Additional data protection legislation


Additional UK data protection legislation

Alongside the GDPR, there are several different pieces of data protection legislation in place in the UK that are designed to protect people’s personal data and privacy. In this article, we will look at four of these pieces of legislation (PECR, NIS, Freedom of Information Act, and PCI DSS) and how they interact with the UK GDPR.

  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • Network and Information Systems Regulations 2018 (NIS)
  • Freedom of Information Act 2000 (FOIA)
  • Payment Card Industry Data Security Standard (PCI DSS)

What are the Privacy and Electronic Communications Regulations 2003?

The Privacy and Electronic Communications Regulations 2003 sit alongside the Data Protection Act and the UK GDPR, and give people specific privacy rights regarding electronic communication. More specifically, the regulations cover:

Some of the rules within the PECR only apply to organisations that provide public electronic communications networks or services (such as BT, Virgin Media and TalkTalk). These rules are there to protect people’s security while using electronic communication networks or services.

For those organisations that are not a network or service provider (what’s one of those?), PECR still apply if they: 

  • Use telephone marketing, or use email, text, or fax for marketing purposes.
  • Use cookies or other tracking technologies on their website.
  • Compile a phone directory (or similar public directory).

In general, the regulations set out the rules on unsolicited live calls, who can be sent marketing faxes (and what information must be included), and who can and can’t be contacted via email or text for marketing purposes (and what the messages must contain). 

When it comes to cookies and other tracking technologies, PECR put in place some basic rules: organisations must tell people the cookies are there, explain what the cookies do and why, and get consent to store cookies on a person’s device.

For directory compilers, there are rules for compliance, including telling individuals they are included in the directory, giving people the chance to opt-out of being included, getting consent for reverse searches, and correcting or withdrawing entries upon request. Directory compilers are also required to provide certain information to anyone included in the directory.

How does PECR fit with UK GDPR?

The two sets of regulations are designed to be complimentary. To help simplify things, the PECR use and apply the UK GDPR standard of consent

In many circumstances, an organisation will need to comply with both PECR and GDPR. There is quite a lot of overlap because both regulations cover similar topics, so complying with one will make complying with the other easier, and vice versa.

There are some situations in which the GDPR and PECR provide specific rules on the same thing. For example, network and service providers must follow certain rules listed in the PECR that govern security breaches, traffic data, location data, etc. If this is the case, the rules in the PECR take precedence to avoid duplication of rules.

Importantly, unlike the GDPR, PECR still applies when personal data is not involved. Many of the rules are there to protect organisations, as well as individuals, and the marketing rules apply even if an organisation cannot identify the person they are contacting.

What is NIS?

NIS is short for network and information systems. NIS includes electronic communication networks, devices or groups of interconnected devices that automatically process digital data, and digital data stored, received or transmitted by these systems for their operation, use, protection or maintenance.

What are the NIS Regulations?

The Network and Information Systems Regulations 2018 came into force on the 10th May 2018. 

These regulations established a common level of security for network and information systems. This is important because these systems play vital roles in the economy and wider societal activities, and are often at risk of cyber attacks.

NIS applies to two groups of organisations: operators of essential services (OES) and relevant digital service providers (RDSPs). An essential service is defined by NIS as ‘a service which is essential for the maintenance of critical societal or economic activities’, while a relevant digital service could be an online marketplace, an online search engine, a cloud computing service, etc.

It should be noted that there is a general exemption for digital services that are small, and for micro-businesses (unless they are part of a larger group or are controlled by larger organisations).

How does NIS affect UK GDPR?

The UK GDPR and NIS cover different things: UK GDPR is concerned with personal data (both physical and digital), while NIS is concerned with the security of systems and digital data.

However, organisations that are required to be compliant with one will most likely need to comply with the other one too, and the two regulations have been designed with this in mind. The ICO is also the enforcing body for both sets of regulations, which makes it easier to obtain guidance for both.

What is the Freedom of Information Act 2000?

The Freedom of Information Act 2000 gives people access to much of the information held by public authorities. There are two ways in which the Act does this:

  1. It requires public authorities to publish certain information about their activities.
  2. Members of the public are entitled to request information from public authorities.

The Act covers recorded information held by any public authority in England, Northern Ireland, Wales, and UK-wide authorities based in Scotland. Scottish public authorities are covered by the Freedom of Information (Scotland) Act 2002.

Under the Act, recorded information includes: printed documents, computer files, letters, emails, photos, and sound or video recordings.

How does the Freedom of Information Act affect UK GDPR?

The UK GDPR exists to protect people’s privacy, while the Act exists to remove unnecessary secrecy. The two aims are not incompatible, but can be in competition at times. 

One area where this becomes apparent is the releasing of personal data. The Freedom of Information Act does not give people access to their own personal data, such as their health records or credit reference files, the UK GDPR does.

Therefore, if somebody makes a request for information that includes another person’s personal data, a careful balance must be struck between transparency and openness under the Act and the person’s right to privacy under the UK GDPR.

More information about exemptions and personal data can be found here.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that was designed to reduce payment card fraud by introducing greater security controls for cardholder data.

The Standard was designed in a collaborative effort by the major card brands (American Express, Discover, JCB, Mastercard and Visa) and is administered by the Payment Industry Security Standard Council (PCI SSC). While PCI DSS is not enshrined by UK law, so compliance is not a legal requirement, it is a global standard and non-compliance can result in fines or withdrawal of card payment services.

Is PCI DSS compliance mandatory in the UK?

PCI DSS compliance is not legally required in the UK. However, failure to comply could result in an organisation’s payment processor withdrawing their services.

According to the PCI DSS, any merchant or service provider that processes, transmits, or stores cardholder data must comply with the PCI DSS. This includes merchants that accept debit and credit card payments for goods or services, and service providers are those directly involved in processing, transmitting, or storing cardholder data on behalf of another entity.

How does PCI DSS interact with GDPR?

Both PCI DSS and UK GDPR are designed to protect personal data, so there is significant crossover between the two.

However, the two do differ when it comes to their aims. PCI DSS is very prescriptive and focuses on card and cardholder data, while UK GDPR is much broader. The UK GDPR provides much information on what must be protected without providing a detailed action plan, but PCI DSS details clearly what needs to be achieved and how it should be done.

One thing is universally agreed upon: PCI DSS compliance is a great step towards complying with the UK GDPR.


For more information on the UK GDPR, consider taking one of our GDPR Awareness courses: