Are UK Businesses Ready for Big Changes to Personal Data under ePrivacy?

Bob Dylan sang about ‘The Times They Are a-Changin’ and that perfectly sums up the UK business sector at the moment. With the change in Government and Prime Minister, and the dilemma of Brexit still looming, UK businesses could be forgiven for wondering just where this is all heading.

Equally there are big changes afoot when it comes to the question of personal data usage in the business environment. GDPR has already tightened the use of customer data and enforces the right to be ‘forgotten’, causing a flurry of panicking businesses and virtually a new industry of ‘experts’ on the subject.

However, the forthcoming EU ePrivacy Regulation will supplement this and potentially could bring some of the biggest changes to UK workplace communications since the BYOD (Bring Your Own Device) revolution.


ePrivacy Regulation will usher in new protection of personal data that is likely to surpass GDPR. However, something which many UK businesses may not have thought about is how the legislation will affect the use of personal communications in the workplace.

Inevitably a degree of personal data (such as website cookies and metadata) along with communications (emails via work IP connections etc.) are stored by businesses, and tighter ePrivacy Regulations will have to be adhered to. This could be emails or IM sent via business systems, or cookies/metadata saved on a browser; in fact, the business has a responsibility under the regulations for any other personal details or data that pass through its systems.

Challenges and risks

So, what’s the problem? On the face of it this seems fairly straightforward, but imagine the scope for a large business – how do you reliably and easily separate personal data from business data?  

Employees (and ex-employees) can already make Data Subject Access Requests (DSARs) and GDPR allows 30 days to respond to them, but figures from a Talend report in September 2018 found that 70% of businesses are unable to comply with DSARs within this timeframe.

ePrivacy is designed to enforce this still further and could potentially mean big fines for non-compliance. As the big recent fines for British Airways and the Marriott hotel chain show, the UK Information Commissioner’s Office (ICO) is happy to flex its muscles when it comes to enforcing legislation.


We have all seen a blurring of the lines when it comes to personal and business communications. Take your smartphone for instance, what percentages of data are personal and business related? Could you filter between the two? If the smartphone belongs to the business, it is even more complicated!

As an example, consider what happens if work-based communications are conducted over personal communications channels (such as WhatsApp). The business will need to keep records for compliance, but inevitably these communications also hold personal data. This is perhaps less of a problem whilst the employee is still working for the business, but what happens when they leave?

When anyone is employed by a business, inevitably their personal data will be processed on some level. Even appearing in business-related photos constitutes a record of your likeness and there could be complications if this continues to be used once you leave.

Ban on personal data on work systems

One approach, albeit an extreme one, is to ban personal eComms from the workplace and any business systems (including smart devices).

Whilst not impossible, this would be impractical for many employees. It would certainly mean a return to carrying multiple devices for many people, turning back the clock to before BYOD and its considerable benefits in terms of convenience, flexibility and cost savings. 


With the UK’s change of Government and its relationship with the EU still uncertain before the Brexit situation is resolved, businesses still have much uncertainty to deal with.

There is a chance that ePrivacy rules won’t be directly adopted in the UK (although past experience suggests this is unlikely), but they will still apply to EU citizens, who are likely to represent a big percentage of customers for many UK businesses, and also to any workers for the business who are based in EU territories (which could be very interesting for businesses based in Northern Ireland, for example).

Realistically, UK businesses will have to deal with the processing and storage of personal data at some stage and it stands as a reminder that they will need some kind of robust and reliable RegTech (Regulatory Technology) solution to maintain the flexibility of their data systems whilst ensuring they avoid the potential wrath of the ICO.

Shiran Weitzman