The Privacy and Electronic Communications Regulations (PECR) provide protection to people receiving electronic communications from organisations. They were most recently updated in December 2018 to, amongst other things, introduce director liability for serious breaches of the rules. The fines aren’t as scary as the GDPR but they’re still eye-wateringly high at £500,000.
They apply to organisations that:
- markets to individuals or companies via telephone, email, text or fax;
- is a public communications or network provider; and/or
- directory providers.
Please note that the PECR apply even when no "personally identifiable information" is being processed.
What do I need to do?
You’ll need to get familiar with the PECR and then review all your electronic communications activity to ensure you’re operating compliantly. Or you can appoint an expert to help by commissioning a PECR Audit.
You’ll need to look at where training, process or system changes can help you achieve and maintain compliance.
For example, you must not make unsolicited live calls to anyone who has has previously opted out of them, or make any calls to any number registered with any TPS, unless you have their specific consent.
Are you aware of the Telephone Preference Service (TPS) and also the Corporate Telephone Preference Service (CTPS)?
If you make such calls, what processes do you have in place to ensure you meet these requirements? How do you check the effectiveness of these measures? The PECR also sets out rules around sending emails, texts and faxes (if anyone sends those anymore!)
When the GDPR arrived, so many business believed they needed consent for all email marketing activity, but that’s not strictly true. Please make sure you read and properly understand the Regulations before making any drastic changes in your business. The best place to start is the ICO’s Guide to the PECR.
GDPR and consent
The PECR and GDPR are intended to work alongside each other, and the GDPR is not intended to stray into anything already covered under the PECR. Importantly, the GDPR provides an updated definition of consent. So, in all areas where the PECR require you obtain consent, it must meet the strict requirements of lawful consent under the GDPR.
Then there’s Cookies to think about too. You now need to obtain GDPR levels of consent for all cookies that are not “strictly essential” – this includes Google Analytics cookies! This will be game changing for most digital businesses, and it’s not necessarily an easy business problem to solve.
Still need help?
Smarter Data Protection are specialists in data protection and compliance. We are ISO and IBITGQ accredited and provide concise, accurate guidance that you can implement straight away to protect your business.
We are passionate about privacy and make your compliance process simple and transparent.
If you need help handling a subject access request, GDPR compliance or any aspect of data protection get in touch.
Protect your business. Protect your data. Choose Smarter Data Protection.