SponsoredBuild your website with Vincony

Zastrzeżenie: To nie jest porada prawna. Ustawodawstwo i orzecznictwo ulegają zmianom. Zawsze skonsultuj się z wykwalifikowanym prawnikiem w swojej konkretnej sytuacji.

UK Law Reference
← All Comparisons
Consumer
Updated 2026-05-16

UK GDPR Data Breach vs PECR Marketing Breach

UK GDPR governs the processing of personal data broadly; PECR (Privacy and Electronic Communications Regulations 2003) applies specifically to electronic marketing, cookies, and communications networks. Both are enforced by the ICO but carry different maximum fines and apply to different types of conduct. This comparison explains the overlap, distinction, and enforcement regimes.

Overview

Data protection law in England and Wales comprises two principal instruments: the UK General Data Protection Regulation (UK GDPR — the retained EU GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) read together with the Data Protection Act 2018 (DPA 2018); and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR, SI 2003/2426) as amended. UK GDPR sets out the comprehensive framework for processing personal data, with maximum fines of the higher of £17.5 million or 4% of global annual turnover (DPA 2018 Sch.6 as amended). PECR is a more targeted instrument that imposes specific rules on direct marketing by electronic means, the use of cookies and similar tracking technologies, and the security of electronic communications networks. PECR fines are currently capped at £500,000 — a significantly lower maximum than UK GDPR, reflecting its narrower scope. However, the two regimes overlap substantially: an unlawful direct marketing campaign may simultaneously breach both PECR reg.22 (no marketing without consent) and UK GDPR (no lawful basis for processing). The ICO routinely investigates and fines organisations for breaches of both instruments arising from the same conduct.

Side-by-Side Comparison

UK GDPR Breach

Cost: Maximum fine: higher of £17.5 million or 4% of global annual turnover. Compliance costs vary widely.

Pros

  • Comprehensive framework covering all processing of personal data across all sectors and all types of personal data
  • Accountability and governance requirements (DPIAs, DPO, records of processing) provide a structured compliance framework
  • Data subject rights (access, erasure, portability, objection) give individuals direct recourse
  • Mandatory 72-hour breach notification requirement promotes transparency and early remediation

Cons

  • Complex compliance obligations — DPIAs, legitimate interests assessments, data processing agreements, and international transfer mechanisms
  • Broad scope creates compliance burden for even small organisations processing personal data
  • Enforcement can be slow — ICO investigations can take 12–24 months before a fine or reprimand is issued

Best For

Any processing of personal data by any controller or processor — UK GDPR applies across all sectors and all types of processing. Any organisation collecting, storing, using, or sharing personal data is subject to UK GDPR.

PECR Marketing Breach

Cost: Maximum fine: £500,000. ICO has power to issue enforcement notices requiring cessation of unlawful conduct.

Pros

  • Clear, specific rules targeted at direct marketing and cookies — easier to identify what conduct is prohibited
  • Consent requirement under PECR is clear: opt-in required; existing customer ('soft opt-in') exception available for similar goods/services
  • Enforcement is faster for clear-cut marketing breaches — the ICO regularly fines nuisance callers and spam senders
  • Applies to all organisations sending direct marketing by electronic means — not just those with large data sets

Cons

  • Fine cap of £500,000 is significantly lower than UK GDPR maximum — may be insufficient deterrent for large organisations
  • PECR does not cover all personal data processing — only electronic marketing, cookies, and communications network security
  • Often breached alongside UK GDPR in practice — organisations face dual enforcement for the same campaign

Best For

Organisations conducting direct marketing, using cookies and tracking technologies, or operating electronic communications services. Compliance with PECR is required in addition to UK GDPR for any organisation engaged in electronic marketing.

Key Differences

AspectUK GDPR BreachPECR Marketing Breach
ScopeAll processing of personal data — comprehensive and sector-neutralElectronic marketing, cookies, and communications network security only
Maximum fineHigher of £17.5 million or 4% of global annual turnover (DPA 2018 Sch.6)£500,000 (PECR reg.31)
Governing instrumentUK GDPR + Data Protection Act 2018Privacy and Electronic Communications Regulations 2003 (SI 2003/2426)
Consent standardConsent under UK GDPR Art.6(1)(a) — freely given, specific, informed, unambiguous; withdrawable at any timePECR consent — opt-in required; soft opt-in exception for existing customers marketing similar products
Breach notificationMandatory 72-hour notification to ICO for personal data breaches meeting the threshold (Art.33 UK GDPR)No general breach notification requirement under PECR for most organisations
OverlapUnlawful direct marketing simultaneously breaches UK GDPR (no lawful basis) and PECR (no consent)PECR breach arising from direct marketing also triggers UK GDPR obligations — dual compliance required
Data subject rightsData subjects have rights to access, erasure, portability, and objection under Arts.15–22 UK GDPRPECR gives individuals the right to opt out of marketing — enforced through TPS/FPS registers and opt-out requirements

Our Recommendation

Any organisation conducting electronic marketing or using cookies must comply with both UK GDPR and PECR simultaneously — the two regimes are complementary, not alternative. Organisations should ensure they have a lawful basis under UK GDPR for processing personal data used in marketing campaigns and that they have obtained valid opt-in PECR consent for electronic marketing. The ICO's direct marketing guidance and cookie guidance provide practical compliance frameworks.