In the UK, the key regulations* that govern data protection are the General Data Protection Regulation (GDPR), the UK’s Data Protection Act (2018) and the Privacy and Electronic Communications Regulations, also known by its abbreviation PECR. The UK’s regulator for data protection is the Information Commissioner’s Office (ICO).
It is worth highlighting that the EU’s Privacy & Electronic Communications Directive (2002), or e-Privacy Directive for short, on which PECR is based, is in the process of being revised to become the e-Privacy Regulation, taking into account the changes introduced by GDPR. Even though the UK will leave the EU, the e-Privacy Regulation will have a bearing on UK organisations if they handle EEA citizens’ data. Like GDPR, the new e-Privacy Regulation will have extra-territorial reach.
We thought it would be useful to include links to the California Consumer Privacy Act (CCPA), which came into force on 1 January 2020. The legislation is similar in scope to the GDPR and is the most extensive shake-up of consumer data protection law in the US. There are already moves to implement a privacy law at the Federal level. Like the EU laws, these will also have extra-territorial reach.
- Data Protection Act 2018 – Sets the UK standards for protecting general data in accordance with the GDPR, but it also ensured that the UK had an operable data protection framework after Brexit.
- The Privacy and Electronic Communications Regulations (PECR) (2003) – This regulation is the UK transposition of the EU e-Privacy Directive (2002). Please note that the 2003 legislation is the original statutory instrument; there have been subsequent revisions since then.
- Information Commissioner’s Office Direct Marketing Code of Practice (draft for consultation) – This draft code applies to anyone who processes personal data for direct marketing purposes. It explains the law and provides good-practice recommendations for those conducting direct marketing and those who participate in the broader direct marketing ecosystem. The code is undergoing public consultation until 4 March 2020 and is expected to be finalised later in the year.
Key Regulatory Bodies
- UK’s Information Commissioner’s Office (ICO)
- European Data Protection Board (EDPB) – The EDPB is composed of representatives of the EEA national data protection authorities and the European Data Protection Supervisor. It is established by the GDPR and is based in Brussels.
- Federal Trade Commission (FTC) – Unlike Europe, the US does not have a specific data protection authority. Instead, the FTC has very broad powers which cover consumer data protection.
*For in-depth legal advice please visit the ICO website or consult a legal professional.