
UK Data Protection Act vs GDPR Explained: Key Differences in 2026

Lunyb Security Team · 10 min read

Since Brexit, UK businesses have had to navigate two closely related but legally distinct privacy regimes: the UK Data Protection Act 2018 (DPA 2018) alongside the UK GDPR, and the EU GDPR for any data flowing in or out of the European Economic Area. While the two frameworks share the same DNA, the differences matter — particularly when it comes to enforcement, international transfers, and who your supervisory authority actually is.

This guide explains how the UK Data Protection Act and GDPR compare in 2026, where they overlap, and what UK organisations need to do to stay compliant under both.

Quick Definition: What Each Law Actually Is

The EU GDPR (General Data Protection Regulation) is a European Union regulation, in force since May 2018, that governs how personal data of people in the EEA is processed. The UK GDPR is the UK's domestic version, retained after Brexit and tailored for UK law. The Data Protection Act 2018 is the UK statute that sits alongside the UK GDPR, filling in national specifics such as exemptions, law enforcement processing, and the powers of the Information Commissioner's Office (ICO).

In short: in the UK, the UK GDPR and the DPA 2018 work together. They are not alternatives — you must comply with both simultaneously.

Why the Confusion Exists

Before Brexit, UK organisations followed the EU GDPR directly. When the UK left the EU on 31 December 2020, the GDPR was "copied" into UK law as the UK GDPR via the European Union (Withdrawal) Act. The DPA 2018 was already in place, originally written to supplement the EU GDPR — and it was amended to supplement the UK GDPR instead.

The result is a layered system:

  • UK GDPR — the core principles, lawful bases, and data subject rights.
  • DPA 2018 — UK-specific rules, exemptions, and regulator powers.
  • EU GDPR — still applies if you offer goods/services to or monitor people in the EEA.

UK Data Protection Act vs GDPR: Side-by-Side Comparison

| Feature | EU GDPR | UK GDPR + DPA 2018 |
|---|---|---|
| Jurisdiction | EU/EEA member states | United Kingdom |
| Supervisory authority | National DPA (e.g. CNIL, DPC) | Information Commissioner's Office (ICO) |
| Maximum fine | €20m or 4% of global turnover | £17.5m or 4% of global turnover |
| Age of consent for online services | 16 (member states may lower to 13) | 13 |
| International data transfers | Adequacy decisions, SCCs, BCRs | UK adequacy regs, IDTA, UK Addendum to SCCs |
| Law enforcement processing | Law Enforcement Directive (separate) | Part 3 of DPA 2018 |
| Intelligence services | Outside GDPR scope | Part 4 of DPA 2018 |
| National security exemptions | Member state law | Schedule 11, DPA 2018 |
| Representative requirement | EU rep needed for non-EU controllers | UK rep needed for non-UK controllers |

Where the Two Frameworks Are Identical

For most day-to-day compliance, the UK GDPR and EU GDPR are functionally the same. Both require organisations to:

  1. Identify a lawful basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
  2. Provide a clear privacy notice to data subjects.
  3. Respect data subject rights — access, rectification, erasure, restriction, portability, and objection.
  4. Implement appropriate technical and organisational measures (Article 32 security).
  5. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
  6. Report serious personal data breaches within 72 hours.
  7. Maintain records of processing activities (ROPA).
  8. Appoint a Data Protection Officer (DPO) where required.

The seven core principles — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — apply identically under both regimes.

Key Differences That Actually Affect UK Businesses

1. Your Regulator Is the ICO

The Information Commissioner's Office is the UK's sole supervisory authority. EU member states each have their own (the Irish DPC, France's CNIL, Germany's BfDI, etc.). If you process only UK data, you deal exclusively with the ICO. If you also process EEA data, you may need to engage with EU regulators too — and the "one-stop shop" mechanism that previously simplified cross-border EU cases no longer applies to UK-headquartered businesses.

2. Fines Are Denominated in Pounds

The UK GDPR caps fines at the higher of £17.5 million or 4% of global annual turnover for the most serious infringements. The EU GDPR caps are €20 million or 4%. In practice, the amounts are similar, but you can be fined under both regimes for the same incident if it affects both UK and EEA data subjects.

3. International Data Transfers

This is the area where the two regimes diverge most. The UK has its own adequacy regulations and its own transfer tools:

  • International Data Transfer Agreement (IDTA) — the UK's standalone transfer contract.
  • UK Addendum — bolts onto the EU SCCs to make them work for UK exports.
  • UK-US Data Bridge — extension of the EU-US Data Privacy Framework, allowing transfers to certified US organisations.

UK organisations transferring data to the EEA can do so freely (the EU has granted the UK adequacy until at least 2025, with renewal currently being negotiated). Transfers from the EEA to the UK are also permitted under EU adequacy.

4. Age of Consent for Online Services

Under the UK GDPR, children aged 13 and over can consent to online services. The EU GDPR sets the default at 16, although member states have flexibility — Ireland, France and Germany use 16, while Belgium and Denmark use 13.

5. DPA 2018-Specific Provisions

The Data Protection Act 2018 contains material with no direct EU GDPR equivalent:

  • Part 3 — processing by competent authorities for law enforcement purposes.
  • Part 4 — processing by intelligence services.
  • Schedules 2–4 — extensive exemptions covering journalism, academic research, legal privilege, immigration, and more.
  • Section 170 — criminal offence of unlawfully obtaining personal data.

Who Has to Comply With What?

Determining which law applies depends on where you are and whose data you handle:

| Scenario | UK GDPR + DPA 2018 | EU GDPR |
|---|---|---|
| UK business, UK customers only | Yes | No |
| UK business, EEA customers | Yes | Yes |
| EEA business, UK customers | Yes | Yes |
| US business selling to UK consumers | Yes (need UK rep) | Only if also targeting EEA |
| UK charity, UK donors only | Yes | No |

Data Subject Rights: A Practical Comparison

Both regimes grant data subjects the same eight core rights, and the procedures and timelines are mirrored almost word-for-word.

The Eight Rights

  1. Right to be informed
  2. Right of access (Subject Access Request — SAR)
  3. Right to rectification
  4. Right to erasure ("right to be forgotten")
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making and profiling

Under both UK and EU GDPR, controllers must respond to a SAR within one calendar month, extendable by two further months for complex requests. Both regimes allow the controller to refuse manifestly unfounded or excessive requests.

Breach Notification: Same Clock, Different Regulators

A reportable personal data breach must be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of it. In the UK, that means the ICO. In the EU, it's the lead supervisory authority of your main establishment.

If a breach affects both UK and EEA residents, you may need to notify both the ICO and the relevant EU DPA. Many security incidents involve credentials stolen via social engineering — our guide on recognising and avoiding phishing attacks covers the most common breach vector in 2026.

The Data (Use and Access) Act 2025: What's Changing

The UK passed the Data (Use and Access) Act 2025 (DUAA), which introduces targeted reforms to the UK data protection regime without scrapping the UK GDPR or DPA 2018. Key changes include:

  • Clearer rules on legitimate interests, with a list of "recognised" legitimate interests that don't require a balancing test.
  • Reforms to cookie rules, allowing certain low-risk cookies (analytics, security) without consent.
  • Streamlined subject access request procedures, including a clearer "reasonable and proportionate" search standard.
  • Replacement of the ICO with a new Information Commission governance structure.
  • Reforms to automated decision-making rules under Article 22.

The reforms are designed to reduce compliance burden while maintaining EU adequacy. UK organisations should review their privacy notices, cookie banners, and SAR procedures during 2026.

Practical Compliance Checklist for UK Businesses

  1. Map your data flows — know what personal data you collect, where it's stored, who you share it with, and whether it leaves the UK.
  2. Document lawful bases for every processing activity.
  3. Update your privacy notice to reflect UK GDPR references (not EU GDPR).
  4. Review international transfer mechanisms — use the IDTA or UK Addendum where required.
  5. Appoint a UK representative if you're based outside the UK but target UK customers.
  6. Train staff on SAR handling, breach reporting, and phishing awareness.
  7. Encrypt personal data in transit and at rest — see our guide on encrypting internet traffic for practical steps.
  8. Maintain a breach log, even for incidents that don't meet the reporting threshold.
  9. Run DPIAs for any high-risk processing — particularly profiling, large-scale monitoring, or new technologies.
  10. Review vendor contracts for Article 28 processor terms.

Common Compliance Pitfalls

The ICO's enforcement actions in recent years reveal recurring weaknesses:

  • Cookie banners that don't allow easy refusal — "reject all" must be as prominent as "accept all".
  • Marketing without proper consent under PECR (the Privacy and Electronic Communications Regulations, which sit alongside the UK GDPR).
  • Tracking pixels and link tracking deployed without disclosure. If you shorten URLs for marketing, choose a service that's transparent about analytics — privacy-respecting tools like Lunyb let you generate short links without harvesting unnecessary user data, which simplifies your lawful-basis analysis. Compare options in our 2026 URL shortener buyer's guide.
  • Failure to honour SARs within one month.
  • Inadequate security — unencrypted laptops, weak passwords, missing MFA.
  • QR code privacy issues — see our analysis of QR code tracking in restaurants for an example of how scanning behaviour can constitute personal data processing.

Should You Comply With UK GDPR or EU GDPR?

The honest answer for most organisations with cross-border activity: both. The good news is that aligning to the stricter EU GDPR generally satisfies UK requirements too, with the exception of UK-specific transfer paperwork and the appointment of a UK representative.

If your operations are purely UK-based — UK customers, UK staff, UK suppliers — then UK GDPR + DPA 2018 is your sole framework, and you only deal with the ICO.

Frequently Asked Questions

Is the UK GDPR the same as the EU GDPR?

Substantively, they are around 95% identical. The principles, lawful bases, data subject rights, and breach timelines are the same. The differences lie in jurisdiction, the regulator (ICO vs EU DPAs), the currency of fines, international transfer mechanisms, and the age of consent for online services (13 in the UK, 16 default in the EU).

Do I need to comply with both UK and EU GDPR?

Yes, if you process personal data of both UK and EEA residents. UK businesses targeting EU customers must comply with the EU GDPR and may need an EU representative. EU businesses targeting UK customers must comply with the UK GDPR and DPA 2018 and may need a UK representative.

What's the maximum fine under the UK Data Protection Act?

The maximum fine under the UK GDPR (enforced through the DPA 2018) is the higher of £17.5 million or 4% of global annual turnover for the most serious infringements, such as breaches of the core data protection principles or data subject rights.

Does Brexit mean UK companies don't need to follow GDPR anymore?

No. UK companies must follow the UK GDPR, which is essentially a domestic copy of the EU GDPR. They must also follow the EU GDPR if they offer goods or services to people in the EEA, or monitor their behaviour. Brexit didn't reduce data protection obligations — it duplicated them.

What is the Data (Use and Access) Act 2025?

The DUAA is UK legislation that reforms parts of the UK GDPR and DPA 2018. It introduces recognised legitimate interests, eases certain cookie consent requirements, streamlines SARs, and restructures the ICO into a new Information Commission. It does not replace the UK GDPR — it amends it. Compliance teams should review their documentation in light of the changes during 2026.

Who enforces data protection law in the UK?

The Information Commissioner's Office (ICO) is the UK's independent supervisory authority. It investigates complaints, audits organisations, issues enforcement notices and fines, and provides guidance. Under the DUAA, it is being reconstituted as the Information Commission with a new governance model, but its core functions remain unchanged.

This article is for general guidance only and does not constitute legal advice. Organisations with specific compliance questions should consult a qualified data protection lawyer or DPO.
