PECR Audit program

PECR | Seers Article

PECR stands for Privacy and Electronic Communications Regulations. Its complete title is “The Privacy and Electronic Communications (EC Directive) Regulations 2003”.

The Regulations were promulgated by the UK Parliament; they implement European Directive 2002/58/EC, which is also known as “the e-Privacy Directive”.

More specifically, privacy rights in electronic communications are set out by the e-Privacy Directive. It also complements the General Data Protection Regulation (GDPR).

It has been observed that broad access to digital mobile networks and the internet has brought about a myriad of possibilities and opportunities for businesses and users.

At the same time, it has also increased privacy risk and cybercrime.

Alterations and clarifications

PECR has been amended many times in recent years. In 2018, it was changed to ban cold-calling of claims management services and to halt the violation of marketing rules.

In 2019, the sole purpose of the alteration to e-Privacy was to ban cold-calling of pension schemes in certain circumstances. The latest version of PECR was launched on 9 January 2019 to cover the flaws within the GDPR, which was enforced on 25 May 2018.

As for the current status of PECR, the EU is endeavouring to produce a new e-Privacy Regulation to replace the old one and sit alongside the GDPR. But the new Regulation is not yet agreed.

A link to review the amendments that took place in 2004, 2011, 2015, 2016, 2019 and 2019 is available in the ‘what we do’ section of our website.

Areas which PECR covers

PECR encourages marketing through electronic mechanisms such as calls, texts, emails, and faxes. E-privacy also covers technologies like cookies and the use of cookies.

These technologies track information that has been accessed on an electronic service or a website. The security of public electronic communications services also comes under PECR.

Customers’ privacy when using communication networks or services, in respect of traffic and location data, itemised billing, line identification services, and directory listings, also falls under PECR.

Certain PECR rules apply to specific organisations, especially those that provide an electronic communications network or service. But the terms and conditions vary if you are not on a network.

  • marketing by phone, email, text or fax;
  • using cookies or similar technology on your website;
  • compiling a telephone directory (or a similar public directory).


How PECR fits with GDPR

Both perform their own functions. The GDPR has not replaced PECR, but it changes the underlying definition of consent. The rules that exist within PECR still apply, but by the GDPR’s standard of consent.

This means that if you are involved in any use of cookies, electronic marketing or similar technologies from 25 May 2018 onwards, you must comply with both PECR and the GDPR.

Both work towards the same end, which is to protect the privacy of a person. If your standards comply with GDPR then they must also comply with PECR. Nevertheless, there are specific differences that need to be adhered to under both these regulations.

No matter how you are processing your data, PECR will still apply to this processing. For example, companies are protected under multiple rules, and so are individuals. Likewise, the marketing rules apply whether or not you can identify the person you are in contact with.

As a service or network provider, you should know the rules and regulations associated with GDPR and PECR. Article 95 of the GDPR stipulates that the GDPR does not apply where the PECR regime already exists.

This is to avoid duplication, and it further means that, as a service or network provider, you have to adhere to PECR rules. These rules apply to security and security breaches, traffic data, location data, itemised billing, and line identification services.

The question that arises here is: are there any exemptions? Yes, some of the rules have built-in exemptions.

Moreover, some other general exemptions can apply for national security, law enforcement or compliance with other law.

PECR “privacy” refers to the privacy laws and regulations under the PECR. 

PECR itself stands for the Privacy and Electronic Communications Regulations, which is the short form of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

They are derived from European law. They implement European Directive 2002/58/EC, which is also known as the ‘e-Privacy Directive’.

The PECR “privacy” entails privacy provisions for data subjects and the organisations collecting data to enhance the privacy of individuals online through the use of better cookie policies, web banners and more. Privacy and Electronic Communications Regulations include:

  • Policies regarding marketing communication
  • Use of information for market research 
  • Guidelines for the providers of electronic communication services
  • Ensuring customer privacy online wherever possible

Pros:

  • Allows a better assurance of the privacy of individuals.
  • Helps in the provision of a basic guideline to marketers and businesses on what can and cannot be done under the law
  • Limits the scope of unwanted communication
  • Allows restriction of communication that an individual chooses not to adhere to

Cons:

  • Does not apply to individuals outside of the EU’s jurisdiction
  • Needs understanding and policy enforcement in each organisation

Does a PECR compliance audit help?

If you provide your customers with a service, whether telecom or internet, then you must conduct an inspection of your current security measures.

This PECR audit will identify any gaps in your organisation’s security policies by examining the policies and procedures you have in effect and the extent to which you follow them.

The audit provides a general view, plays a vital role for many organisations, and helps them understand and meet their obligations. Inspections are needed when the level of risk increases.

As a service provider, if a company selects you and sends you an invitation for audit, your immediate response will create a good impression. But if you do not respond, or delay your response, this tardiness will encourage them to carry out an enforced mandatory examination. They will then conduct an off-site inspection of your security procedures, policies, and practices.

Later on, you will be given a comprehensive report and executive summary. You will be allowed to ask any questions regarding the audit if you find any action of the team, or any of their recommendations, incomprehensible.

PECR and the Information Commissioner’s Office (ICO)’s enforcement action

When anyone tries to breach PECR, the ICO immediately takes action. These actions include criminal prosecution, non-criminal enforcement, and audit.

For example, if anybody gets caught, the ICO will issue a monetary penalty notice. This means enforcing a fine of up to £500,000, which can be issued against an organisation or its directors.

Electronic communications

PECR does not define “electronic communications”; however, with the help of specific concepts and definitions, specific rules are applied in different ways.

There are rules for everyone and everything, whether marketing messages, service providers or, lastly, communication providers. Each rule is applied to its own aspect and works accordingly.

Nevertheless, the single concept of electronic communications strengthens the regulation.

In other words, it includes the sharing of information between particular parties by using a phone line or internet connection, including phone calls, faxes, text messages, video messages, emails, and internet messaging.

General information, such as the content of web pages or broadcast programming, is excluded from this.

Public electronic communications network

The idea of a public electronic communications network was first discussed in section 151 of the Communications Act 2003.

It was defined as “an electronic communications network provided wholly or mainly to make electronic communications services available to members of the public”.

Whereas, in section 32, it was referred in several points,