Because there has been so much hype around GDPR, many people think that it is the be-all and end-all of data protection regulation. It is not.
There are many statutory instruments (e.g. Acts of Parliament and regulations), other than GDPR, that apply to companies' handling of personal data.
Find the needles in the data-protection regulation haystack
To illustrate this point, I've used the UK as an example. The list below is a sample of regulations taken from a stack of statutory instruments which apply to a UK company's handling of personal data. Although this is a list of UK and EU statutes, the same principle holds true for companies operating in other countries: there are many regulations dealing with the handling of personal data other than GDPR.
That all of these statutory instruments regulate a company's use of data is a bit counter-intuitive, because the names of the regulations often don't include the phrase "data protection". Nevertheless, each of these statutory instruments includes at least one provision which applies to the domain of data:
(Note this is not a full list. I've deliberately omitted certain statutes relevant to the data protection domain. The point is to show us all that there's more to data protection regulation than GDPR!)
- Civil Contingencies Act, 2004
- Companies Act 2006
- The Companies (Trading Disclosures) Regulations 2008
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act, 1988
- Copyright (Computer Programs) Regulations, 1992
- Defamation Act, 2013
- Electronic Communications Act, 2000
- Equality Act, 2010
- European Communities Act 1972
- Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations, 542 of 2015
- Business Protection from Misleading Marketing Regulations 2008
- Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013
- Consumer Protection (Distance Selling) Regulations, 2003
- Consumer Protection From Unfair Trading Regulations, 2008
- Electronic Commerce (EC Directive) Regulations, 2002
- Electronic Identification and Trust Services for Electronic Transactions Regulations, 2016
- The Provision of Services Regulation, 2009
- The Intellectual Property (Enforcement, etc.) Regulations 2006
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018
- Public Order Act, 1986
- Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I)
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
- Terrorism Act, 2000
- Trade Marks Act 1994
Now you know.
Towards knowing simply what data protection regulation requires
You may think "I wish the law was better organised and that there were fewer regulations to keep track of!" Indeed, part of the problem with regulation is that it is terribly organised. Fortunately, however, legal technology is being put to work to simplify the complicated organisation of regulatory texts. Using legal technology, it is possible to filter out the provisions of the above data-protection regulations which do not apply to your company. This filtering, combined with the use of smart meta-data, enables anyone in any organisation to experience freedom in knowing what data protection regulations require of them, without having to sift through reams of complicated and irrelevant regulatory texts! Freedom in complexity is possible.