Now we have GDPR in hand (or not) … get ready for new ePrivacy regulations
The much-publicised General Data Protection Regulation (GDPR) has now been in force for nearly six months. The regulation gives individuals a greater level of control over their personal data, both online and offline, as organisations must now obtain consent for the use, sharing and storage of such information or be able to demonstrate a legal basis for holding and processing information within the rules. However, it is not the only new privacy regulation becoming part of EU law, with new rules on electronic communications following hot on its heels.
Those thinking that all of the data protection hurdles were duly jumped back in May and that it is time to settle into business as usual may need to think again. During the preparation for the implementation of GDPR, it was clearly established that digital ‘identifiers’ such as email addresses and IP addresses were captured under the new regulations and should be covered by a firm’s plans.
You may have more to do
Many mistakenly believe that they have therefore done all they need to do in respect of protecting electronic data. However, the upcoming ePrivacy regulations will bring with them an additional requirement around the right to confidentiality and data privacy on all electronic communications. This includes emails, texts, the internet, WhatsApp, Skype, online messaging, VoIP, the Internet of Things (IoT), apps, online advertising networks and telecommunications.
Sometimes known as the cookie law, because it governs the use of cookies on websites, the regulation will introduce new rules for communications content and communications metadata. These will mean that organisations must ensure the confidentiality of all electronic communications and prevent surveillance by third parties. Again, we will all have updated our website notices to include reference to the use of cookies. It remains to be seen what additional requirements concerning cookies may be in the new regulations.
The new ePrivacy regulation will replace the Privacy and Electronic Communications Directive 2002, and is expected to come into force sometime this year, with organisations likely to have a one-year transitional period to become compliant.
Although there is some overlap, the key difference between ePrivacy and GDPR is that GDPR covers the handling of personal data in all forms, while the ePrivacy regulation covers online communications more specifically.
ePrivacy will likely require additional compliance, and like GDPR, ePrivacy regulations will involve heavy fines.
Contact us for a review of your data protection position
The message is clear: if you are breathing a sigh of relief and hoping that the imperative to take action around data protection came and went with the 25th May deadline, then you need to think again. Even having everything lined up for GDPR is no guarantee that you will be covered for the new ePrivacy regulations.