An overview of UK Data Protection Law

The UK GDPR, DPA 2018 and EU GDPR, and the ePR and PECR

What is data protection?

Data protection is about defending individuals’ personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, and ensuring it is processed fairly.

Organisations have a duty to protect the personal information they hold and to ensure that it is only used for the purpose for which it was collected.

Which data protection laws apply in the UK after Brexit?

In the UK, data protection is governed by the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018, which should be read together.

All organisations in the UK that process personal data must comply with these two data privacy laws or risk fines of up to £17.5 million or 4% of annual global turnover – whichever is greater.

How your organisation must comply with the data protection legislation will depend on how you process personal data. For instance, you might need to appoint a data protection officer.

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information Bill through parliament and will keep you updated on how it might affect your data processing obligations.

Does the EU GDPR still apply in the UK?

Although the EU GDPR no longer applies to domestic data processing, organisations that offer products or services to the EU, or monitor EU residents’ behaviour, are still bound by it, and risk fines of up to €20 million or 4% of annual global turnover – whichever is greater – for breaches.

Other UK data protection and privacy laws

Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with the PECR (Privacy and Electronic Communications Regulations).

Non-compliance can lead to criminal prosecution, non-criminal enforcement, and monetary penalties of up to £500,000.

Data protection definitions

Personal data is defined in the DPA 2018 and GDPR as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Special categories of personal data (sensitive data) include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” and “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.

Processing is any operation or set of operations performed on personal data (for example collection, storage, use, disclosure, erasure, or destruction).

The EU GDPR, UK GDPR and DPA 2018

Originally proposed by the European Commission in January 2012, the EU GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016.

It was published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it has applied to the processing of EU residents’ personal data since 25 May 2018.

In the UK, the new Data Protection Act received royal assent on 23 May 2018.

The DPA 2018 supplemented the EU GDPR by filling in sections the Regulation left to individual member states to interpret and implement. It also applied the GDPR provisions – or at least a “broadly equivalent regime” – to certain areas outside the Regulation’s scope, such as processing by public bodies.

Following the Brexit transition period, the DPPEC (The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019 combined the EU GDPR’s provisions with the DPA 2018’s “applied GDPR” to form a UK data processing regime called the “UK GDPR”, which has applied in the UK since 1 January 2021.

UK organisations that process personal data must therefore comply with:

  • The DPA 2018 and UK GDPR if they process only domestic personal data.
  • The DPA 2018 and UK GDPR, and the EU GDPR, if they process the personal data of UK residents and offer goods and services to, or monitor the behaviour of, EU residents.

The PECR and the ePR

The UK’s PECR enact the EU’s 2002 ePrivacy Directive (the ‘cookie law’), and set out the rules on:

  • Electronic communications, including marketing emails, faxes, texts and phone calls;
  • The use of cookies that track website visitors’ information;
  • The security of public electronic communications services; and
  • The privacy of end users.

If you market by phone, email, text, or fax, use cookies or compile public directories, the PECR currently apply.

The ePR is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the PECR.

The ePR aims to ensure more robust privacy in all electronic communications – including instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and the IoT (Internet of Things).

It was initially intended to come into effect alongside the GDPR on 26 May 2018 but is now unlikely to take effect until 2022.

The extent to which its provisions will be enacted in the UK remains to be seen.
