What are the three key pieces of legislation which govern the way we handle information?

Three years ago, one of the biggest changes to data protection legislation in our lifetime came into force in the UK.

The General Data Protection Regulation became legislation in 2018, bringing with it tighter rules for the gathering, sorting, and processing of personal data.

This month, our blogs will focus on information security, how GDPR changes things, and what penalties businesses and other organisations have faced for data breaches.

This week, we look at the three important pieces of legislation now governing information security in the UK:

  1. The General Data Protection Regulation – This wide-ranging EU data protection legislation was brought into force in the UK during May 2018. If you run a business, charity, or other organisation in the UK, you must comply with it. GDPR sets out seven principles which ensure that data is held safely and securely, that it is held only for a specific purpose and for no longer than is necessary, and that the data is accurate. It also makes businesses and organisations accountable for the way data is gathered, processed, and stored. GDPR gave data subjects new rights, including the right to see what is held about them, to correct that information, and to ask for it to be deleted. It also gave the regulator, the Information Commissioner, the power to impose larger fines than before for data protection breaches. The maximum fine rose from £500,000 to up to 4% of worldwide annual turnover, or 20 million euros.

  2. The Data Protection Act 2018 – This legislation implements the UK’s version of GDPR and updates the Data Protection Act 1998. It sits alongside GDPR. One of the key updates is that this legislation now also covers paper files and records, not just those held on computers.

  3. The Privacy and Electronic Communications Regulations – These regulations govern the use of electronic communications. The PECR has specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings. The PECR will apply to you if you are a network provider, if you market by phone, email, text, or fax, if you use cookies or a similar technology on your website, or if you compile a telephone directory.

If you’d like to talk to our consultants about information security, call us on 029 2070 3328 or email us on info@penarth.co.uk. You could also work towards ISO 27001.