The Information Commissioner’s Office (ICO) has been granted additional powers to hold company director’s directly responsible for breaches of the Privacy and Electronic Communications Regulations (PECR).
Entering into force in December 2018, the Privacy and Electronic Communications (Amendment) Regulations 2018 widen the scope of penalties that can be imposed by the ICO. It will allow the ICO to impose fines of up to £500,000 to a company’s directors.
Background
The PECR functions alongside the Data Protection Act and the General Data Protection Regulations (GDPR). It aims to recognise and respond to the widespread use of the internet and digital mobile networks, covering several areas including:
- Electronic marketing, including calls, texts and emails;
- Use of cookies and similar technology that track use of websites and similar electronic services;
- Security of public electronic communication services; and
- Privacy of customers using communications networks, services and directories (for example, caller ID).
The fundamental aim of the PECR is to prohibit a company from ‘transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing, unless that individual has given their prior consent to receive such communications’.
Having been amended on five occasions, the PECRs most recent legislative amendment arrives at a time where the Financial Conduct Authority (FCA) recorded that the UK’s adult population received approximately 2.7 billion unsolicited calls, texts and emails in the last 12 months.
What will change?
Under the new rules, the ICO has discretion in deciding whether it wishes to impose fines on a company, its directors, or both. This will address potential issues where a company is fined by the ICO and it fails to pay such fine, or enters into liquidation.
In some circumstances it has been observed that upon receiving a fine, a company will voluntarily enter into liquidation and will later re-open using a different company name - a practice coined as ‘phoenixing’. By imposing a fine upon a director in this instance, the ICO hopes that this outcome will be avoided and that fines will be paid.
How should companies address the amendments?
Companies (with an emphasis on its directors) should be aware of what steps their business is taking in relation to both direct and electronic marketing, and how this will impact consumers.
Companies should also be aware of the wider framework of regulations that are in place in addition to the Data Protection Act and GDPR.
Beverley Flynn