Why is this all happening? In short, what is the point?
The overhaul of the current ePrivacy Directive (2002/58/EC) is, in the same manner as the GDPR, driven by the need to protect the rights and freedoms of EU citizens in today’s all-pervasive electronic communications environment. Since that directive in 2002, the world has completely changed in the sphere of electronic communications. An update is long overdue in order to take these new risk categories into account.
NB: The new PECR was supposed to come into effect at the same time as the GDPR (May 2018). This would have made a great deal of sense, but at the time of writing, “PECR2” has still to be definitively codified.
GDPR dealt with all this, didn’t it? How is the PECR different?
While the two regulations are closely linked and should be considered “companion pieces”, the easiest way to explain why there are two interlinked regulations is that PECR concerns itself specifically with communications, and the GDPR is, as the name suggests, ‘general’.
A lot of the talk around GDPR was concerned with promotional marketing messages and the ‘re-consenting’ supposedly required, which is actually very much in PECR territory. The new enhanced PECR rules will require organisations to consider even more types of communications data and modes of communication.
What kinds of communications data is in scope?
The ePrivacy Regulation’s requirements will encompass the obvious channels like email that have typically been examined pre-GDPR, but will now also address any other electronic communications platforms, from VoIP to myriad chat and collaboration platforms. And it is in this aspect that PECR will have its greatest impact on the financial markets community.
It is also highly significant that the PECR will also have in its scope any communications that are made without the intervention of human beings. So-called “Machine to Machine” or M2M communications include ‘Internet of Things’ endpoints like Home Assistants, but also could include the feed of an algorithmically-executed trade order. The metadata associated with the trade feed and any communications leading up to or following it will need to be treated with great consideration.
What should you be doing about it?
What this all proves is how necessary it is to have an ongoing proactive approach to compliance, rather than approaching things regulation by regulation. As ever with these new regulations, rather than just doling out fines in the expectation of perfection, regulatory bodies such as the ICO take into account what organisations have really done in order to prepare for the new laws.
Organisations must grasp the opportunity to understand their data assets more deeply. If the GDPR did not already lead you to carry out data lifecycle mapping and third-party due diligence exercises, then the time is now. Terms and conditions governing the relationships between your firm and third parties need to be evaluated and updated. There may also be some benefit in reviewing the privacy and confidentiality aspects of employee contracts in the light of the use of platforms such as WhatsApp.