GDPR After Brexit: What Changed for UK Businesses and Data Protection
When the United Kingdom left the European Union, one of the biggest questions for businesses, data controllers and privacy professionals was simple: what happens to GDPR? The General Data Protection Regulation had reshaped how organisations handled personal data since May 2018, and Brexit threatened to unpick years of compliance work. In reality, the picture is more nuanced. The UK did not scrap GDPR — it copied it into domestic law, tweaked parts of it, and now runs a parallel regime that mostly mirrors, but sometimes diverges from, the EU version.
This guide explains exactly what changed after Brexit, how the UK GDPR differs from the EU GDPR, what UK businesses must do about international data transfers, and how the Data (Use and Access) Act 2025, the successor to the lapsed Data Protection and Digital Information Bill, is reshaping the landscape in 2026.
The Short Answer: GDPR Still Applies in the UK
GDPR after Brexit is best understood as two regimes running side by side. The UK retained the substance of the EU GDPR by incorporating it into domestic law as the "UK GDPR", which sits alongside the Data Protection Act 2018. If your organisation was compliant with GDPR before 1 January 2021, you were largely compliant with UK GDPR on day one after transition.
However, the two regimes are now legally distinct. The EU GDPR is enforced by EU supervisory authorities and interpreted by the Court of Justice of the European Union (CJEU). The UK GDPR is enforced by the Information Commissioner's Office (ICO) and interpreted by UK courts, which are no longer bound by post-Brexit CJEU rulings.
Key Legal Framework in the UK
- UK GDPR — the retained EU regulation, with UK-specific amendments.
- Data Protection Act 2018 (DPA 2018) — supplements UK GDPR and covers areas like law enforcement processing.
- Privacy and Electronic Communications Regulations (PECR) — still governs cookies, marketing emails and electronic communications.
- Data (Use and Access) Act 2025 (DUAA) — the reform package that replaced the Data Protection and Digital Information Bill after that Bill lapsed at the May 2024 dissolution of Parliament. It received Royal Assent in June 2025 and amends UK GDPR, DPA 2018 and PECR, with its provisions being commenced in stages.
What Actually Changed on 1 January 2021
The transition period ended on 31 December 2020, and from 1 January 2021 the UK became a "third country" in the eyes of the EU. Several practical things shifted overnight, even though the core rules looked identical.
1. Territorial Scope Split in Two
Before Brexit, one law covered processing across the UK and EU. After Brexit, organisations processing personal data of both UK and EU residents may need to comply with both regimes simultaneously. A London-based e-commerce store selling to customers in Paris and Berlin, for example, is subject to UK GDPR for all of its processing because it is established in the UK, and is additionally subject to EU GDPR (under Article 3(2)) for the data of the customers it targets in the EU. The two regimes overlap rather than neatly partition the customer base.
2. EU Representatives Became Necessary
UK organisations without an establishment in the EU that offer goods or services to, or monitor the behaviour of, EU residents must appoint an EU representative under Article 27 of the EU GDPR. Similarly, EU businesses targeting UK data subjects may need a UK representative.
3. Lead Supervisory Authority Changes
Before Brexit, the ICO acted as lead supervisory authority under the EU's "one-stop-shop" mechanism for many multinationals headquartered in the UK. That privilege ended. UK-based multinationals now typically need a new lead authority within the EU — often Ireland, the Netherlands or France — for their EU processing activities.
4. International Data Transfers Got Complicated
Data flowing from the EU to the UK, and vice versa, is now a cross-border transfer that must satisfy the international transfer rules of both regimes. The good news: the European Commission granted the UK adequacy decisions in June 2021, meaning EU-to-UK transfers can continue without additional safeguards. Unusually, those decisions carried a four-year sunset clause, expiring in June 2025; the Commission extended them to December 2025 while it assessed the UK's reformed regime for renewal. Any renewed decision is itself time-limited and reviewable, so continued adequacy is not guaranteed.
UK GDPR vs EU GDPR: Side-by-Side Comparison
On paper the two regulations are almost identical. In practice, small but meaningful differences are emerging as UK law diverges.
| Area | EU GDPR | UK GDPR |
|---|---|---|
| Regulator | National supervisory authorities (e.g. CNIL, DPC) | Information Commissioner's Office (ICO) |
| Maximum fine | €20 million or 4% of global turnover | £17.5 million or 4% of global turnover |
| Age of consent for online services | 16 (member states may lower to 13) | 13 |
| Court interpretation | CJEU binding | UK courts; post-2020 CJEU rulings persuasive only |
| International transfers | EU Standard Contractual Clauses (SCCs) 2021 | UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs |
| Adequacy decisions | Issued by European Commission | Issued by UK Secretary of State ("data bridges") |
| One-stop-shop | Yes, across EEA | No |
International Data Transfers: The New Rules
Cross-border data transfers are where GDPR after Brexit gets most technical. Any transfer of personal data from the UK to a country outside the UK must satisfy Chapter V of the UK GDPR. There are three main routes.
1. Adequacy Regulations ("Data Bridges")
The UK government can determine that another country provides an adequate level of protection. The UK inherited the EU's adequacy decisions at the end of the transition period, covering the EEA and countries such as Canada (commercial organisations), Japan, New Zealand and Switzerland, and has since made its own adequacy regulations for the Republic of Korea (in force from December 2022) and the UK-US Data Bridge (in force from October 2023). The Data Bridge is the UK Extension to the EU-US Data Privacy Framework: it covers only US organisations that are certified under the DPF and have opted in to the UK extension, so check the certification list, not just the country, before relying on it.
2. Appropriate Safeguards
Where no adequacy exists, controllers must put safeguards in place. The main tools are:
- International Data Transfer Agreement (IDTA) — the UK's bespoke contract, launched in March 2022.
- UK Addendum to EU SCCs — allows organisations to bolt UK-specific terms onto the EU's 2021 Standard Contractual Clauses, useful for multinationals.
- Binding Corporate Rules (BCRs) — for intra-group transfers within large multinationals.
3. Derogations
Limited exceptions apply — such as explicit consent, contractual necessity, or important public interest — but the ICO expects these to be used sparingly and never for large-scale, repetitive transfers.
Transfer Risk Assessments
Following the CJEU's Schrems II ruling — which the UK inherited before Brexit — organisations must also carry out a Transfer Risk Assessment (TRA) when relying on safeguards like the IDTA. The ICO published its own TRA tool that offers a slightly more pragmatic, risk-based approach than the equivalent EDPB guidance in the EU.
From the DPDI Bill to the Data (Use and Access) Act 2025
The UK government's first attempt at post-Brexit reform, the Data Protection and Digital Information Bill (DPDI), went through several iterations but lapsed when Parliament was dissolved for the July 2024 general election. The incoming government reintroduced a narrower package as the Data (Use and Access) Bill, which received Royal Assent in June 2025. The Act does not replace UK GDPR; it amends UK GDPR, DPA 2018 and PECR, and its provisions are being commenced in stages through 2025 and 2026. Key changes include:
- Legitimate interests: a new list of "recognised legitimate interests" (for example national security, responding to emergencies, preventing crime and safeguarding) that can be relied on without the usual balancing test.
- Subject Access Requests: controllers need only carry out a "reasonable and proportionate" search, and the response clock can be paused while the controller seeks clarification. The DPDI proposal to lower the refusal threshold to "vexatious or excessive" was dropped; the "manifestly unfounded or excessive" test remains.
- Automated decision-making: the Article 22 restrictions are relaxed for solely automated decisions that do not rely on special category data, provided safeguards such as the right to human intervention and to contest the decision are in place.
- Cookies: PECR is amended so that certain low-risk cookies (for example first-party statistical measurement and appearance or functionality preferences) no longer require consent, while PECR fines are raised to the UK GDPR maximum of £17.5 million or 4% of global turnover.
- International transfers: a new "data protection test" for adequacy regulations and safeguards, asking whether the standard of protection is "not materially lower" than in the UK.
- Complaints: controllers must operate a procedure for handling data protection complaints from individuals.
- ICO reform: the ICO is restructured into an "Information Commission" with a board and chair.
- Dropped from DPDI: replacing Data Protection Officers with a "senior responsible individual", and replacing Records of Processing Activities and Data Protection Impact Assessments with lighter-touch documents. DPO, ROPA and DPIA obligations continue unchanged.
These reforms were calibrated to avoid jeopardising the EU adequacy decision, which is why the more radical DPDI proposals were left out. Diverge too far in future, and Brussels could still withdraw adequacy, forcing every EU-to-UK data flow onto SCCs overnight, a nightmare for British business.
What UK Businesses Need to Do Now
Whether you're a startup, a scale-up or an enterprise, there are concrete steps to take to stay compliant with GDPR after Brexit.
Step 1: Map Your Data Flows
Know where personal data enters your business, where it is stored, who processes it and where it goes. Pay special attention to any transfers into or out of the UK, and to any EU customer data you handle.
Step 2: Review Your Legal Basis and Documentation
Update privacy notices to reference the UK GDPR rather than solely the EU GDPR. If you serve customers in both jurisdictions, be transparent about both regimes and who supervises processing.
Step 3: Sort Out Representatives
If you're a UK business selling to EU consumers, appoint an EU representative under Article 27. If you're an EU business targeting UK data subjects, appoint a UK representative. Failure to do so is a common — and easily avoided — compliance gap.
Step 4: Update International Transfer Mechanisms
Replace legacy 2010 SCCs with the IDTA or UK Addendum. The old EU SCCs could not be used for new UK transfer contracts from 21 September 2022 and ceased to be valid for existing UK contracts on 21 March 2024, so any agreement still relying on them is non-compliant today. Complete Transfer Risk Assessments for any transfers to third countries. Document your reasoning; the ICO will expect to see it if it asks.
Step 5: Review Vendor and Sub-Processor Contracts
Any tool that touches personal data — from analytics platforms to customer support software to link management services — should be checked. If you use branded short links for marketing, choose providers that are transparent about where they host data and what safeguards they apply. Tools like Lunyb, for example, publish clear data handling practices so marketers can confirm compliance before rolling out campaigns. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners.
Step 6: Train Your Team
The rules haven't fundamentally changed, but the terminology has. Make sure staff know they are handling "UK GDPR" data, understand the ICO's guidance, and know how to spot a subject access request or a personal data breach.
ICO Enforcement Since Brexit
The ICO's enforcement style has evolved post-Brexit. It has continued issuing significant fines — including multi-million pound penalties against major retailers, telcos and public sector bodies — but has also signalled a preference for engagement, reprimands and improvement notices where possible, especially against public authorities. Under the current leadership, the regulator has emphasised outcomes over ticking boxes, focusing on real-world harm to data subjects.
Notable enforcement themes since 2021 include:
- Cookie compliance and dark patterns.
- Nuisance calls and unlawful direct marketing under PECR.
- Data breaches involving inadequate security (particularly ransomware).
- Children's data and the Age Appropriate Design Code ("Children's Code").
- AI, automated decision-making and biometric processing.
Adequacy: The Elephant in the Room
The EU's adequacy decisions for the UK, granted in June 2021, are the single most valuable piece of the post-Brexit privacy settlement. They allow data to flow freely from the EU to the UK without additional paperwork. Unlike other adequacy decisions, they also include a sunset clause: they were limited to four years, expiring in June 2025, and the Commission extended them to December 2025 while it assessed whether the reformed UK regime still warranted renewal. Any renewal is itself time-limited and reviewable, and adequacy can be suspended or withdrawn if the UK diverges too far.
Watch these signals carefully:
- How the Data (Use and Access) Act 2025 is commenced and applied in practice, and any further divergence from EU GDPR.
- UK government stances on surveillance and national security data access.
- ICO independence and enforcement rigour.
- Political developments in Brussels, particularly following any change of EU Commission priorities.
If adequacy were withdrawn, UK organisations would need to renegotiate EU data imports using SCCs and TRAs — expensive, slow and risky. Most large employers, banks and cloud providers are quietly running contingency plans just in case.
Practical Compliance Checklist
- Privacy notices reference UK GDPR and DPA 2018.
- Records of processing activities are updated and accurate.
- Lawful basis for each processing activity is documented.
- International transfer mechanisms (IDTA, UK Addendum) are in place.
- Transfer Risk Assessments completed and stored.
- EU representative appointed if applicable.
- Data Protection Officer appointed where Article 37 requires one, with contact details published and notified to the ICO.
- Staff training refreshed within the last 12 months.
- Breach response plan tested and up to date.
- Vendor contracts reviewed against UK GDPR requirements.
FAQ: GDPR After Brexit
Does GDPR still apply in the UK after Brexit?
Yes. The EU GDPR was incorporated into UK law as the "UK GDPR" and continues to apply alongside the Data Protection Act 2018. The core principles, individual rights and enforcement powers are almost identical to the EU version, though the two regimes are now legally separate and enforced by different regulators.
What is the difference between UK GDPR and EU GDPR?
The main differences are institutional rather than substantive. UK GDPR is enforced by the ICO, interpreted by UK courts, uses the IDTA or UK Addendum for international transfers, has a lower age of consent for online services (13 vs 16), and expresses fines in pounds rather than euros. The Data (Use and Access) Act 2025 widens these differences further, for example through recognised legitimate interests, relaxed automated decision-making rules and consent exemptions for low-risk cookies.
Do I need an EU representative if my business is based in the UK?
You do if you offer goods or services to individuals in the EU, or monitor their behaviour (for example through targeted advertising or website analytics), and you have no establishment in the EU. The representative acts as a point of contact for EU supervisory authorities and data subjects and must be appointed in writing under Article 27 of the EU GDPR.
Can I still transfer personal data between the UK and the EU?
Yes. The European Commission granted the UK an adequacy decision in June 2021, allowing EU-to-UK transfers to continue without additional safeguards. UK-to-EU transfers are treated as transfers to an adequate jurisdiction under UK law. The EU's adequacy decision is subject to periodic review, so businesses should monitor developments.
What happens if the EU withdraws adequacy for the UK?
UK organisations receiving personal data from the EU would need to put alternative safeguards in place, most commonly the EU's 2021 Standard Contractual Clauses combined with a Transfer Impact Assessment. That would significantly increase compliance costs and paperwork, particularly for smaller businesses. It is one of the main reasons the UK government kept the Data (Use and Access) Act 2025 narrower than the original DPDI proposals.