The ePrivacy Regulation: a recruitment perspective

  • March 24, 2021

Data privacy compliance has been all about GDPR for the last few years. Now it seems that the ePrivacy Regulation is finally coming into force, so it’s time to switch focus. Here’s a brief update on the situation and a few ideas on how to prepare.

What is ePrivacy?

The ePrivacy Regulation is essentially an extension of the GDPR. Both were drafted to protect personal data, but ePrivacy specifically relates to personal online presence and activities. ePrivacy will address some limitations of the previous ePrivacy Directive and will extend data protection legislation to overlooked technologies such as the Internet of Things. Key aspects of the ePrivacy Regulation include changes to unsolicited marketing and use of cookies. For the former, marketers will now be unable to send emails, texts or social media communications to the user without their consent. For the latter, the rules surrounding cookie consent will be simplified (e.g., some cookies, such as those used for security, will be exempt from the consent ruling). 

ePrivacy has been in the works for quite some time, leading some to conclude that it might be scrapped due to repeated delays. However, a recent report from the European Council suggests we may finally see some movement, as the EU member states have agreed on a negotiating mandate for revised rules on ePrivacy — talks can now begin to develop the final text.

Lessons from GDPR

Given that the details of the ePrivacy Regulation have not yet been finalised, we can’t prepare for the specifics. However, considering the significant overlap between the ePrivacy Regulation and GDPR, we can glean insights from the latter. The announcement of GDPR resulted in soaring demand for analysts, consultants, project managers and DPO’s with a strong understanding of the legalisation. In fact, reports showed that the majority of businesses intended to hire permanent or at least temporary staff to handle the transition. GDPR also caused an explosion of specialist data protection officer (DPO) roles. 

Given the consequences of a GDPR infringement — up to a maximum of 4% of worldwide revenue or €20 million (about £18 million) — it’s hardly surprising that so many organisations took preparation seriously.

Despite this, the GDPR transition was hugely challenging. In the year after GDPR came into force, an estimated third of European businesses were still not GDPR compliant. In 2020, both the number and size of regulation breach penalties increased, and so far, penalties imposed by the EU total £242.5 million.

Preparing for ePrivacy Regulation

Like GDPR, hiring a DPO with a strong technical background will help you prepare for the ePrivacy changes. GDPR didn’t stipulate the exact qualifications for what made a good DPO, but emphasised experience and knowledge. DPO’s can be sourced externally or internally, but the latter can raise challenges as GDPR stipulates that the DPO must operate independently.

In larger companies, it’s vital that new regulations are understood across teams. For example, professionals working in Marketing will be particularly affected by the ePrivacy Regulation changes to unsolicited communication and cookies. Therefore, it’s crucial to hire data privacy experts with excellent communication skills, who are experienced at working with inter-departmental teams and are committed to spearheading data protection throughout the organisation.

Overall, the coming ePrivacy Regulation presents a challenge similar to that of GDPR a few years ago. Those who were well-prepared experienced minimal disruption and protected themselves from potentially staggering fines. Approaching the ePrivacy Regulation in the same manner is likely to have positive results.

If you wish to discuss this in more detail or your own firm plans, please reach out at your convenience.

Paul Geist, Head of Practice, Regulation, Compliance and Financial Crime
t: +44 (0)207 422 9030
m: 07791 806 434