
UK Data Protection Act vs GDPR Explained: A 2026 Guide

Lunyb Security Team
9 min read

Since the United Kingdom left the European Union, data protection has become one of the most confusing areas of compliance for British businesses. Many organisations still ask the same question: how does the UK Data Protection Act compare with the GDPR, and which one actually applies to my business? The short answer is that both apply, but in subtly different ways depending on who you collect data from and where they live.

This guide breaks down the UK Data Protection Act 2018, the UK GDPR, and the EU GDPR in plain English. You'll learn the key differences, the practical compliance steps your business needs to take, and how recent reforms in 2025 and 2026 are reshaping the landscape.

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that has applied since 25 May 2018. It sets out how the personal data of individuals in the EU must be collected, processed, stored, and protected. The GDPR applies to any organisation worldwide that handles the personal data of EU residents, not just companies based in the EU.

Personal data under the GDPR includes anything that can identify a living individual: names, email addresses, IP addresses, location data, biometric data, and even online identifiers like cookies. The regulation is enforced by national supervisory authorities in each EU member state, and fines can reach up to €20 million or 4% of global annual turnover, whichever is higher.

Core Principles of GDPR

  • Lawfulness, fairness, and transparency — data must be processed legally and openly
  • Purpose limitation — data is collected for specified, legitimate purposes
  • Data minimisation — only collect what you actually need
  • Accuracy — keep personal data correct and up to date
  • Storage limitation — don't keep data longer than necessary
  • Integrity and confidentiality — secure data against unauthorised access
  • Accountability — organisations must demonstrate compliance

What Is the UK Data Protection Act 2018?

The UK Data Protection Act 2018 (DPA 2018) is the United Kingdom's national data protection law. It was introduced to supplement the EU GDPR and tailor it to UK-specific contexts, including law enforcement processing, intelligence services, and certain exemptions for journalism, research, and immigration.

When the UK left the EU on 31 January 2020, the EU GDPR was incorporated into UK domestic law as the "UK GDPR". The DPA 2018 was amended at the same time to work alongside the UK GDPR. Together, they form the backbone of UK data protection law and are enforced by the Information Commissioner's Office (ICO).

Structure of the DPA 2018

The Data Protection Act is divided into seven parts:

  1. Part 1 — Preliminary provisions and key definitions
  2. Part 2 — General processing (works alongside UK GDPR)
  3. Part 3 — Law enforcement processing
  4. Part 4 — Intelligence services processing
  5. Part 5 — The Information Commissioner
  6. Part 6 — Enforcement
  7. Part 7 — Supplementary and final provisions

UK Data Protection Act vs GDPR: Key Differences

While the UK GDPR mirrors the EU GDPR almost word-for-word, the DPA 2018 introduces national-level provisions, exemptions, and adjustments. The most important differences relate to age of consent, immigration exemptions, and enforcement mechanisms.

Feature | EU GDPR | UK GDPR + DPA 2018
Geographic scope | EU/EEA residents | UK residents
Supervisory authority | National DPAs (e.g. CNIL, DPC) | Information Commissioner's Office (ICO)
Age of consent (children) | 16 (member states can lower to 13) | 13
Maximum fine | €20m or 4% global turnover | £17.5m or 4% global turnover
Immigration exemption | None | Yes (controversial Schedule 2)
National security provisions | Limited | Broader exemptions in DPA Part 4
International data transfers | Adequacy decisions by EU Commission | UK adequacy regulations
One-stop-shop mechanism | Yes (lead authority) | No

1. Age of Consent for Online Services

Under the EU GDPR, children under 16 need parental consent to use online services, although member states can lower this to 13. The UK has set this threshold at 13, the lowest permitted, making it easier for younger users to sign up for digital services without parental approval.

2. Immigration Exemption

The DPA 2018 contains a controversial exemption that allows the Home Office to restrict certain data subject rights when processing data for immigration control. This exemption has been challenged in UK courts and remains a notable divergence from the EU framework.

3. Enforcement and Fines

Both regimes allow for significant penalties, but the UK expresses its cap in pounds (£17.5 million) rather than euros. The ICO has independently issued multi-million pound fines to companies like British Airways, Marriott, and TikTok in recent years.

4. International Data Transfers

Post-Brexit, the UK and EU operate separate adequacy frameworks. The EU granted the UK adequacy status in June 2021, allowing data to flow freely from the EU to the UK. This decision was renewed in 2025 but is reviewed periodically.

Similarities Between the DPA 2018 and GDPR

Despite these differences, the UK GDPR and EU GDPR are in practice functionally identical for most businesses. Both share:

  • The same seven data protection principles
  • The same six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  • The same eight data subject rights, including the right to access, rectification, and erasure
  • Mandatory 72-hour breach notification
  • Requirements for Data Protection Impact Assessments (DPIAs)
  • Appointment of Data Protection Officers (DPOs) where applicable
  • Records of processing activities (ROPAs)

The Data (Use and Access) Act 2025

In June 2025, the UK passed the Data (Use and Access) Act, which amends both the UK GDPR and DPA 2018. This is the most significant reform to UK data law since Brexit and is designed to reduce compliance burdens while maintaining EU adequacy.

Key Changes Introduced

  • Recognised legitimate interests — a new list of pre-approved purposes where balancing tests are simplified
  • Smart data schemes — frameworks for secure data sharing in sectors like finance and energy
  • Soft opt-in for charities — extending PECR rules to allow charities to email past supporters
  • Automated decision-making reforms — relaxed rules outside special category data
  • Reformed ICO governance — the ICO is replaced by a new Information Commission
  • Cookie law simplification — fewer consent requirements for low-risk analytics cookies

Businesses should review their privacy notices, cookie banners, and DPIAs to ensure alignment with the 2025 reforms.

Who Needs to Comply With Which Law?

The simplest way to determine your obligations is to look at where your data subjects are based, not where your company is registered.

  1. UK business with UK customers only — UK GDPR and DPA 2018 apply
  2. UK business with EU customers — Both UK GDPR/DPA 2018 and EU GDPR apply; you may need an EU representative
  3. EU business with UK customers — Both EU GDPR and UK GDPR apply; you may need a UK representative
  4. Global business serving both — Comply with both regimes (which is straightforward given their similarity)

Practical Compliance Checklist for UK Businesses

Whether you're a sole trader or a multinational, the following steps will help you stay compliant with both the UK Data Protection Act and the UK GDPR:

  1. Map your data — know what you collect, where it's stored, and who has access
  2. Identify your lawful basis for each processing activity
  3. Publish a clear, accessible privacy notice
  4. Implement a process for handling data subject access requests (DSARs)
  5. Conduct DPIAs for high-risk processing
  6. Train staff on data protection principles annually
  7. Sign data processing agreements with all third-party processors
  8. Review international data transfer mechanisms (Standard Contractual Clauses, IDTA)
  9. Maintain an incident response plan for 72-hour breach reporting
  10. Audit cookies and tracking technologies

For organisations that share links containing tracking parameters or sensitive query strings, using a privacy-respecting URL shortener like Lunyb can help reduce inadvertent data exposure when forwarding links across channels. You can read our honest review of Lunyb or browse our 2026 buyer's guide to URL shorteners for more options.

Penalties and Enforcement in 2026

The ICO has become increasingly active. Recent enforcement trends include heavy fines for:

  • Inadequate security leading to breaches (e.g. ransomware attacks where backups were poor)
  • Unlawful direct marketing under PECR
  • Children's privacy violations under the Age Appropriate Design Code
  • Excessive use of facial recognition and biometrics
  • Failure to respond to DSARs within one month

In addition to monetary penalties, the ICO can issue enforcement notices, ban processing activities, and publicly name non-compliant organisations — which often does more reputational damage than the fine itself.

Will the UK and EU Frameworks Diverge Further?

The Data (Use and Access) Act 2025 was carefully drafted to preserve EU adequacy. However, ongoing reforms — particularly around AI training data, automated decision-making, and law enforcement processing — could create friction over time. Businesses operating in both markets should monitor:

  • The next EU adequacy review (due 2029)
  • UK-specific AI regulation proposals
  • Changes to international transfer mechanisms
  • Sector-specific smart data schemes

Frequently Asked Questions

Does the GDPR still apply in the UK after Brexit?

Yes. The EU GDPR was retained as the "UK GDPR" after Brexit and works alongside the Data Protection Act 2018. UK businesses must comply with the UK GDPR, and any business serving EU customers must also comply with the EU GDPR.

What is the main difference between the DPA 2018 and the UK GDPR?

The UK GDPR sets out the general rules for processing personal data, while the DPA 2018 supplements it with UK-specific provisions, exemptions (such as for immigration and national security), and rules for law enforcement and intelligence agencies. They are designed to be read together.

What is the maximum fine under UK data protection law?

The maximum fine is £17.5 million or 4% of global annual turnover, whichever is higher. This applies to the most serious infringements, such as breaches of data subjects' rights or unlawful international transfers.

Do I need a Data Protection Officer (DPO)?

You must appoint a DPO if you are a public authority, your core activities involve large-scale systematic monitoring (such as behavioural advertising), or you process large amounts of special category data. Many smaller businesses appoint one voluntarily for best practice.

How long do I have to report a data breach?

Personal data breaches that pose a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of becoming aware of them. If the breach is high-risk, you must also notify the affected individuals without undue delay.

What changed under the Data (Use and Access) Act 2025?

The 2025 Act introduced recognised legitimate interests, simplified cookie consent for low-risk analytics, reformed automated decision-making rules, restructured the ICO into a new Information Commission, and created frameworks for smart data sharing. It aims to ease compliance while maintaining EU adequacy.

Final Thoughts

For most UK businesses, the UK Data Protection Act 2018 and UK GDPR should be viewed as a single, integrated framework rather than competing laws. The principles are clear, the rights are well-established, and the ICO offers extensive free guidance. With the 2025 reforms now in effect, there's a real opportunity to streamline your compliance programme — but the fundamentals of accountability, transparency, and security remain unchanged.

Whether you're handling customer emails, employee records, website analytics, or shared links, treating personal data with respect is no longer just a legal requirement. It's a competitive advantage.
