So, you’ve heard about the GDPR…

You think you’ve got the GDPR covered? Data mapping? Check. Privacy notice updated? Check. Data Processing Agreements signed? Check. That’s great to hear, but did you hear, there’s a new kid in town? The GDPR’s bigger brother. Having recently attended a talk on ePrivacy, led by Chiara Rustici, GDPR analyst and author of several reports on the regulation of the data markets, it’s clear that data protection is becoming the next big thing for business.

Meet the ePrivacy Regulation

The ink is not yet dry on this regulation, so we are limited in what we can say, but we can tell you what it aspires to be. On 13 March 2018, the EU Council met to discuss the EU Commission’s original proposal. The EU Parliament amendments to the original Commission draft are already known, but we are now awaiting for a compromise text, which both Parliament and Council can agree on. We do not know when a final version will be published.

Why do we need another regulation relating to data protection?

The GDPR does not consider metadata or the privacy of communication about or between legal entities. Metadata? A set of data that describes and gives information about legal entities i.e. registered businesses, or about data subjects. Or let’s just say people like you or me.The ePrivacy Regulation aims to respect the confidentiality of communication between natural persons and legal persons. It is aimed squarely not just at telecommunication content data, but at telecommunication metadata.

Why is metadata so important?

Communication data; be it content data or metadata, is extremely important as it can reveal sensitive aspects of an individual’s personal life, for example, their sexual orientation, philosophical, political and freedom of expression.

“I don’t work in telecommunications, so it won’t affect me”

This regulation isn’t just applicable to those working in telecommunications, it applies to pretty much every business that communicates digitally with their clients. So. if your business emails its clients with special offers and promotions (who doesn’t?), then this Regulation will apply to you.

The ePrivacy Regulation will apply to:

  • electronic communication network providers;
  • electronic communication service providers;
  • anyone making publicly available directories of end-users of electronic communications;
  • anyone sending direct marketing via electronic communication; and
  • anyone placing on the market software enabling interpersonal communications.

It’s got muscles too!

So we referred to the ePrivacy Regulation, as the GDPR’s bigger brother. And that, essentially is what is meant by saying it’s a Lex Specialist to the GDPR. In effect, if something is covered by both regulations, then the ePrivacy’s rules trump those of the GDPR. In essence, what is stipulated in the ePrivacy Regulation will overrule what is stated in the GDPR. So if requirements are more stringent in the ePrivacy Regulation, then they must be followed.

Let’s talk consent

For those tackling the GDPR, the issue of consent has been talked about a lot. We mean, a lot! But, consent isn’t the only reason you are allowed to process data under the GDPR, in fact, there are five other lawful reasons for processing data. Yet consent, however, is a biggie in the ePrivacy Regulation.In the GDPR, consent must be clear, written in simple English and explicit. It cannot be conditional or incentivised. Under the European Parliament version of the ePrivacy Regulation, however, service providers that store and process metadata will be asked to seek consent at a granular level:

  • Consent to track behavioural advertising.
  • Consent to track for personalised content.
  • Consent to track for analytical purposes.
  • Consent to provide personal dataWe imagine Facebook and their counterparts are literally sweating right now.

ePrivacy is still being written

This Regulation is still in draft format, so no doubt there will be more amendments brought to the Council before it is formally established.The important point to take from this is that data of any kind has the potential to be gold, but should also be handled with extreme care. Review what you hold on data subjects and ask if it is really necessary and adds potential value to your businesses bottom line, but is used in the context that adds value to your clients in terms of service levels, experience or quality. Consider the tools you use to communicate with your clients and the partnering tools you subscribe to.Big changes are afoot for the message to message service providers (M2M), social media platforms, browsers, apps and other digital tools. But this Regulation will no doubt touch business from all industry, scope, size and location.

It’s not over when the May deadline arrives, it’s just the beginning

While everyone is focusing on getting their data ducks in order for the 25, May deadline, it seems with the launch of the ePrivacy Regulation, this is just the beginning of our journey. Be aware that you may need to further adapt your processes, policies and practices and make your people aware that change could be iterative and not conclusive.



Create a culture that enforces good data protection practice in your organisation.

We do cultural change

GDPR, ePrivacy – these regulations will change the way you do things. Depending on the nature of your business and the data you store and handle, their enforcement could instigate transformational change in your organisation. Creating a culture that positively reinforces the importance of data protection is not an easy task. We can help you to drive your people and your organisation towards a successful transition. For more information, click here.