A new law came into force on 17 December 2018 enabling the Information Commissioner’s Office (ICO) to hold company directors personally liable for breaches of the Privacy and Electronic Communications Regulations (PECR) by their company. This follows a government consultation earlier this year. The new law applies to corporate bodies and to charity trustees who are also directors of a charitable company.

PECR gives the ICO the power to fine company directors up to £500,000 for breaches of the Privacy and Electronic Communications Regulations. The ICO can fine the company, its directors, or both. It also allows the ICO to hold individual directors to account where a corporate body fails to pay a fine imposed by the ICO or is placed into liquidation, and even where the individual is no longer in a senior position (for example, because they have resigned).

What is PECR?

There has been no getting away from GDPR over the last year, but it is important that charities do not forget that they also need to comply with PECR, which sits alongside GDPR and the UK Data Protection Act.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 contain restrictions on the ability of organisations to make unsolicited marketing calls, emails, texts and faxes, even where the recipient is a business. Many organisations wrongly believe that if they are not contacting individuals and are only doing B2B marketing then they don’t need to worry, but this is not the case. The rules also apply even if you cannot identify the person you are contacting. For example, did you know that it is against the law to make marketing calls to numbers that have been registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS) without consent?

This is a complex area of law, and it is important to flag that if you carry out these types of marketing or fundraising activities then you need to familiarise yourself with your obligations under PECR.

What if I buy marketing lists?

If you buy marketing lists from third parties you still need to be very careful not to fall foul of PECR. The fact that you purchased the list from a third party will not exonerate you from your obligations, as the recent enforcement action from the ICO shows.

You should screen lists against the CTPS, the TPS and your own ‘do-not-call’ list of people who have previously objected to or opted out of your calls. The ICO guidance also indicates that you can only use marketing lists if all the people on the list specifically consented to receive that type of message from you; generic consent covering any third party will not be enough.

But what about GDPR?

GDPR does not replace PECR and sits alongside it, although it has changed the underlying definition of consent. The existing PECR rules continue to apply, but the new, higher GDPR standard of consent should be used.

This means that if you send electronic marketing or use cookies or similar technologies you must comply with both PECR and the GDPR.

What if I get it wrong?

In the last few months the ICO has taken enforcement action against several businesses under PECR in relation to nuisance calls. In October a company called Secure Home Systems (SHS) was fined £80,000 for making calls to numbers registered with the TPS, using call lists bought from third parties without screening them to check whether the numbers were on the TPS register. The ICO is ramping up its enforcement in this area, and the ability to hold directors personally liable is an interesting development.

The charity sector has not been immune from enforcement action by the ICO for breaches of data protection law. In April 2017 the ICO fined eleven charities for misusing information about millions of past donors to seek further funds. The Charity Commission is now assessing whether the trustees of those charities acted in accordance with their duties under charity law. The Charity Commission’s guidance to trustees on fundraising makes it clear that trustees need to understand and comply with the relevant data protection laws and requirements, so it is important that trustees are aware of their obligations under GDPR and PECR.