With headline-making fines and daily news on the continuing effects of Brexit on data protection, the GDPR is hard to ignore these days. Most companies are aware of what they need to do to comply with the GDPR, and an increasing number are taking action. However, UK companies must also adhere to another privacy regulation. It may not get as much attention as the GDPR, but it is still in effect, and the Information Commissioner’s Office (ICO) continues to levy fines for data breaches caused by non-compliance.
The Privacy and Electronic Communications Regulation, or PECR, is the other piece of legislation.
What is the difference between GDPR and PECR?
PECR and the UK’s implementation of the GDPR each derive from a separate European privacy measure, and organisations must comply with both. To make compliance with the two sets of rules simpler, PECR has adopted the GDPR’s concept of valid consent. PECR was last revised in early 2019 to address some of the GDPR’s grey and incomplete areas.
Although the two regulations are meant to complement each other, there are a few main differences between the GDPR and the PECR:
- PECR, unlike the GDPR, applies to organisations as well as to individuals.
- PECR applies even if you are not processing personal data, and its marketing rules apply even if you cannot identify the person you are contacting.
- A violation must be reported within 72 hours under the GDPR. PECR has a much shorter time limit, just 24 hours.
Who is required to follow the PECR?
If you are a non-UK or non-EU company doing business in the UK, you may be wondering whether you have to follow the UK’s privacy laws. In a nutshell, the PECR applies to non-UK and non-EU companies that do business in the United Kingdom.
If your goods, services, or ads are directed at citizens in the United Kingdom, you must comply with the PECR and GDPR.
This applies even if the organisation has no physical presence in the United Kingdom or the European Union; the rule comes from the GDPR itself, which sets out its territorial reach in Article 3.
You may also need to nominate an EU Representative if you’re based outside of the UK.
What will the ICO do to enforce the PECR?
The ICO has several powers for changing the behaviour of anyone who breaches the PECR, including criminal investigation, non-criminal compliance action, and audit. The Information Commissioner may also serve a monetary penalty notice on the organisation or its directors, carrying a fine of up to £500,000.
These powers are not mutually exclusive; the ICO combines them when the situation calls for it.
How will Teceze assist you in achieving compliance?
Our independent PECR Audit service shows you how compliant you are with the PECR. The audit covers:
- PECR awareness within the organisation, how risks are managed, and the accompanying documentation.
- The security measures in operation, such as access restriction.
- How data subjects’ rights and privacy notices are handled.
- Staff training.
- Mechanisms for data transfer and third-party processors.
- Your ISMS (Information Security Management System), including testing and frameworks, as well as your breach response procedures.
We will identify areas of non-compliance and provide you with a report to help you take corrective action.
PECR stands for Privacy and Electronic Communications Regulation, which is a part of the European Union’s ePrivacy Directive…