2018 will most likely be known by many organisations as the 'Year of GDPR'. In the first half of the year everyone was talking about this four-letter acronym! There was a lot of fear, uncertainty and doubt about the topic, and yet when you looked closer the majority of concerns were focused on the need to gain 'explicit' consent for processing of data.
So I imagine you're pleased that this is nearly over and we can all get on with our lives... But wait, there is more to come.
Whilst the GDPR put more emphasis on organisations to be transparent and evidence how they process data, the need for Consent is nothing new. There is a regulation that has been around for 15 years called the 'Privacy of Electronic Communication Regulation' (PECR) and it is this regulation that sets out the rules that govern when and how we can communicate with data subjects.
If this is the first time you've heard of the PECR then you are already 15 years late to the party, and worse still the party is about to change.
What does PECR cover?
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR and give people specific privacy rights in relation to electronic communications. Specifically, these cover:
- website owners
- owners of apps that have electronic communication as a component
- natural or legal persons sending direct marketing communications
- telecommunications companies
- messaging service providers (WhatsApp, Facebook and Skype)
- internet access providers (e.g. a store or café providing open Wi-Fi access)
Noting that 15 years ago many of the means of communicating hadn't been invented, it's time for a change, and this change comes by the name of the 'ePrivacy Directive'.
Replacing the outgoing PECR, the ePrivacy Regulation will encompass modern communication services including WhatsApp, Facebook Messenger, Gmail and Internet of Things (IoT) devices.
To ensure confidentiality, the Regulation mandates that organisations must not store, monitor, scan or otherwise intercept the electronic communications data of their users without their knowledge or Consent.
Organisations must respect these preferences, giving data subjects more control over the way in which their movements are tracked online and ultimately removing the need to confirm consent for each individual website.
Just like the GDPR, ePrivacy will apply to any business that services EU-based end-users with an electronic communication service, uses technology to track online activity or conducts direct marketing online. The implications are clear: this is going to affect a lot of organisations.
For example, when it comes to marketing and advertising online, many organisations rely on customer analytics to inform their direct marketing communications but, under ePrivacy, they will have to secure prior consent before tracking behaviour and launching such communications.
When is this happening?
Currently there is no set date for the new Regulation to come into force. It was originally slated to be enacted in 2018, but 2019 and possibly even 2020 are now looking likely. So you've plenty of time, right? Wrong.
GDPR and ePrivacy – Stronger together
If you take a look at the enforcement notices and the fines that have been levied by the ICO, the vast majority are for infringements not of the GDPR or Data Protection, but for breaches of the current PECR. This is happening because the majority of complaints to the ICO are for nuisance emails and calls, and this is unlikely to change under the new regulation.
So there has been no better time to look closely at your PECR.
What you need to do now
It may sound like this is a long way off, but 2019 is just around the corner and even 2020 will soon be upon us. What needs to be done depends on your organisation and on what you have already done for the GDPR.
Remember that ePrivacy will not replace the GDPR; the two regulations are meant to coexist and complement each other. It is not the case that ePrivacy will totally change privacy rules so that GDPR-compliant companies have to start over again in 2019, so if you're confident of the work you have done for the GDPR then you should be in good shape. But ePrivacy will expand EU privacy laws.
If there were one piece of advice I would offer now, it is to review your lawful basis for processing, and where Consent is relied upon, you should be confident in evidencing that you are doing it correctly (i.e. have obtained Consent clearly). So having a GDPR-compliant method of obtaining consent in place already is a great way of preparing for ePrivacy.
If you are already confident about your GDPR practices surrounding Consent then you have very little to worry about. For example, if you rely on email marketing, you need to be confident that data subjects have opted in to this form of communication, and that you can evidence that this has taken place. But you're doing that now, right?
If you're concerned about ePrivacy it could be because you're not confident with your Consent processes, and that's something that needs to be addressed now, not in 2019 or 2020.
Written by Gary Hibberd, Managing Director of Agenci.
Agenci provide Cyber Security consultancy services and assistance on GDPR compliance