20 Dec 2018 | Cyber Security, GDPR

Directors face up to £500,000 fines as PECR amendment comes into force.

Howard Freeman

The UK government’s amendment to the PECR (Privacy and Electronic Communications Regulations) came into effect on 17th December 2018, with an increase in the maximum fine for violations to £500,000.

The PECR cover several areas, including electronic marketing, cookies and the security of public electronic communication services. They also prohibit organisations from sending electronic communications without first gaining recipients’ consent.

This change in the law also means that bosses of nuisance call companies will be personally liable if their business breaks the law and could face fines of up to £500,000.

Under the new rules the Information Commissioner’s Office can hold bosses directly responsible. Previously the data protection regulator could only fine the company, which allowed bosses to escape paying out by declaring bankruptcy and starting up again under a new company name. Let’s talk about electronic marketing activities.

Does this affect me?

If you are a director of a company that is engaged in electronic marketing then yes, it does. The amendments appear to be aimed at organisations that simply ignore the law and are quite happy to carry out mass marketing campaigns without consent, but we believe that all directors need to be careful.

We understand that most directors do not set out with the intention of breaking the PECR but may do so inadvertently. Directors must assure themselves that they have a suitable privacy policy in place, that they offer an appropriate opt-out option, that the lawful basis for sending marketing communications is justified, and that all rights and freedoms of the recipient individuals have been properly considered.

The stakes are particularly high for directors, as the ICO (Information Commissioner’s Office) has the power to find them personally accountable for violations, as with the nuisance calls law changes. This applies even if their organisation goes into liquidation or they are no longer in a senior position within the business.

Now that the penalties for PECR violations are likely to be much stronger, we strongly recommend that you conduct an audit to make sure your processes meet the requirements of the Regulations. Our team can help you with compliance with the PECR and help you ensure that your processes do not put you at risk from the ICO. We can provide guidance and assurance that your current practices are compliant whilst fulfilling obligations under the GDPR (General Data Protection Regulation) and Data Protection Act 2018.

The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.


Can we help?