Firstly - what is PECR?
PECR is the Privacy and Electronic Communications (EC Directive) Regulations 2003. They are the main rules that affect direct marketing, in particular telemarketing and electronic marketing. So, if you are looking to drive sales via phone or by email, text or automated calling, you need to be aware of the rules.
The regulations tell us when we can contact potential customers via phone and when we can’t - and we need to abide by the requirements of the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) for business calls. We need to understand how to operate a DNC (‘Do Not Call’) or suppression list and that certain sectors are prohibited from making cold calls at all.
Likewise, if we are looking to make contact with new clients through email or SMS, then we need to understand that consent is required to do so. That is the higher standard of consent which came in with the GDPR.
The ICO explained
Failure to abide by the rules has always been a dangerous game to play, as it can bring the Information Commissioner’s Office (ICO) to your door with formal enforcement action. They begin by doing a thorough investigation into what marketing activity you have been doing and why it may have fallen foul of the rules.
The ICO essentially police the direct marketing laws, in particular, PECR. They will ask a lot of questions as part of their investigation, which includes things such as where you purchased your data from, how many messages you sent or calls you made, what contracts were in place, what due diligence was done and so on.
They also want to know what policies and procedures you put in place to comply with PECR and what staff training you have done. Failure to satisfy them that you have paid attention to such matters is usually seen as an aggravating factor when the ICO are deciding whether to fine the company and determine the level of fine. It also reflects badly on the directors, who may also face personal fines for the breaches.
What are the current penalties for a breach?
Fines range hugely depending upon the scale of the breaches, the seriousness, the aggravating and mitigating factors, the response to the investigation and the size of the business. For many companies, the fine is not such a threat as it is limited to a maximum of £500,000, which can be reduced through early payment.
However, it does cause serious damage to the company’s reputation, which many fear. The ICO publish their enforcement action and decisions on their website, which they then share through social media, such as LinkedIn posts.
The law is set to change…
However, change is afoot. The fines are going to increase dramatically with the introduction of the Data Protection and Digital Information Bill.
The new law, which is currently making its way through Parliament, makes a number of significant changes to our data protection laws, including changing the ICO to the Information Commission. However, one of the most significant changes is that it will amend the size of the potential fines available for breaching PECR, which will increase to a whopping £17.5 million! This is in line with the GDPR and is not to be taken lightly.
It is unclear when the new law will be enacted, but it is coming and will be here before we know it.
So the best advice is to prepare, prepare, prepare!
If you are doing any outbound marketing, you really need to consider where it lies within the rules, in particular, PECR. Are you direct marketing? If you are, then you really must think about how compliant your business model is and whether you are working within the rules. For example, is the data you are buying really TPS screened? Your supplier may well have told you it is, but have you checked - have you done any due diligence?
What training have you provided to your staff? If the ICO came knocking, would your sales team be able to explain what the telemarketing rules are and how they believe they are compliant? Would they be able to explain what ‘consent’ to direct marketing is?
The new law is coming, don’t get caught out!
If you need a helping hand in auditing your direct marketing processes ahead of the changes or feel your staff would benefit from training on the direct marketing laws, please don’t hesitate to contact me at andrew@andrewswanlaw.co.uk or on tel: 07907 308773.