Are you ready for the ePrivacy Regulation?

Business Insights
15/05/2019

We have all been focussed on becoming compliant with GDPR (The General Data Protection Regulations) which came into force last May. Many organisations will be breathing a sigh of relief and be congratulating themselves on compliance.


Sadly it will still not be “job done” as there have been a number of amendments to the regulations to say nothing of the imminent arrival of yet another new regulation on privacy which will need to be factored in, the ePrivacy Regulation. Originally intended to come into force alongside GDPR and to complement its provisions with special regard to electronic communications, various bureaucratic hiccups have delayed its implementation until later this year.


The ePrivacy Regulation will replace the ePrivacy and Electronic Communications Directive 2002, which was implemented in the UK in 2003, and last updated in 2009. The new regulation has ben introduced in response to the greater protection of personal data needed since electronic communications have become such an integral part of our daily lives.


The ePrivacy Regulation is government’s attempt to protect people’s online privacy. Not just a further facet of GDPR, but a separate regulation, ePR concentrates on protecting personal privacy (both for individuals and businesses) across electronic communications. Being a “Regulation” rather than a “Directive” means that the regulation will be legally enforceable across all member states of the EU.


The legislation stands in lex specialis to the General Data Protection Regulation, in other words, although the ePR will use the same definitions as GDPR, it will actually override GDPR on matters of data-privacy in the context of electronic communications.


Particularising and complementing the GDPR on any electronic communications data that qualifies as personal data, the regulation will apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing.


Allowing our preferences to be used to tailor marketing messages through cookies is something we are all familiar with and as we have been able to say “No” to these since May 2011 (The Cookie Law) we could be considered to have tacitly agreed to their use in this way if we haven’t opted out. However, many of us, oddly especially the young who have grown up in a culture where electronic communications are omnipresent, fail to appreciate quite how much sensitive personal data we broadcast; often unintentionally, particularly via social media and through sites we visit regularly. Think of Facebook, Skype, WhatsApp, Facebook Messenger, or even Internet TV services.


Social media allows almost unlimited access by an infinite number of people and organisations to everything you post, and providers a goldmine of personal information - your birthday, your age, whether you are at home or on holiday, where you live, went to school, your political opinions, the list is endless. Marketeers currently harvest and process this data often without our knowledge or consent with the result that a substantial amount of personal information is held on us as individuals of which we may be unaware, and therefore haven’t exercised our rights under GDPR to request it be deleted.


Factor in the BYOD (Bring your own Device to work) and it is easy to see how easily confidential business information can find its way into the wider world.


Such data should always remain confidential, and any interference with the communication of that data, either directly by a human or through automated processes, without the consent of the user, is prohibited by the regulation. Interference in this context can occur at any time during the transfer of that data or metadata, including during its transmission and at its destination. For example, listening to calls, scanning of electronic messages, monitoring of visited websites, and the monitoring of interactions between users all constitutes a breach of the regulation


As with the application of the UK's Data Protection Act and GDPR, any penalty is dependent on the scale of the incident and whether the breach of regulation was deliberate act.


Like GDPR, the ePR is highly unlikely to be affected by Brexit, especially given that the regulation covers technologies and communications that cross territories, the majority of businesses will have to comply even if they're based outside the EU.


In much the same way as the ICO is responsible for enforcing the UK's data protection laws, it will be similarly responsible for policing the ePrivacy Regulation, and so how it will go about that is still to be determined.


The exact details of the regulations and how they are to be enforced are still under discussion, but you can get up to speed by taking a look at the current draft proposal. However, it’s worth noting that the current proposal is not set in stone and there are likely to be amendments between now and when it comes into force. So, do keep track of all the latest developments.


Organisations are wasting resources by not being smart enough with customer data. Romax helps use the data more intelligently and produce more effective, joined-up customer communications. With Romax help you will make the most of the customer communications, maximising efficiencies to build trusted relationships that last. www.romax.co.uk