PECR Amendment: Personal Liability for Directors

PECR amendment personal liability directors

As noted in DPAS’s January Update, PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) is likely to have a replacement in the new year. This new law, the E-Privacy Regulation (ePR) is in draft status and so for now, PECR still applies.

PECR was amended recently and on 17th December 2018, a small but significant insertion in Schedule 1 came in to force, that creates personal liability for senior members of an organisation that breach PECR’s rules.

Where an organisation has been served a monetary notice under PECR for breach of marketing requirements, the ICO may now also serve a monetary notice on an officer of the body corporate, where the contravention (a) took place with the consent or connivance of the officer, or (b) was attributable to any neglect on the part of the officer.

Here an officer should be taken to mean a director, manager, secretary or other similar officer of the body, or person purporting to act in such a capacity. In essence then, the decision makers, the partners, the controlling members.

This is significant because directors can no longer use the corporate veil to protect themselves against liability or simply wind up a company and set up a similar one a short time later, to avoid payment of the fine.

Whilst “connivance” might be an old-fashioned word, negligence is not so narrow, and directors therefore are likely to want to pay tight attention to their marketing practices, so as to ensure they stay on the right side of the law.

Sign up for our newsletter for the latest in Data Protection. We’ll bring you updates on this potential PECR replacement as they happen.

related posts

Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation