Posted on Tue 11th Dec 2018 at 6:43pm
Lee Holloway, Director, FPL reviews GDPR 6 months on and the potential impact of ePR legislation
It's likely you've spent a huge amount of time in Q1 2018 reviewing, assessing, categorising and legally justifying the personal data your organisation used and shared, ensuring that that usage was clearly communicated to your data subjects and making sure that everything you were doing complied with two pieces of key legislation - the new GDPR (using data in general) and the existing, although revised, PECR (using data for marketing purposes). You will hopefully have learned about “legitimate interest” and that B2B marketing-based email was likely to be seen as legal, with opting-out for corporate bodies a good practice measure.
Well, six months on from GDPR Day and the torrents of poorly informed “we value your privacy” emails that circulated from April to June, the dust has settled and most people I speak with have reached a comfortable place. There have been ICO prosecutions and the dozen or so fines since May have been in the six-figure range; however, these have related in the main either to large, corporate-scale security breaches or wrongdoing, or to a handful of SMEs not complying with administrative requirements of general data law such as ICO registration, screening end-user prospects against the Telephone Preference Service or sending email to consumers without consent. And these ICO actions have not in fact required the GDPR as an instrument with which to prosecute, other existing legislation being sufficient.
Showlite and event sector suppliers and organisers I have worked with on data risk this year, and other B2B positioned clients outside of the events space, have generally found that their existing pre-GDPR practices were still legal post-GDPR and that their main tasks involved qualifying and documenting this on paper, improving transparency with data subjects and reviewing existing technological and procedural security measures. I’ve had the sense that, although nobody can claim to be perfect in this area (perfection is not the nature of any operational risk management) – the journey has not been as tough as was feared.
The elephant in the room
The previously mentioned PECR – the Privacy in Electronic Communications Regulations – the sister legislation to GDPR that says B2B direct marketing is legal without consent – is tabled to be replaced with new European legislation in 2019, the ePrivacy Regulations or ePR, and the current draft is about as contentious as this type of legislation gets.
Delayed from its intended roll-out alongside GDPR last May, the ePR is still to make it through the complex “Trilogue” negotiations between the European Commission, Council of the European Union and the European Parliament, but pressure to soften current drafts of the legislation has failed so far.
The Direct Marketing Association has put in writing to the European Parliament its concerns that:
- B2B electronic marketing communication, including one-to-one email introductions, would need consent under the proposed ePR just as B2C does currently
- That this failure to parallel GDPR’s “legitimate interest” justification for unsolicited B2B electronic marketing is uncompetitive, favours large business, does not factor in the context or benefits of the communication to the data subject and, as such, does not reflect GDPR’s risk-based approach and limits awareness of innovations that a data subject would not seek out for themselves.
A DMA survey of marketers found that more than a third felt that mandatory B2B opt-in to receive email was their biggest legislative concern and over a quarter were similarly concerned about an imposed B2B telemarketing opt-in. As an operational risk practitioner, I think it’s quite startling that these rules have the potential to be enforced in the UK. It’s difficult to see how the majority of B2B enterprises would be able to function if they weren’t allowed to pick up the phone to a prospect or send an introductory email.
We will have to watch this space.