Directors face £500,000 fines as PECR amendment takes effect

The UK government’s latest amendment to the PECR (Privacy and Electronic Communications Regulations) took effect on 17 December 2018, strengthening the regulator’s disciplinary powers. Under the new rules, directors as well as organisations can be held accountable for fines of up to £500,000.

The PECR cover several areas, including electronic marketing, cookies and the security of public electronic communication services. It also prohibits organisations from sending electronic communications without first gaining recipients’ consent.

Should you be concerned?

Although the amendments appear to be aimed at organisations that brazenly flout the law, IT Governance’s founder and executive chairman, Alan Calder, believes that all directors need to be careful.

“The challenge is not that most legitimate organisations will ‘connive’ to break the PECR. It’s much more likely that their negligence – in not ensuring, for instance, that there’s a genuine legitimate interest and lawful basis for marketing to a number of individuals – will get them into trouble.

“Any sensible company director or marketing manager should satisfy themselves that the organisation has an appropriate privacy notice, a lawful basis for its marketing communications, and appropriate opt-out and other data subject rights provisions.”

The stakes are particularly high for directors, as the ICO (Information Commissioner’s Office) has the power to find them personally accountable for violations. This applies even if their organisation goes into liquidation or they are no longer in a senior position at the company.

This rule is intended to make it harder for those who breach the law to set up a new organisation and carry out similar non-compliant activities.

Stay PECR compliant with GRCI Law – a new sister company of IT Governance

Now that the potential penalties for PECR violations are much stronger, it’s a good idea to conduct an audit to make sure your processes meet the Regulations’ requirements. Organisations that need advice on how to comply should consider our sister company, GRCI Law’s, new PECR Audit service.

Our team of privacy and security experts will help you address the nine key areas of PECR compliance. They begin by asking you in-depth questions to identify your organisation’s areas of risk, vulnerabilities and threat exposure.

With that information, we provide you with recommendations for improvement, and confirm key areas that are already in line with PECR standards. Where possible, information and guidance will be provided where supporting law is not in place.

This service is ideal for organisations that are currently working to the PECR framework but need reassurance and confirmation that their policies, procedures, records, templates and key decisions meet the required standards while fulfilling obligations under the GDPR (General Data Protection Regulation) and Data Protection Act 2018.

Read more about GRCI Law here.