What happens if we don’t comply?

In detail

The ICO’s aim is to ensure organisations comply with the law. In cases where organisations refuse or fail to comply voluntarily, the ICO has a range of options available for taking formal action where this is necessary.

Although the GDPR gives the ICO enhanced powers, the enforcement regime for PECR remains that which was in effect under the 1998 Data Protection Act — except where personal data is processed.

Where formal action is considered, any use of formal regulatory powers would be assessed in line with the factors set out in the ICO’s published Regulatory Action Policy. For example, an organisation may refuse to take steps to comply, or may have been involved in a particularly privacy-intrusive use of storage and access technologies without telling people or obtaining consent.

More guidance on the circumstances in which the Information Commissioner will use enforcement powers, including what is considered a ‘serious infringement’, can be found in the ICO's Regulatory Action Policy and associated guidance.

The Regulatory Action Policy makes clear that any formal action must be a proportionate response to the issue it seeks to address and that monetary penalties will be reserved for the most serious infringements of PECR.