PECR

Privacy and Electronic Communications Regulations

What are the PECR?

The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) are a UK law that implements the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.

The PECR are affected by the rules on consent in the GDPR (General Data Protection Regulation), so organisations need to ensure they comply with both laws if they send electronic marketing messages, use cookies or provide electronic communications services to the public.

Since Brexit, there are two versions of the GDPR that UK organizations might need to comply with:

· The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
· The EU GDPR, which continues to apply to the processing of EU residents’ personal data.

What are the regulations of PECR?

The PECR govern the access that corporate organizations based in the UK and the EU have to customer information. These laws also apply to businesses that are currently operating in the United Kingdom.
Even if a corporation is not situated in the UK or EU, it must follow the data protection regulations outlined in GDPR Article 3 when communicating with persons in the UK and EU.

What do the PECR cover?

The PECR apply to:

What are the penalties for not complying with the PECR?

The ICO has the power to take action against organizations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit, and the imposition of monetary penalties of up to £500,000.

How can DPOsphere help you comply?

Understand your level of PECR compliance with our independent PECR Audit service, which assesses:

· Organization-wide awareness of the PECR;
· How risks are managed and the accompanying documentation;
· Staff training;
· Your ISMS (information security management system), including testing and frameworks;
· The security procedures in place, such as access limitation;
· Handling of data subjects’ rights and privacy notices;
· Data transfer mechanisms and third-party processors; and
· Your breach response processes.