GDPR stands for General Data Protection Regulation (2016) and is the EU’s new framework for data protection laws, regulating how organisations process and manage their data. The European Parliament and Council agreed in April 2016 to replace Data Protection Directive 95/46/ec with the new requirements of GDPR, requiring each country to enact it in their local laws by 25 May 2018 at the latest. The aim is to deliver a higher degree of protection to personal data for the consumer, and more consistently so across the EU.

DPA in its current context the Data Protection Act 2018 (DPA) is the UK’s implementation of GDPR and came into force on 25^th May 2018. Older sources will be referring to the DPA 1984, amended in 1998 which was a very different beast. GDPR is the EU legislation, that required each EU government to implement their own version, and DPA is the UK implementation. When people talk about ‘GDPR’, they almost always actually mean the many local and consistent implementations of it (DPA in the UK’s case), or to highlight the new GDPR-compliant DPA, as opposed to the substantially different older one. But in general usage they mean the same thing and have the same requirements and responsibilities – so ‘GDPR’ has become an industry standard shorthand.

PECR is the Privacy and Electronic Communications Regulations (2003). The full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. They are again derived from EU law, and are the UK implementation of European Directive 2002/58/EC, also known as ‘the e-privacy Directive’, and setting out specific rules for marketing channels, use of cookies, and the regulation of telecommunication services for instance. It complements the general data protection regime (the last updates specifically take account of GDPR) and set out more specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the Internet opens up new possibilities for businesses and users, but also new risks to their privacy.

Data Protection

The DPA controls how personal information is used by organisations and is reflects the requirements of GDPR. In a nutshell, it mandates a baseline set of standards for organisations that handle EU personal data to better safeguard the processing and movement of that data, and give the owner of that data more transparency, and more rights.

Analysis shows GDPR to be the most comprehensive and strongest data privacy regulation in the world and applies to all EU citizens – even to companies outside the EU that possess any data on EU citizens. Organisations failing to comply will be subject to strict penalties and fines – potentially up to the greater of; 4% of annual turn-over or €20m.