Examining the ICO's Revised Regulatory Approach to Electronic Communications Service Providers Under PECR

The ICO has announced an updated approach to regulating communication service providers, with a focus on reducing data protection compliance burdens and costs for businesses. Under Regulation 5A PECR, CSPs are required to notify the ICO within 24 hours of becoming aware of a personal data breach. The ICO has stated that they will use their discretion not to take enforcement action against CSPs under Regulation 5C PECR if they fail to comply with the 24-hour notification requirement in relation to such incidents, provided that they are still notified to the ICO within 72 hours of the breach. The ICO will continue to expect CSPs to report incidents that are likely to adversely affect the personal data or privacy of subscribers or users to the ICO within 24 hours, and failure to do so may result in the ICO taking regulatory action.