14 January 2019

The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR and DPA to enforce strict rules concerning the protection of electronic communications.

Any organisation that sends electronic marketing communications via phone, fax, email or text, uses web cookies, or provides communications services to the public falls under the PECR’s scope, and must be aware of its information security requirements.

What are the PECR?

The Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR, are designed to improve the privacy and security of electronic communications across the UK.

Introduced in response to the EU e-privacy Directive (Directive 2002/58/EC), the PECR have been updated several times, most recently in December 2018. All organisations are subject to PECR restrictions on marketing communications, web cookies and location data. The PECR also introduce additional obligations for service and network providers to maintain robust cyber security and prevent breaches.

PECR and GDPR

The EU’s e-privacy Directive was devised over a decade prior to the enactment of the General Data Protection Regulation (GDPR), but despite the overlap, the PECR and GDPR apply in tandem.

While the GDPR does not replace the PECR, it does update the underlying standards for obtaining, recording and managing consent. Many of the controls organisations need to implement to adhere to the requirements of the GDPR will also help to achieve PECR compliance, but there are important differences to be aware of.

The main distinction is that the PECR apply even where the individuals being contacted cannot be personally identified. To avoid duplication, sections of the GDPR do not apply to network or service providers who already have additional obligations under the PECR.

The EU is currently in the process of developing a new e-privacy Regulation, which will eventually replace the PECR. However, this is yet to be agreed, and for the foreseeable future GDPR and PECR rules will continue to apply alongside each other.

PECR requirements

Among PECR requirements are new rules on marketing communications, web cookies, updated thresholds for consent and new information security standards for service and network providers.

Marketing, Cookies and Consent

The PECR outlaw unsolicited marketing communications by phone, fax, email, text and other electronic means. While the rules differ slightly per communication method, they all focus on the need for organisations to obtain positive, freely given, clear and specific consent from individuals. While the rules are stricter for business-to-consumer (B2C) marketing, they still apply to business-to-business (B2B) marketing where communications are directed at specific individuals.

Organisations that use web cookies must also clearly explain which cookies they use, what they do and why they are required. Any cookies that are not entirely necessary to fulfil a user’s request also require active and clearly given consent, even if the data is anonymised. Desktop and mobile applications that store additional information on users are required to clearly outline use of cookies prior to installation.

Communications Networks and Services

Under the PECR, service providers, including telecoms and internet service operators, must take ‘appropriate measures’ to safeguard the security of their services. What is considered appropriate depends on the risks being safeguarded against, the technology required and any associated costs.
At the very least, measures must:

• ensure that personal data can be accessed only by authorised personnel for authorised purposes
• protect personal data stored against accidental or unlawful destruction, loss, alteration or disclosure
• ensure the implementation of a security policy for data processing

For service providers, PECR breach reporting requirements override the equivalent rules set by the GDPR and the Data Protection Act 2018. The PECR define a personal data breach as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

Service providers in the UK are required to notify the Information Commissioner’s Office (ICO) of a personal data breach within 24 hours of becoming aware of the essential facts. If the breach is likely to adversely affect the privacy or personal data of individuals, those individuals must also be notified ‘without unnecessary delay’.

Notifications must include the date and times of compromise and detection, alongside basic details on the nature and scope of the breach and the personal data affected. Any affected individuals must also be notified of the likely impact and the measures being taken to address and mitigate the risks.

The ICO and PECR enforcement

The ICO offers advice and guidance to promote compliance best practice, but in order to deal with organisations that fail to comply with the rules, it also has a range of enforcement powers. These range from the performance of compulsory audits to criminal proceedings.

Service providers may receive audit requests at the will of the ICO, based on their perceived level of risk. Participation is voluntary, but organisations that fail to respond could be subjected to a compulsory audit.

Audits themselves involve a combination of off-site checks and on-site reviews to identify whether service providers have taken appropriate technical and organisational measures to safeguard the security of the public electronic communications service they provide. The results of PECR audits are published online and include observations and recommendations for improvement.

The maximum fine a non-compliant organisation can receive is £500,000. Fines can be issued not just against organisations but also against directors, and sanctions under the different standards are not mutually exclusive, meaning the most egregious offences can result in both GDPR and PECR fines.

High-profile examples of PECR fines include retailer Morrisons, manufacturer Honda and airline Flybe, which were fined £10,500, £13,000 and £70,000 respectively for sending mass emails to contacts who had previously opted out of marketing communications.

How Redscan can help

Redscan is an award-winning provider of managed security services, helping organisations to better understand and minimise their cyber security risk in line with PECR, GDPR and other compliance requirements.

Our range of offensive security services, including penetration testing and red team operations, is designed to help organisations improve their security posture by identifying and addressing vulnerabilities before they can be exploited maliciously.

ThreatDetect™, our Managed Detection and Response service, combines world-class CSOC expertise, the latest detection technologies and aggregated threat intelligence to help organisations hunt for, detect and promptly report breaches.
