
What is data protection law, why do we have it and why do we have to comply with it?


When we refer to data protection law (sometimes called privacy law) in the UK we generally mean the following key pieces of legislation:

  1. The UK General Data Protection Regulation (the UK GDPR), which translated the EU General Data Protection Regulation into UK law following Brexit in January 2021. The UK GDPR is the main piece of data protection legislation in the UK and it sets out the fundamental principles of data protection law, the rights it gives to individuals who provide their personal data to organisations and the obligations of the organisations who collect and use that data. The UK GDPR applies where an organisation within the UK “processes” personal data and it also applies to organisations outside of the UK if they are offering goods or services to individuals in the UK or they are monitoring the behaviour of individuals in the UK.
  2. The Data Protection Act 2018, which sets out the UK data protection framework in conjunction with the UK GDPR.
  3. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which regulate electronic communications such as marketing emails and cookies.

After much talk in the first part of 2022 about the Data Reform Bill and the modifications it would make to the UK GDPR, its progress was paused in early September 2022. At the recent Conservative party conference, it was revealed that the government is rethinking the approach to data protection reform altogether. Businesses should not, however, ease off on their data protection compliance; recent enforcement activity by the UK data protection regulator, the Information Commissioner’s Office (ICO), shows that compliance with current data protection legislation needs to be taken seriously.

In modern society individuals are routinely and regularly asked to provide their personal data to third parties, whether that is their employer, their landlord, a government agency or a business from whom they want to purchase goods or services. Data protection law recognises the importance of protecting that data and ensuring it is used properly and fairly by organisations.

Failure by an organisation to comply with data protection law poses many risks including enforcement action by the ICO, loss of business and loss of reputation.

A UK based organisation may also have to comply with the EU GDPR if:

  1. It has offices, branches or other “establishments” in the European Economic Area (EEA).
  2. It is offering goods or services to individuals in the EEA.
  3. It is monitoring the behaviour of individuals in the EEA.

In these circumstances a non-compliant UK based organisation could be subject to enforcement action (including fines) in both the UK and EU.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.
