While preparations for the GDPR dominate the headlines, it’s not the only change in the digital landscape.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – AKA the cookie law – currently sets out the rules on electronic communications, including nuisance calls and messages, cookies and the provision of internet or telecoms services.
GDPR and ePR have the potential to whip up serious disruption for organisations that breach the data protection and privacy rules. The ICO already enforce PECR on a regular basis; combined with the GDPR legislation, the penalties include hefty fines and criminal prosecution, as well as non-criminal enforcement and audit. An ICO audit will look at whether you have effective policies and procedures in place and whether they are being implemented. We can’t do much about ePR right now, but organisations can at least meet GDPR compliance and be aware of what awaits on the horizon.
Kate Armstrong, GDPR Fundamentals Practitioner
What is PECR?
PECR covers the collection and use of electronic data such as location, itemised billing, line identification and directory listings. These rights extend to companies as well as individuals. The ICO take these regulations very seriously and take decisive action for breaches. The quarterly list of enforcement actions on their website makes for cautionary reading.
PECR is already law and will remain in effect alongside GDPR. However, PECR is on the European Commission’s table for reform as a new ePrivacy Regulation aims to better protect people in the digital age. While GDPR is being finalised and scheduled for implementation on 25 May, the accompanying ePrivacy Regulation is still in the approval process, and its language could change.
According to i-Scoop in its article, The New ePrivacy Regulation: What you need to know (well worth a read if you’re interested in learning more about the subject), we can expect the ePrivacy Regulation to be applied no sooner than the second half of 2019.
ePR may not be our main focus of concern right now, but the two laws were designed to accompany each other. There are two laws because they are derived from two different rights in the European Charter of Human Rights. The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality. There is overlap between the two pieces of legislation. Get PECR right and you will be on track to comply with GDPR, and vice versa.
These regulations currently apply to electronic channels: website, telephone, email and SMS. Whilst these are particularly applicable to internet, mobile networks and telephone directory providers, PECR also applies to your business if you:
- market by phone, email or text
As a regulation, the ePR will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU.
What will the differences be?
The current draft proposal includes some headline changes:
- It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
- In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and Wi-Fi location tracking.
- It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
- It incorporates the GDPR’s two-tier system of fines of up to €20 million, or 4% of worldwide turnover, for breaches of some parts of the Regulation.
- It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer Wi-Fi access, as well as the traditional telecoms and internet providers.
- It would apply to organisations based anywhere in the world if they provide services to people in the EU.
The Interactive Advertising Bureau’s Alex Propes has said, in an interview with Barry Levine, that the ePrivacy Regulation “will likely require additional compliance”. For example, the current ePrivacy Regulation version dictates browser-level settings that take the control of personal data out of the hands of publishers, an approach that is not found in GDPR.
Gabriela Zanfir-Fortuna from the Future of Privacy Forum Policy council (also interviewed by Levine) suggested there might be some uses of personal data that are permissible under GDPR that are not under ePrivacy. She also made clear that, in the case of GDPR vs ePrivacy, ePrivacy will rule.
But it will be the same supervisory bodies in EU countries (the ICO for the UK) that will be enforcing both GDPR and ePR, so we should assume that they will try to make sense of any differences.
How can companies comply with two laws when one is not yet finished?
Once ePR is finalised – as with GDPR – the onus will be on you to be able to demonstrate the communication methods you use are compliant and secure and that you have policies and processes in place to keep information safe. “All you can do is comply with the law as written,” Propes has said, meaning that organisations can only comply with GDPR until the ePR is agreed.
Does your company meet the GDPR Fundamentals Standard?
There is no shortage of advice on GDPR, but if you want to take a more practical approach, Kate Armstrong, nesma Tutor and Blue Shadow Growth Agency’s Managing Director, is a registered GDPR Fundamentals Practitioner and recognised as a specialist in the new GDPR Fundamentals standard.
If you would like some practical help with GDPR, this 3-part programme of activity is ideal for you. The programme will help you understand your organisation’s legal duties, put a spotlight on any changes you need to make and ultimately ensure you reach the GDPR Fundamentals standard.
The GDPR Fundamentals standard* has been devised to assist organisations in their efforts to comply with the new data protection regulations. It offers businesses the opportunity to obtain external recognition of their GDPR management system and has been written using the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
There are three elements: the training, the audit and the certificate.
The Training will give you the knowledge to assess your organisation relative to the GDPR requirements, using a practical framework that will help you understand what it means to be compliant. Businesses will receive a GDPR Fundamentals attendance certificate from the accrediting body on completion of the 1-day training course.
The Audit, delivered in the form of a 2-hour survey carried out by an accredited GDPR Fundamentals Practitioner, will help you to assess your systems and policies against the demands of the GDPR Fundamentals standard.
The GDPR Fundamentals Certificate of Compliance is a recognised management standard for data protection compliance which immediately identifies that your organisation has been audited by an independent third party and that you can demonstrate compliance.
Find out more about the GDPR Fundamentals programme:
The 1-day training costs start from £395 + VAT per person.
Get more information about this course and the full programme by emailing firstname.lastname@example.org or calling Kate Armstrong on 07930 473 971.
This information is aimed at giving you a summary of current and emerging data protection and privacy regulations and guidance. It is not intended as legal advice and is not represented as such by the author or publisher. It is advised that legal counsel is sought to ensure compliance with legislation.
*QG Business Solutions is the Accreditation Body based in the UK.