outsourcing (BPO) firms, call centres, and industries such as Healthcare, Real Estate, and E-commerce, we fully comply with the Privacy and Electronic Communications Regulations (PECR) 2003, alongside the UK GDPR and Data Protection Act 2018. Our robust policies and transparent practices ensure that all marketing calls and messages are conducted ethically and legally, building trust with our clients and their customers.
What is PECR?
The Privacy and Electronic Communications Regulations (PECR) 2003 is a UK law that regulates electronic communications, including marketing calls, emails, texts, and faxes. It complements the UK GDPR by setting specific rules for obtaining consent, providing opt-out options, and ensuring transparency in communications. Non-compliance can result in fines of up to £500,000, as enforced by the Information Commissioner’s Office (ICO).
Our Role in Electronic Communications
NextSupport provides AI-driven calling services, which may include marketing calls or messages on behalf of our clients (e.g., lead generation for Real Estate or promotional campaigns for E-commerce). As a data processor, we act on client instructions to ensure all electronic communications comply with PECR, particularly for outbound marketing activities.
Consent for Marketing Communications
We adhere to PECR’s strict rules on marketing communications:
Explicit Consent: For cold calls or messages to individuals, we ensure clients have obtained prior consent from recipients, such as through an opt-in form (e.g., “Tick here to receive marketing calls”).
Soft Opt-In: For existing customers, we apply the soft opt-in rule where applicable, allowing marketing calls if the customer has previously purchased a similar service and was given a clear chance to opt out at the time of purchase.
Corporate Subscribers: For calls to businesses, we comply with PECR by respecting corporate opt-out lists, such as the Corporate Telephone Preference Service (CTPS), ensuring we do not contact businesses that have registered to avoid marketing calls.
Transparency and Identification
We ensure transparency in all electronic communications:
Caller Identification: During marketing calls, we clearly identify ourselves as NextSupport acting on behalf of our client, providing contact details (e.g., “This is NextSupport calling on behalf of [Client Name], reachable at [Client Contact]”).
Purpose of Contact: We state the purpose of the call upfront, such as, “We’re calling to discuss our latest property listings tailored for you.”
AI Disclosure: When using AI agents, we inform callers transparently, with prompts like, “This call is handled by an AI agent for quality purposes.”
Providing Opt-Out Options
We comply with PECR by offering clear and simple opt-out mechanisms:
During Calls: Callers can opt out of future marketing communications at any time, with prompts like, “Press 9 to opt out of future calls.”
Do-Not-Call Lists: We maintain an internal do-not-call list, ensuring individuals who opt out are not contacted again for marketing purposes.
Client Support: We assist clients in managing their own opt-out processes, ensuring compliance with PECR across all campaigns.
Data Security in Communications
We implement robust security measures to protect personal data used in electronic communications, aligning with PECR’s requirements:
Encryption: We use AES-256 encryption for data at rest and TLS 1.3 for data in transit, safeguarding data during communication processes.
Access Controls: Role-based access controls (RBAC) ensure only authorised personnel can access marketing data, with multi-factor authentication (MFA) enforced.
UK-Based Storage: All data is stored on Amazon Web Services (AWS) servers in the UK, specifically in the London region (eu-west-2), ensuring compliance with UK data protection laws.
Audits: We engage CyberSec Solutions for quarterly penetration testing and annual security audits to maintain data integrity.
Record-Keeping and Compliance
We maintain detailed records to demonstrate PECR compliance:
Consent Records: We document how and when consent was obtained, including timestamps and opt-in details, accessible for ICO audits.
Opt-Out Logs: We track all opt-out requests to ensure individuals are not contacted again, aligning with PECR requirements.
Audit Trails: We log all marketing communications, including call scripts and timestamps, for transparency and accountability.
Training and Awareness
We prioritise PECR compliance across our organisation:
Regular Training: All employees receive annual PECR training, covering consent rules, opt-out processes, and ethical marketing practices.
Specialised Training: Our AI development team is trained on ensuring AI-driven communications comply with PECR, including transparency in automated calls.
Client Guidance: We provide clients with PECR compliance guidance, ensuring their marketing campaigns meet legal standards.
Assisting Clients with Compliance
We support our clients in meeting their PECR obligations:
Data Processing Agreements (DPAs): We provide DPAs outlining our responsibilities, ensuring alignment with client instructions.
Consent Management: We assist clients in obtaining and documenting consent, such as providing opt-in scripts for marketing campaigns.
Compliance Reporting: Clients can request our Compliance Report, detailing our PECR adherence, available upon signing an NDA.
Sub-Processors
We use vetted sub-processors that comply with PECR:
AWS: For data storage, AWS ensures secure handling of communication data in the UK.
Twilio: For telephony services, Twilio adheres to PECR through its data protection agreements.
Client Consent: We obtain client consent before engaging sub-processors and ensure they sign DPAs.
Data Breach Notification
In the unlikely event of a data breach affecting electronic communications, we follow PECR procedures:
ICO Notification: We notify the ICO within 72 hours, as required by UK GDPR, which complements PECR.
Client Notification: We inform affected clients promptly, providing details and mitigation steps.
Mitigation: We contain breaches, for example by isolating affected systems, and conduct root cause analysis to prevent recurrence.
Ongoing Compliance Efforts
PECR compliance is a continuous commitment for NextSupport:
Regular Reviews: We review our practices quarterly to align with updates to PECR and ICO guidance.
External Expertise: We engage Compliance Experts Ltd. for independent audits and recommendations.
Technology Upgrades: We enhance our AI systems to improve consent management and opt-out processes, ensuring ongoing compliance.
Frequently Asked Questions (FAQs)
How can I opt out of marketing calls?
During a call, press 9 to opt out, or contact our team at compliance@nextsupport.co.uk via our Contact Us page to be added to our do-not-call list.
How does NextSupport obtain consent for marketing calls?
We ensure clients obtain explicit consent from individuals before initiating marketing calls, or we apply the soft opt-in for existing customers, as per PECR rules.
What happens if I’m on the CTPS but still receive a call?
We respect the CTPS. If you receive a call in error, please contact us at compliance@nextsupport.co.uk, and we’ll investigate immediately.
How does NextSupport ensure AI complies with PECR?
Our AI systems inform callers of automated processing, and we provide opt-out options, ensuring transparency and compliance with PECR.
Can I request details of marketing communications involving my data?
Yes, contact our DPO at dpo@nextsupport.co.uk via our Contact Us page to request details, which we’ll provide within 30 days.
Download Our Compliance Report
For a detailed overview of our PECR compliance measures, download our Compliance Report (available upon request after signing an NDA), including audit summaries and communication logs.
Contact Us
For questions about our PECR compliance, to opt out of marketing communications, or to request documentation, contact:
Data Protection Officer: sales@nextsupport.co.uk
Compliance Team: compliance@nextsupport.co.uk
Additional details are in our Privacy Policy.
Conclusion
NextSupport is committed to upholding the highest standards of electronic communications under PECR, ensuring all marketing calls and messages are lawful, transparent, and respectful of user preferences. Our comprehensive approach provides peace of mind for our clients, allowing them to engage their audiences confidently while we manage their communications with integrity.
Compliance Table
| Aspect | Description | NextSupport’s Approach |
|---|---|---|
| Consent | Obtain consent for marketing calls. | Ensures explicit consent or soft opt-in, documented for audits. |
| Transparency | Identify caller and purpose. | Provides caller ID and AI disclosure, stating purpose upfront. |
| Opt-Out Options | Offer clear opt-out mechanisms. | Includes in-call opt-out (e.g., “Press 9”) and do-not-call lists. |
| Security | Protect data in communications. | Uses AES-256, TLS 1.3, and AWS UK servers. |
| Accountability | Maintain records and comply. | Keeps consent and opt-out logs, conducts audits with Compliance Experts Ltd. |
| CTPS Compliance | Respect corporate opt-out lists. | Adheres to the CTPS, avoiding calls to registered businesses. |