Which Data Protection laws apply?

Recently a client asked us which data protection laws actually apply in the UK. It can be puzzling since we have the UK GDPR, DPA 2018 (amended 2021), PECR (2002) and PECR (2003), not to mention some that are specific to particular sectors or activities.

So we thought it might be helpful to clarify things, but bear in mind that your circumstances may be different and you should always check with https://ico.org.uk or book a free 25-minute call with Nick using https://zorva.info/free-insight-call/.

The Data Protection Act 2018 (DPA) sets out the UK’s data protection framework, alongside the General Data Protection Regulation (GDPR); see https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/. These two work together.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications; see https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/what-are-pecr/. PECR include specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

References to PECR generally mean PECR 2003, which in turn refer back to PECR 2002.

All of these have been updated at intervals since they were first published. This is one reason the ICO is so important: it interprets the legislation and issues advice.