An Overview of UK Data Protection Law

The GDPR, DPA 2018, PECR and ePR

What is data protection?

Data protection is about defending individuals’ personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and ensuring it is processed fairly.

In the UK, data protection is governed by the EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018.

The DPA 2018 supplements the EU GDPR rather than enacting it, so the two laws should be read together.

All organisations in the UK that process personal data must comply with these two data privacy laws or risk fines of up to €20 million or 4% of annual global turnover. 

How your organisation must comply with the data protection legislation will depend on how you process personal data. For instance, you might need to appoint a data protection officer.


Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with the PECR (Privacy and Electronic Communications Regulations).

Non-compliance can lead to criminal prosecution, non-criminal enforcement and monetary penalties of up to £500,000.


In the UK, data protection and privacy law is regulated and enforced by the ICO (Information Commissioner's Office).

Personal data is defined in the DPA 2018 and EU GDPR as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Special categories of personal data (sensitive data) include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” and “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.

Processing is any operation or set of operations performed on personal data (for example collection, storage, use, disclosure, erasure or destruction).


Free brochure download: Data privacy and protection solutions

Learn how IT Governance can help your organisation comply with privacy laws and implement a PIMS (privacy information management system). Take an integrated approach to tackling your privacy risks and regulatory compliance requirements.

Find out how we can help you meet your data privacy compliance needs by downloading our free privacy brochure.


A brief history of data protection law in the UK: The Data Protection Directive 1995 and the DPA 1998

The UK Data Protection Act 1998 enacted the provisions of the EU's Data Protection Directive 1995 (Directive 95/46/EC).

Among other stipulations, it set out eight data protection principles to ensure that personal data was:

  1. Processed fairly and lawfully;
  2. Obtained and processed only for specific and specified purposes;
  3. Adequate, relevant and not excessive;
  4. Accurate and up to date;
  5. Not retained for longer than necessary;
  6. Processed in accordance with the individual’s rights;
  7. Held with appropriate levels of security; and
  8. Not transferred outside the EEA (European Economic Area) without adequate levels of legal protection.

Organisations found to be in breach of the DPA 1998 could be fined up to £500,000 by the ICO.

The Data Protection Directive 1995 and all EU member state laws derived from it, including the UK DPA 1998, have now been superseded by the EU GDPR and, in the UK, the DPA 2018.

The difference between EU regulations and directives

The EU has two primary types of legal instrument that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU but leave the actual implementation down to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR (Regulation on Privacy and Electronic Communications, or ePrivacy Regulation) and the EU GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

The EU GDPR and the DPA 2018

Originally proposed by the European Commission in January 2012, the EU GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016.

It was published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016.

Following a two-year transition period, it has applied across the EU since 25 May 2018.

In the UK, the new Data Protection Act received royal assent on 23 May 2018.

This law supplements the EU GDPR by filling in sections the Regulation left to individual member states to interpret and implement.

It also applies the GDPR provisions – or at least a “broadly equivalent regime” – to certain areas outside the Regulation’s scope, such as processing by public bodies.


When the UK is no longer subject to EU law at the end of the Brexit transition period, the provisions of the EU GDPR will be combined with the DPA 2018’s “applied GDPR” to form a UK data processing regime called the UK GDPR.


The PECR and the ePR

The UK’s PECR enact the EU’s 2002 ePrivacy Directive (the ‘cookie law’), setting out the rules on:

  • Electronic communications, including marketing emails, faxes, texts and phone calls;
  • The use of cookies that track website visitors’ information;
  • The security of public electronic communications services; and
  • The privacy of end users.

If you market by phone, email, text or fax, use cookies or compile public directories, the PECR currently apply.

The ePR is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the PECR.

It was initially intended to come into effect alongside the GDPR on 25 May 2018, but is now unlikely to take effect until 2022.

The ePR aims to ensure more robust privacy in all electronic communications – including instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and the IoT (Internet of Things).


How IT Governance can help you comply

Let us support you on your journey to compliance with our range of bestselling data protection products and services.
