GDPR v PECR: The ICO multi-million pound enforcement
Since May 2021, the Information Commissioner’s Office (‘ICO’) have issued 37 fines for a total of £3.04 million to companies for nuisance calls and messages.
These fines fall under the Privacy and Electronic Communications Regulations (‘PECR’) and not the General Data Protection Regulation (‘GDPR’). This is an important distinction when thinking about ICO fines, because the ICO typically focus on PECR fines over GDPR. Given the number of fines issued, the figures suggest that it is mainly mid-tier SME businesses that have been subject to them.
The UK government have proposed, as outlined in the new Data Reform Bill proposal, an increase in fines for organisations that breach PECR, with the aim of preventing companies from contacting people for marketing purposes without consent. The proposal is that the ICO’s power to fine companies will increase from the current maximum of £500,000 to up to four per cent of global turnover or £17.5 million, whichever is greater.
Why is this important?
If you are a business that regularly calls customers and potential customers, you may want to consider your marketing strategy and how it may be affected by the change. Similarly, this is a testament to the increased powers that the ICO will have under the proposed new legislation.
As it stands, the ICO can only penalise organisations for calls that are answered; however, legislation outlined in the Data Reform Bill will allow them to take action over high volumes of unanswered calls. A key point here is that these calls do need to be reported before the ICO can take action. Therefore, while the fine increase is a step in the right direction, arguably it does not do enough to protect consumers.