An overview of UK Data Protection Law

The UK GDPR, DPA 2018 and EU GDPR, and the ePR and PECR

What is data protection?

Data protection is about defending individuals’ personal information against destruction, loss, alteration, unauthorised disclosure or access, and ensuring it is processed fairly.

Organisations have a legal obligation to protect the personal information they hold and to ensure that it is used only for the purpose for which it was collected.

Which data protection laws apply in the UK?

UK organisations that process personal data must now comply with:

How your organisation must comply with the data protection legislation will depend on how you process personal data.


Other UK data protection and privacy laws

Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with the PECR (Privacy and Electronic Communications Regulations).

Non-compliance can lead to criminal prosecution, non-criminal enforcement, and monetary penalties of up to £500,000.

Learn more about the PECR


A brief history of the EU GDPR, UK GDPR and DPA 2018

Originally proposed by the European Commission in January 2012, the EU GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016.

It was published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it has applied to the processing of EU residents’ personal data since 25 May 2018.

In the UK, the new Data Protection Act received royal assent on 23 May 2018.

The DPA 2018 supplemented the EU GDPR by filling in sections the Regulation left to individual member states to interpret and implement. It also applied the GDPR provisions – or at least a “broadly equivalent regime” – to certain areas outside the Regulation’s scope, such as processing by public bodies.

Following Brexit, the EU GDPR’s requirements were combined with the DPA 2018’s “applied GDPR” to form the UK GDPR, which has applied in the UK since 1 January 2021.


The PECR and the ePR

The UK’s PECR enact the EU’s 2002 ePrivacy Directive (the ‘cookie law’), and set out the rules on:

  • Electronic communications, including marketing emails, faxes, texts and phone calls;
  • The use of cookies that track website visitors’ information;
  • The security of public electronic communications services; and
  • The privacy of end users.

If you market by phone, email, text, or fax, use cookies or compile public directories, the PECR currently apply.

The ePR is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the PECR.

The ePR aims to ensure more robust privacy in all electronic communications – including instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and the IoT (Internet of Things).

The extent to which its provisions will be enacted in the UK remains to be seen.

