Beyond GDPR: new EU ePrivacy Regulation

Forthcoming ePrivacy Regulation, hot on the heels of GDPR, means companies have even more to think about as they manage people’s digital information. The good news is that a flexible, systematic, and centralised platform for managing data allows companies to comply with both, says Consentric’s Karen Watson

The dust has barely settled on the EU’s General Data Protection Regulation (GDPR), with many companies still perfecting their plans for managing it, and already a further-reaching EU data privacy shake-up is looming. A substantially updated EU ePrivacy Regulation (ePR) is expected to come into effect in 2019.

The new Regulation on Privacy and Electronic Communications, part of the EU’s digital single market strategy, is designed to shore up privacy across all forms of electronic communications – from online messaging, phone and conferencing apps to devices connected over the Internet of Things (IoT).

The good news is that those organisations that opted for a flexible, systematic, and centralised approach to managing data for GDPR compliance need not start again. They should be able to absorb the latest developments within the same stream of work.

ePrivacy’s remit

So how does ePR fit with GDPR? Whereas the latter is concerned with people’s personal data, the new ePrivacy Regulation, proposed in January 2017 and now navigating the EU legislative process, safeguards the confidentiality of any data involved in electronic communications – and the devices it came from. It will protect the integrity of information, even if this isn’t personal data, ensuring that communications-based mobile apps or internet services, such as Skype, WhatsApp and iMessage, cannot be tapped into or recorded – certainly not without explicit permission from the individuals concerned.

In addition to new controls over web cookies that track people’s interactions with websites using computers, tablets and phones, the measures will affect the data collected by smart utility meters, health and fitness trackers, CCTV cameras, connected vehicles and more.

The new rules also cover metadata, i.e. contextual data about any data activity. This might include how many times a day a device connects and transmits data; the size of files being downloaded; and the time, date and location of data exchanges. Such information is invaluable to advertisers, marketers and retailers, but will need a lot of careful handling in future if companies are to stay within the rules.

There’s a handy at-a-glance EU factsheet about the new requirements under ePR to download here.

Preparing for the inevitable

Whatever the global reaction to this controversial digital clampdown, participants at the recent International Association of Privacy Professionals Global Privacy Summit agreed that the rollout of the new requirements was inevitable.

So, as with GDPR, this is something organisations need to prepare for. It’s important to note that where both are called into play, ePrivacy terms will take precedence over GDPR because of ePR’s more specialised remit. The financial consequences of non-compliance are expected to be the same (fines worth up to 4 per cent of global annual turnover).

Just as copying a 2018 privacy statement off a competitor’s website does not result in GDPR compliance, so crafting new wording on communications privacy will not suffice in meeting companies’ new obligations under ePR. As with GDPR, companies wishing to capture information about people’s digital activities will largely need to be able to show that they have secured express consent to monitor, record and process that data.

The reassuring news is that if organisations prepared for GDPR by adopting a central platform for obtaining consent for collecting and using personal data, they should already be in a good place for achieving ePR compliance. The key is the ability to govern and audit everything, and to be able to stand up to external scrutiny if challenged.

A final and important point to note is that, as with GDPR, the requirements around ePR are likely to evolve and change over time. This means that companies must take a long-term approach to managing them and keep abreast of developments as the new regulations are bedded in. If the two diverging sets of requirements can be brought together within a single management platform, so much the better.

Whichever way they go about it, organisations should start planning for ePR now – giving them the best opportunity to get this right first time, and to link this to existing work around GDPR.

* Consentric offers a comprehensive, evolving platform for managing data permissions in line with GDPR, which will also encompass ePR requirements as these are finalised in the coming months, enabling everything to be coordinated in one place. Discover more here.