UK Data Protection Act vs GDPR Explained: Key Differences for 2026
If your organisation handles personal data in the United Kingdom, you've almost certainly encountered both the UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). Despite being closely related, they are not the same law — and since Brexit, the differences have grown more meaningful. This guide explains how the two frameworks relate, where they diverge, and what UK businesses need to do in 2026 to stay compliant.
What Is the UK Data Protection Act 2018?
The UK Data Protection Act 2018 is the United Kingdom's primary domestic legislation governing the processing of personal data. It sits alongside the UK GDPR and tailors the regulation to the British legal context, covering areas the GDPR leaves to member states — such as law enforcement processing, intelligence services, and specific exemptions for journalism, research, and immigration.
The DPA 2018 originally implemented the EU GDPR into UK law before Brexit. After the UK left the EU on 31 January 2020, the EU GDPR was retained as the "UK GDPR" through the European Union (Withdrawal) Act, and the DPA 2018 was amended to work alongside it.
What Is the GDPR?
The General Data Protection Regulation is an EU-wide law that came into force on 25 May 2018. It standardises data protection rules across all EU member states and applies to any organisation worldwide that processes the personal data of individuals located in the EU. The GDPR introduced the core principles modern privacy law is built on: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Today, there are effectively two GDPRs that UK businesses must be aware of:
- EU GDPR — applies when processing the data of individuals in the EU/EEA.
- UK GDPR — applies when processing the data of individuals in the UK, and works in tandem with the DPA 2018.
UK Data Protection Act vs GDPR: At a Glance
The simplest way to understand the relationship: the UK GDPR sets out the high-level rules, and the DPA 2018 fills in the UK-specific detail. They are designed to be read together, not as alternatives.
| Aspect | UK GDPR | DPA 2018 | EU GDPR |
|---|---|---|---|
| Jurisdiction | United Kingdom | United Kingdom | EU/EEA |
| Regulator | ICO | ICO | National DPAs (e.g. CNIL, DPC) |
| Maximum Fine | £17.5m or 4% global turnover | Same tiers as UK GDPR | €20m or 4% global turnover |
| Age of Consent (children) | 13 | 13 | 16 (member states can lower to 13) |
| Law Enforcement Processing | Not covered | Part 3 covers it | Separate Directive (LED) |
| Intelligence Services | Not covered | Part 4 covers it | Outside EU GDPR scope |
| Adequacy Status | Granted by the EU (renewed 2025) | Not applicable | Not applicable |
Key Differences Between the UK DPA and the EU GDPR
While the two frameworks share the same DNA, several practical differences matter for UK organisations.
1. Scope of Coverage
The EU GDPR focuses almost entirely on general personal data processing in commercial and public-sector contexts. The DPA 2018, by contrast, has a much broader scope. It is structured into seven parts; after the preliminary Part 1, these cover:
- General processing (Part 2, aligned with UK GDPR)
- Law enforcement processing (Part 3)
- Intelligence services processing (Part 4)
- The role and powers of the Information Commissioner (Part 5)
- Enforcement (Part 6)
- Supplementary provisions (Part 7)
2. Children's Consent Age
The EU GDPR sets the default age for valid consent to information society services at 16, allowing member states to lower it to 13. The UK has set this at 13 via the DPA 2018. This affects social platforms, gaming companies, and any service marketed to younger teens.
3. National Security and Immigration Exemptions
The DPA 2018 includes a controversial immigration exemption that disapplies certain data subject rights when processing relates to "effective immigration control". The EU GDPR has no equivalent. The exemption has been challenged in UK courts and narrowed, but it remains a notable divergence.
4. Journalistic, Academic, Artistic and Literary Exemptions
Both frameworks allow exemptions for freedom of expression, but the DPA 2018 lays these out in much more granular detail in Schedule 2, giving UK media organisations clearer (and arguably broader) latitude than their equivalents in some EU states.
5. International Data Transfers
Post-Brexit, the UK operates its own international transfer regime. UK organisations transferring data abroad must use:
- UK adequacy regulations (the UK has its own list, similar but not identical to the EU's)
- The UK International Data Transfer Agreement (IDTA), or
- The UK Addendum to the EU Standard Contractual Clauses (SCCs)
EU organisations rely on EU SCCs and Commission adequacy decisions. The UK currently holds EU adequacy status (renewed in 2025), meaning data can flow freely from the EU to the UK — but this is reviewed periodically.
6. Enforcement and Fines
Both regimes have similar two-tier fine structures, but the currency and ceiling differ:
- UK GDPR / DPA 2018: up to £8.7 million or 2% of global turnover (lower tier); up to £17.5 million or 4% of global turnover (higher tier).
- EU GDPR: up to €10 million / 2%, and €20 million / 4%.
UK enforcement is carried out by the Information Commissioner's Office (ICO), while EU enforcement is led by each member state's data protection authority, coordinated by the European Data Protection Board (EDPB).
Where the UK DPA and GDPR Overlap
Despite the differences, the core obligations are almost identical. If you're already compliant with one, you're 90% of the way to compliance with the other.
Shared Principles
- Lawfulness, fairness and transparency
- Purpose limitation — collect data only for specified purposes
- Data minimisation — collect only what is necessary
- Accuracy — keep personal data up to date
- Storage limitation — don't keep data longer than needed
- Integrity and confidentiality — protect with appropriate security
- Accountability — demonstrate compliance with records
Shared Data Subject Rights
Individuals enjoy the same eight rights under both regimes:
- Right to be informed
- Right of access (subject access requests)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Which Law Applies to Your Business?
This is one of the most common questions UK organisations ask. The answer depends on where your data subjects are located, not where your business is based.
| Scenario | Applicable Law |
|---|---|
| UK business serving only UK customers | UK GDPR + DPA 2018 |
| UK business serving UK and EU customers | UK GDPR + DPA 2018 and EU GDPR |
| EU business serving UK customers | EU GDPR and UK GDPR (may need UK representative) |
| US/global business with UK and EU users | UK GDPR and EU GDPR |
| UK public authority | UK GDPR + DPA 2018 (including FOI considerations) |
Businesses operating in both jurisdictions often need two representatives: an EU representative under Article 27 of the EU GDPR, and a UK representative under the UK GDPR.
Practical Compliance Steps for UK Businesses in 2026
Whether you're a small e-commerce shop or a multinational, the practical checklist is broadly the same. Follow these steps to align with both the DPA 2018 and the UK GDPR.
- Map your data. Document what personal data you collect, where it comes from, where it's stored, and who has access.
- Identify your lawful basis. For each processing activity, choose one of the six bases (consent, contract, legal obligation, vital interests, public task, legitimate interests).
- Update privacy notices. Make them clear, layered, and accessible. Reference the UK GDPR and DPA 2018 specifically.
- Review consent mechanisms. Especially for marketing, cookies, and children's services. UK consent age is 13.
- Establish a DSAR process. You have one month to respond to subject access requests.
- Audit international transfers. Use the UK IDTA or Addendum where needed, and check transfer risk assessments.
- Appoint a DPO if required. Mandatory for public authorities and certain large-scale processors.
- Prepare a breach response plan. Notifiable breaches must be reported to the ICO within 72 hours of becoming aware of them.
- Train your staff. Human error is still the leading cause of data breaches.
- Maintain records of processing (ROPA). Required for most organisations under Article 30.
Data Security and the Role of Tools You Use
Both the DPA 2018 and the UK GDPR require "appropriate technical and organisational measures" to protect personal data. That means encryption in transit and at rest, access controls, regular security testing, and careful vendor selection.
This extends to seemingly simple tools. For example, if your marketing team shares shortened links containing tracking parameters, those URLs may carry personal identifiers. Choosing a privacy-respecting link platform like Lunyb — which provides HTTPS-only short links, transparent analytics, and minimal data collection — helps you meet the security and minimisation principles without extra overhead. For a deeper look, see our honest review of Lunyb or compare options in our 2026 URL shortener buyer's guide.
If you're evaluating enterprise link platforms with custom domains and team controls, our Rebrandly review for 2026 walks through the trade-offs in detail.
Enforcement Trends Under the ICO
The ICO has shifted its enforcement approach in recent years toward a more proportionate, risk-based model — but fines remain significant. Recent high-profile UK actions have targeted:
- Unlawful direct marketing and nuisance calls (PECR enforcement)
- Inadequate breach response and slow notification
- Failure to honour data subject rights, particularly DSARs
- Cookie consent failures on major websites
- Inappropriate use of facial recognition and biometric data
The ICO publishes its enforcement actions on its website and offers regulatory sandboxes and guidance to encourage compliance over punishment for good-faith actors.
The Future: Data (Use and Access) Act and Reform
The UK has been gradually reforming its data protection framework. The Data (Use and Access) Act 2025 introduces targeted changes — including simplified rules around legitimate interests, research, and automated decision-making — while preserving the core of the UK GDPR to maintain EU adequacy.
Key reforms to watch:
- A more flexible regime for scientific research
- Clearer rules for cookies and online tracking
- Reduced ROPA obligations for low-risk SMEs
- A reformed ICO governance structure
None of these changes fundamentally break compatibility with the EU GDPR — but UK organisations should monitor ICO guidance for practical updates.
Frequently Asked Questions
Is the UK still covered by GDPR after Brexit?
Yes — but by the UK GDPR, not the EU GDPR. The UK retained the GDPR in domestic law via the European Union (Withdrawal) Act. The EU GDPR still applies if you process the personal data of individuals located in the EU/EEA.
What is the main difference between the DPA 2018 and the UK GDPR?
The UK GDPR sets out the principles and rules for general personal data processing. The DPA 2018 supplements it with UK-specific provisions, including law enforcement and intelligence services processing, national exemptions, and the powers of the ICO. They are designed to be read together.
Do small businesses in the UK need to comply with the DPA 2018?
Yes. There is no general small-business exemption. However, the obligations scale with risk: a small online retailer faces far lighter practical requirements than a hospital or bank. Many SMEs must also pay an annual data protection fee to the ICO, which starts at £40.
What happens if I breach the UK GDPR or DPA 2018?
The ICO can issue enforcement notices, require changes to processing, and impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. Individuals can also bring civil claims for compensation, including for non-material damage such as distress.
Do I need separate privacy policies for UK and EU users?
Not necessarily. Most organisations produce a single policy that references both the UK GDPR and the EU GDPR, identifies their UK and EU representatives (where required), and explains rights under each. The substance is nearly identical; the references and contact points differ.
Conclusion
The UK Data Protection Act 2018 and the GDPR are not rivals — they are partners. The UK GDPR provides the rulebook; the DPA 2018 provides the British context, exemptions, and enforcement architecture. For most UK businesses, compliance is one unified exercise: map your data, justify your processing, respect individuals' rights, and secure what you hold.
The differences with the EU GDPR are real but narrow, and the regulatory direction in 2026 is toward sensible reform, not divergence. Stay close to ICO guidance, build privacy into your tools and processes from the outset, and treat compliance as an ongoing programme rather than a one-off project.