GDPR stands for General Data Protection Regulation (2016) and is the EU’s new framework for data protection laws, regulating how organisations process and manage their data. The European Parliament and Council agreed in April 2016 to replace Data Protection Directive 95/46/EC with the new requirements of GDPR, requiring each country to enact it in their local laws by 25 May 2018 at the latest. The aim is to deliver a higher degree of protection to personal data for the consumer, and more consistently so across the EU.

DPA, in its current context, is the Data Protection Act 2018, the UK’s implementation of GDPR, which came into force on 25th May 2018. Older sources will be referring to the DPA 1984, amended in 1998, which was a very different beast. GDPR is the EU legislation that required each EU government to implement its own version, and DPA is the UK implementation. When people talk about ‘GDPR’, they almost always actually mean the many local and consistent implementations of it (DPA in the UK’s case), or are highlighting the new GDPR-compliant DPA, as opposed to the substantially different older one. But in general usage they mean the same thing and have the same requirements and responsibilities – so ‘GDPR’ has become an industry-standard shorthand.

PECR is the Privacy and Electronic Communications Regulations (2003). The full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. They are again derived from EU law, and are the UK implementation of European Directive 2002/58/EC, also known as ‘the e-privacy Directive’, setting out specific rules for, for instance, marketing channels, use of cookies, and the regulation of telecommunication services. They complement the general data protection regime (the last updates specifically take account of GDPR) and set out more specific privacy rights on electronic communications. They recognise that widespread public access to digital mobile networks and the Internet opens up new possibilities for businesses and users, but also new risks to their privacy.

Data Protection

The DPA controls how personal information is used by organisations and reflects the requirements of GDPR. In a nutshell, it mandates a baseline set of standards for organisations that handle EU personal data to better safeguard the processing and movement of that data, and to give the owner of that data more transparency and more rights.

Analysis shows GDPR to be the most comprehensive and strongest data privacy regulation in the world. It applies to all EU citizens – even to companies outside the EU that possess any data on EU citizens. Organisations failing to comply will be subject to strict penalties and fines – potentially up to the greater of 4% of annual turnover or €20m.


PECR gives people specific privacy rights in relation to electronic communications. Because PECR is derived from an EU directive, rather than an EU regulation (like GDPR), there is a much greater amount of local variation possible. Many European countries have much stronger protections for companies versus Direct Marketing, for example. Whereas UK GDPR compliance is sufficient for all the EU, this is not the case for PECR compliance, and any planned activities that would cross national boundaries need checking against each country’s regulations, even within the EU.