With all the attention that’s been paid to the GDPR (General Data Protection Regulation) over the past two years, organisations are neglecting other data protection laws, according to figures released by the ICO (Information Commissioner’s Office).
It issued 17 fines between January and September this year for breaches of the UK’s PECR (Privacy and Electronic Communications Regulations), which outline the way organisations carry out electronic marketing and data processing.
PECR violations are less costly than those associated with the GDPR – with the ICO’s fines totalling £980,000 – but these are still significant penalties for avoidable incidents.
Remember, the PECR aren’t tied to complex and potentially expensive measures to prevent data breaches; they’re mostly associated with good practice on consent and personal data processing.
What are the PECR?
The PECR cover several areas, including electronic marketing, cookies and the security of public electronic communication services. They also prohibit organisations from sending electronic communications without first gaining recipients’ consent.
Many of the ICO’s penalties relate to breaches of the PECR’s consent requirements. In particular, organisations often send marketing emails to people using a list of email addresses that was obtained for a different purpose.
The GDPR complicates PECR compliance
Part of the problem with PECR compliance is that, unlike the GDPR, the requirements apply even if organisations aren’t processing personal data – for example, when the person being contacted can’t be identified based on the information the organisation has on file.
It appears that many organisations are basing their understanding of what’s legal on the GDPR’s requirements, falling foul of the PECR in the process.
Another problem is that organisations are breaching the PECR through activities intended to ensure GDPR compliance.
For example, the British airline firm Flybe was fined £70,000 in 2017 for PECR violations after it sent more than 3.3 million marketing emails to people who had opted out of receiving them.
Flybe said it had sent the emails in order to update its records to ensure they complied with the GDPR.
The emails advised people to amend out-of-date personal information and update their marketing preferences. However, the ICO said Flybe should have obtained people’s consent before sending the emails.
“Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing, and it is against the law,” said Steve Eckersley, head of enforcement at the ICO.
“In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them.”
Directors can be punished
The latest amendment to the PECR, which took effect in December 2018, means that directors as well as organisations can be held accountable for violations.
The rule, which is enforceable with a £500,000 fine and a four-year ban from forming or managing an organisation, is intended to make it harder for those who breach the law to set up a new organisation and carry out similar unlawful activities.
Although the amendments appear to be aimed at organisations that brazenly flout the law, all directors need to be careful.
IT Governance’s founder and executive chairman, Alan Calder, adds:
“The challenge is not that most legitimate organisations will ‘connive’ to break the PECR. It’s much more likely that their negligence – in not ensuring, for instance, that there’s a genuine legitimate interest and lawful basis for marketing to a number of individuals – will get them into trouble.
“Any sensible company director or marketing manager should satisfy themselves that the organisation has an appropriate privacy notice, a lawful basis for its marketing communications, and appropriate opt-out and other data subject rights provisions.”
Want to know whether you’re PECR compliant?
If you’re concerned that your organisation violates the PECR, you should assess your practices as soon as possible.
You don’t need a legal expert to get started. Instead, you can turn to our PECR Audit service, in which our team of privacy and security professionals review your practices to identify areas of risk, vulnerabilities and threat exposure.
With that information, we provide you with recommendations for improvement, and confirm key areas that are already in line with PECR standards.