
UK Data Protection Act vs GDPR Explained: Key Differences for 2026

Lunyb Security Team · 10 min read

Since Brexit, British businesses have been juggling two closely related but legally distinct privacy regimes: the EU General Data Protection Regulation (GDPR) and the UK's own framework, made up of the Data Protection Act 2018 (DPA 2018) and the UK GDPR. They look almost identical on the surface, yet the differences matter for compliance, contracts, cross-border transfers and regulator engagement.

This guide breaks down the UK Data Protection Act vs GDPR debate in plain English, so you can understand which rules apply to your organisation, where they diverge, and what to prioritise in 2026.

What Is the GDPR?

The General Data Protection Regulation (EU) 2016/679 is the European Union's flagship data protection law. It entered into force in 2016 and has applied since 25 May 2018. It governs how organisations collect, store, share and process the personal data of individuals located in the EU and the wider European Economic Area (EEA).

The EU GDPR is directly applicable across all EU member states. It introduced the principles most privacy professionals now take for granted: a lawful basis for every processing activity, data minimisation, purpose limitation, accountability, data subject rights (access, erasure, portability and others), breach notification to the regulator within 72 hours of becoming aware, and fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Who Does the EU GDPR Apply To?

  • Any organisation established in the EU/EEA that processes personal data.
  • Organisations outside the EU that offer goods or services to people in the EU.
  • Organisations outside the EU that monitor the behaviour of people in the EU (e.g. tracking, profiling, analytics).

What Is the UK Data Protection Act 2018?

The Data Protection Act 2018 is the UK statute that sits alongside the UK GDPR. It implements, supplements and tailors data protection rules for the UK context. It is not a replacement for GDPR-style rules — it is the legal scaffolding around them.

The DPA 2018 has four main parts that matter in practice:

  1. Part 2: General processing, working with the UK GDPR and setting UK-specific exemptions (for example, journalism, research, immigration).
  2. Part 3: Law enforcement processing, implementing the EU Law Enforcement Directive.
  3. Part 4: Intelligence services processing.
  4. Part 5 onwards: Powers of the Information Commissioner's Office (ICO), enforcement, offences and appeals.

What Is the UK GDPR?

The UK GDPR is, in effect, the EU GDPR copied into UK law after Brexit, with amendments to make it work domestically. It came into force on 1 January 2021 when the Brexit transition period ended. The text is almost identical to the EU GDPR, but references to the EU, Commission and member states have been swapped for UK equivalents.

So when British lawyers and the ICO talk about "GDPR compliance" today, they almost always mean the UK GDPR + DPA 2018 read together, not the EU regulation directly.

UK Data Protection Act vs GDPR: The Core Differences

The honest answer is that the substantive rules are roughly 95% the same. The differences lie in jurisdiction, regulator, certain national derogations, and the mechanics of international data transfers.

Feature                               | EU GDPR                                                                  | UK GDPR + DPA 2018
Geographic scope                      | Individuals in the EU/EEA                                                | Individuals in the UK
Regulator                             | National DPAs (e.g. CNIL, DPC), coordinated by the EDPB                  | Information Commissioner's Office (ICO)
Maximum fines                         | €20m or 4% of global annual turnover, whichever is higher                | £17.5m or 4% of global annual turnover, whichever is higher
Child's consent age (online services) | 16 (member states may lower it to 13)                                    | 13
International transfers               | EU Standard Contractual Clauses (SCCs)                                   | UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
Adequacy decisions                    | Made by the European Commission                                          | Made by the UK Secretary of State (adequacy regulations)
Representative (Art 27)               | EU representative for non-EU controllers/processors caught by Art 3(2)   | UK representative for non-UK controllers/processors caught by Art 3(2)
Exemptions                            | Member-state derogations under Art 23                                    | UK-specific exemptions in DPA 2018 Schedules 2-4, plus a national security exemption (s.26)

1. Different Regulators

Under the EU GDPR, the lead supervisory authority is determined by your main establishment in the EU. Under the UK regime, the ICO is the single regulator. If you operate in both the UK and EU, you may need to engage with both the ICO and an EU authority — the "one-stop shop" mechanism no longer applies between them.

2. Different Fine Currencies (and Slightly Different Amounts)

EU GDPR maximums are denominated in euros (€10m / €20m). UK GDPR maximums are denominated in pounds (£8.7m / £17.5m). The 2% / 4% turnover-based caps remain the same in principle, and in both regimes the fine is capped at whichever of the fixed sum or the percentage is higher.

3. Children's Consent

The UK set the age at which children can consent to information society services at 13. EU member states vary between 13 and 16. If you offer online services to minors across borders, you must check each market.

4. International Data Transfers

Transferring personal data outside the UK requires either an adequacy decision, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or another approved safeguard such as Binding Corporate Rules. The EU has its own SCCs. Many UK businesses use the UK Addendum bolted onto the EU SCCs to cover both regimes in one document.

5. Adequacy Status

The UK currently benefits from an EU adequacy decision (granted June 2021), meaning personal data can flow from the EU to the UK without additional safeguards. That decision was extended in 2025 but is reviewed periodically. If it were ever revoked, every EU-to-UK transfer would need its own Article 46 safeguard (typically EU SCCs), which would be a significant compliance burden.

6. National Exemptions

The DPA 2018 includes UK-specific exemptions and conditions in its schedules — for example, around immigration control, criminal offence data, journalism in the public interest, and research. These are areas where UK practice diverges from the EU.

What Stays the Same

Despite the divergences, the day-to-day compliance picture is largely identical:

  • The seven data protection principles (lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability).
  • Lawful bases for processing: consent, contract, legal obligation, vital interests, public task, legitimate interests.
  • Data subject rights: access, rectification, erasure, restriction, portability, objection, rights related to automated decision-making.
  • Breach notification to the regulator within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals, plus notification to affected individuals where there is a high risk.
  • Data Protection Impact Assessments (DPIAs) for high-risk processing.
  • Records of processing activities (ROPAs) under Article 30.
  • Data Protection Officer (DPO) appointments in the same triggering scenarios.

Who Has to Comply With Which Law?

This is where many UK businesses get tangled. The general rule is that you may be subject to both regimes simultaneously.

UK GDPR + DPA 2018 Applies If:

  • You are established in the UK and process personal data, regardless of where the individuals are.
  • You are outside the UK but offer goods or services to people in the UK.
  • You monitor the behaviour of people in the UK (analytics, advertising, profiling).

EU GDPR Also Applies If:

  • You have an establishment in the EU (an office, branch or stable arrangement).
  • You offer goods or services to people located in the EU.
  • You monitor the behaviour of people in the EU.

A typical UK e-commerce store that ships to Ireland and France is therefore subject to both. It will need a privacy notice that covers the UK GDPR and the EU GDPR, an EU representative under Article 27 EU GDPR (unless it has an EU establishment or falls within the Article 27(2) exemption for occasional, low-risk processing), a cookie banner that satisfies both PECR and the national laws implementing the ePrivacy Directive, and transfer mechanisms covering both jurisdictions.
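The applicability, representative and transfer rules above can be encoded as a small decision helper that you run over each entry in your Record of Processing Activities. The following is an added example, not code from the original article or from Lunyb; the Processing schema, the function names and the adequacy lists are all assumptions, and the adequacy lists in particular are constructed, incomplete samples, so check the ICO and European Commission registers before relying on them. The representative logic collapses the Article 27(2) exemption into a single flag, which is a simplification of the real test.

```python
"""Dual-regime decision helper (added example; hypothetical schema and names)."""
from dataclasses import dataclass

# Constructed, deliberately incomplete sample lists (assumption): use the
# official ICO / European Commission adequacy registers in production.
EEA = {"IE", "FR", "DE", "NL", "ES", "IT", "NO", "IS", "LI"}
EU_ADEQUATE = EEA | {"GB", "CH", "JP", "NZ", "CA"}   # EU/EEA -> X flows freely
UK_ADEQUATE = EEA | {"GB", "CH", "JP", "NZ", "CA"}   # UK -> X flows freely


@dataclass
class Processing:
    """One processing activity, as a ROPA entry might record it (hypothetical schema)."""
    establishments: set        # ISO country codes where the organisation has an office
    markets: set               # countries whose residents are offered goods or services
    monitors: set              # countries whose residents are tracked or profiled
    recipient_countries: set   # where the data is sent (processors, group companies)
    occasional: bool = False   # simplified Art 27(2)(a) exemption flag


def regimes(p: Processing) -> set:
    """Which regime(s) apply, following Art 3 of the UK GDPR and EU GDPR."""
    out = set()
    if "GB" in p.establishments or "GB" in p.markets or "GB" in p.monitors:
        out.add("UK GDPR")
    if p.establishments & EEA or p.markets & EEA or p.monitors & EEA:
        out.add("EU GDPR")
    return out


def representatives(p: Processing) -> set:
    """Art 27 representatives: needed when a regime applies only via Art 3(2)."""
    r = regimes(p)
    out = set()
    if "EU GDPR" in r and not p.establishments & EEA and not p.occasional:
        out.add("EU representative (Art 27 EU GDPR)")
    if "UK GDPR" in r and "GB" not in p.establishments and not p.occasional:
        out.add("UK representative (Art 27 UK GDPR)")
    return out


def transfer_mechanism(origin: str, dest: str) -> str:
    """Safeguard required for one export, chosen by the exporting jurisdiction."""
    if origin == "GB":
        if dest in UK_ADEQUATE:
            return "none: UK adequacy regulations"
        return "IDTA or UK Addendum to EU SCCs (or BCRs)"
    if origin in EEA:
        if dest in EU_ADEQUATE:
            return "none: EU adequacy decision"
        return "EU SCCs (or BCRs)"
    return "out of scope: exporter not in UK or EEA"


def transfer_plan(p: Processing) -> dict:
    """Mechanism per (exporter, recipient) pair; exporters are the establishments."""
    plan = {}
    for origin in sorted(p.establishments):
        for dest in sorted(p.recipient_countries):
            if origin != dest:
                plan[(origin, dest)] = transfer_mechanism(origin, dest)
    return plan


if __name__ == "__main__":
    # Constructed sample: the UK store from the text, shipping to IE and FR,
    # using an Irish payment processor and a US email platform.
    shop = Processing(establishments={"GB"}, markets={"GB", "IE", "FR"},
                      monitors={"GB", "IE", "FR"}, recipient_countries={"IE", "US"})
    print(regimes(shop))          # {'UK GDPR', 'EU GDPR'}
    print(representatives(shop))  # {'EU representative (Art 27 EU GDPR)'}
    for pair, mech in transfer_plan(shop).items():
        print(pair, "->", mech)
```

The transfer plan keys on where the exporter is established, which is the usual starting point for Chapter V analysis; a UK-only business with an EU representative still exports under the UK rules, so its US vendors need the IDTA or the UK Addendum rather than bare EU SCCs.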

Practical Compliance Checklist for UK Organisations

  1. Map your data. Maintain a Record of Processing Activities listing every category of personal data, purpose, lawful basis, retention period and recipients.
  2. Update privacy notices. Reference the UK GDPR and DPA 2018 explicitly. If you also serve EU residents, include EU GDPR references and your EU representative.
  3. Review lawful bases. Especially for marketing, profiling and analytics. PECR still requires consent for non-essential cookies in the UK.
  4. Refresh international transfer documentation. Where data leaves the UK, replace legacy EU SCCs with the UK IDTA or the UK Addendum; the old EU SCCs have not been valid for UK-originating transfers since 21 March 2024.
  5. Run DPIAs on any high-risk processing — AI tools, large-scale profiling, biometric systems, children's data.
  6. Train your team. Many reported breaches stem from human error, not novel legal questions. Annual training and phishing simulations matter.
  7. Tighten vendor management. Ensure Article 28 processor contracts are in place with every supplier touching personal data, including marketing platforms and link tools.
  8. Plan for incidents. A documented breach response plan, including the 72-hour ICO notification window, is non-negotiable.

How the ICO Enforces the Rules

The ICO is generally seen as a proportionate, guidance-led regulator. Its enforcement toolkit includes information notices, assessment notices, enforcement notices, reprimands and monetary penalties. Recent ICO trends include a focus on:

  • AI and automated decision-making transparency.
  • Children's data (the Age Appropriate Design Code).
  • Adtech, real-time bidding and cookie compliance.
  • Public sector data sharing and breaches.
  • Nuisance marketing under PECR.

The ICO has signalled it will continue to use reprimands more frequently than headline fines, particularly for public sector bodies, while reserving large monetary penalties for serious, persistent or negligent breaches.

Where Privacy-Friendly Tools Fit In

Compliance is not just paperwork — your tooling choices shape your risk profile. Every third-party tracker, marketing pixel or link redirector is a potential data flow that needs documenting and, sometimes, a transfer mechanism.

When choosing operational tools like analytics platforms, email systems or link shorteners, look for providers that minimise data collection, host within the UK or EU, and offer clear data processing terms. For example, if you share short links in marketing campaigns, using a UK-friendly shortener such as Lunyb reduces the number of cross-border transfers you need to paper over. We cover this in more depth in our honest Lunyb review and our 2026 buyer's guide to URL shorteners.

The Future: Data (Use and Access) Act and UK Divergence

The UK has been progressively reforming its data laws through the Data (Use and Access) Act 2025, which amends the UK GDPR and DPA 2018. Key shifts include:

  • Clearer rules around legitimate interests for certain "recognised" purposes.
  • Reforms to subject access request handling, including time-stopping for clarification.
  • Adjustments to cookie rules, allowing some low-risk cookies without consent.
  • A streamlined approach to research and statistical processing.
  • Reforms to the ICO's structure and governance.

These changes nudge UK law away from strict EU alignment but stop short of breaking adequacy. The direction of travel for 2026 and beyond is incremental, business-friendly divergence — not deregulation.

FAQ

Is the UK still under GDPR after Brexit?

Yes. The UK retained the GDPR in domestic law as the "UK GDPR", which works alongside the Data Protection Act 2018. The substantive rules are almost identical to the EU GDPR, but the ICO is now the sole regulator and fines are denominated in pounds.

What is the main difference between the DPA 2018 and the UK GDPR?

The UK GDPR sets out the core data protection rules — principles, lawful bases, rights and obligations. The DPA 2018 supplements it with UK-specific provisions: exemptions, rules for law enforcement and intelligence services, the ICO's powers, offences and definitions. You cannot read one without the other.

Do I need to comply with both UK GDPR and EU GDPR?

If you serve customers or monitor users in both the UK and the EU, then yes. You will need privacy notices, lawful bases, transfer mechanisms and (often) representatives that satisfy both regimes. Many organisations produce a single "dual-compliant" set of policies referencing both laws.

What is the maximum fine under the UK GDPR?

The standard maximum is £8.7 million or 2% of global annual turnover, whichever is higher. The higher tier, which covers serious breaches such as infringing the principles, data subject rights or the international transfer rules, is £17.5 million or 4% of global annual turnover, whichever is higher.

Do I still need EU Standard Contractual Clauses for transfers from the UK?

For transfers out of the UK to countries without UK adequacy, you should use the UK International Data Transfer Agreement (IDTA) or the UK Addendum bolted onto the EU SCCs. The EU SCCs alone do not satisfy UK law for UK-originating transfers, and contracts still relying on the old EU SCCs have been out of date since 21 March 2024.
