United Kingdom
Select regional store:

Data Protection

UK data protection law: the GDPR, DPA 2018, PECR and ePR

The EU GDPR (General Data Protection Regulation) and DPA 2018 (Data Protection Act)

The EU GDPR (General Data Protection Regulation) superseded the EU Data Protection Directive 1995 and all member state law based on it on 25 May 2018.

The UK DPA (Data Protection Act) 2018 came into force at the same time, modifying the EU GDPR by filling in sections that were left to individual member states to interpret and implement.

The DPA 2018 also applies “a broadly equivalent regime” – which it calls “the applied GDPR” – to certain types of personal data processing that fall outside the EU GDPR’s scope, including processing by public authorities. It also sets out data processing regimes for law enforcement and intelligence purposes.

Because the DPA 2018 supports the EU GDPR rather than enacting it, the two laws should be read together.

After Brexit, the government plans to combine the provisions of the EU GDPR with the applied GDPR to form a data processing regime called the UK GDPR.

Find out what will happen to data protection law in the UK after Brexit >>

A brief history of data protection law in the UK

The Data Protection Directive 1995 and the DPA 1998

The DPA 1998 enacted the provisions of the EU’s Data Protection Directive 1995 (Directive 95/46/EC) in the UK.

Among other stipulations, it set out eight data protection principles to ensure that personal data was:

  1. Processed fairly and lawfully;
  2. Obtained and processed only for specific and specified purposes;
  3. Adequate, relevant and not excessive;
  4. Accurate and up to date;
  5. Not retained for longer than necessary;
  6. Processed in accordance with the individual’s rights;
  7. Held with appropriate levels of security; and
  8. Not transferred outside the EEA (European Economic Area) without adequate levels of legal protection.

Organisations found to be in breach of the DPA 1998 could be fined up to £500,000 by the ICO (Information Commissioner’s Office).

The Data Protection Directive 1995 and all local laws derived from it, including the DPA 1998, have now been superseded by the EU GDPR.

The EU GDPR and the DPA 2018

Originally proposed by the European Commission in January 2012, the EU GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it has been enforced in all EU member states since 25 May 2018.

In the UK, a new Data Protection Act was also enacted in May 2018 to supplement the EU GDPR by filling in sections of the Regulation that were left to individual member states to interpret and implement, and applying its provisions – or at least a “broadly equivalent regime” – to certain areas outside the EU GDPR’s scope.

Under the EU GDPR, data subjects also have the right to lodge a complaint with the supervisory authority (the ICO) if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.

On top of this, the ICO has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2f) of the EU GDPR) – i.e. it can effectively shut organisations down altogether.

Both the EU GDPR and the DPA 2018 are backed by a regime of considerably higher penalties than the DPA 1998, with administrative fines of up to €20 million (about £17 million) or 4% of annual global turnover – whichever is greater.

Find out more about the EU GDPR >>
Find out more about the DPA 2018 >>

The PECR and the ePR

The UK’s PECR (Privacy and Electronic Communications Regulations 2003) enact the EU’s 2002 ePrivacy Directive (the ‘cookies law’), setting out the rules on electronic communications, including marketing emails, faxes, texts and phone calls; the use of cookies that track website visitors’ information; the security of public electronic communications services; and the privacy of end users. If you market by phone, email, text or fax, use cookies or compile public directories, the PECR currently apply.

The ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the PECR. It was originally intended to come into effect alongside the GDPR on 25 May 2018, but is now tentatively scheduled to apply from late 2019.

The ePR aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).

Find out more about the PECR >>
Find out more about the ePR >

The difference between EU regulations and directives

The EU has two primary types of legal instrument that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU but leave the actual implementation down to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the EU GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

How IT Governance can help you to comply

Let us support you on your journey to compliance with our range of bestselling data protection products and services.

This website uses cookies. View our cookie policy