UK Data Protection Act vs GDPR Explained: Key Differences for 2026
Since Brexit, UK businesses have had to navigate two closely related but distinct privacy regimes: the UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). Although they share most of their DNA, the differences matter — especially if you handle data across borders, run a website with EU visitors, or process sensitive categories of personal data.
This guide breaks down the UK Data Protection Act vs GDPR in plain English, with side-by-side comparisons, fines, enforcement bodies, and practical compliance steps for 2026.
What Is the UK Data Protection Act 2018?
The UK Data Protection Act 2018 is the United Kingdom's primary data protection law. It sits alongside the UK GDPR — a domestic version of the EU GDPR that was retained in British law after Brexit — and together they form the UK's data protection framework.
The DPA 2018 does three main things:
- It supplements and tailors the UK GDPR for British use, filling in gaps where EU law gave member states discretion.
- It applies data protection rules to areas outside the UK GDPR's scope, such as law enforcement and intelligence services.
- It sets out the powers and responsibilities of the Information Commissioner's Office (ICO), the UK's data protection regulator.
Key features of the DPA 2018
- Lowers the age of consent for online services to 13 (versus the GDPR default of 16).
- Includes specific exemptions for journalism, research, and national security.
- Creates criminal offences for unlawfully obtaining or re-identifying personal data.
- Governs processing by competent authorities for law enforcement purposes (Part 3).
What Is the GDPR?
The General Data Protection Regulation is an EU-wide law that took effect on 25 May 2018. It harmonises data protection rules across all 27 EU member states and applies to any organisation worldwide that processes the personal data of people in the EU.
The GDPR introduced now-familiar concepts such as:
- Lawful bases for processing (consent, contract, legitimate interests, and so on).
- Data subject rights — access, rectification, erasure, portability, objection.
- Mandatory breach notification within 72 hours.
- Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Fines of up to €20 million or 4% of global annual turnover.
UK GDPR vs EU GDPR: Are They the Same?
The UK GDPR is essentially a copy-and-paste of the EU GDPR, adjusted to work as British domestic law. The core principles, rights, and obligations are virtually identical. However, the two have started to diverge in subtle ways since 2021, and that gap is expected to widen.
Key divergences so far include:
- Regulator: The ICO enforces the UK GDPR; EU data protection authorities (DPAs) enforce the EU GDPR.
- Fine currency: UK fines are denominated in pounds (up to £17.5 million or 4% of turnover) rather than euros.
- International transfers: The UK has its own International Data Transfer Agreement (IDTA) and UK Addendum to the EU SCCs.
- Adequacy: The UK has issued its own adequacy decisions, separate from the EU's list.
UK Data Protection Act vs GDPR: Side-by-Side Comparison
The clearest way to see the differences is in a side-by-side table. Note that "GDPR" below refers to the EU GDPR, while the DPA 2018 column includes how it interacts with the UK GDPR.
| Feature | UK Data Protection Act 2018 (+ UK GDPR) | EU GDPR |
|---|---|---|
| Jurisdiction | United Kingdom | 27 EU member states + EEA |
| Regulator | Information Commissioner's Office (ICO) | National DPAs (e.g. CNIL, DPC, BfDI) |
| Maximum fine | £17.5 million or 4% of global turnover | €20 million or 4% of global turnover |
| Age of digital consent | 13 | 16 (member states may lower to 13) |
| Breach notification | 72 hours to ICO | 72 hours to lead DPA |
| International transfers | UK IDTA, UK Addendum, UK adequacy list | EU SCCs, EU adequacy decisions |
| Law enforcement processing | Covered by DPA 2018 Part 3 | Covered by Law Enforcement Directive (separate) |
| Intelligence services | Covered by DPA 2018 Part 4 | Outside GDPR scope |
| Criminal offences | Yes — unlawful obtaining, re-identification | Set by individual member states |
Where the Two Laws Overlap
For most day-to-day compliance tasks, the UK DPA 2018 and the EU GDPR look almost identical. The core obligations that apply under both include:
- Lawful basis for processing — you must identify and document a legal ground before processing personal data.
- Transparency — clear privacy notices explaining what you collect, why, and for how long.
- Data subject rights — access, rectification, erasure, restriction, portability, and objection.
- Security obligations — appropriate technical and organisational measures (encryption, access controls, pseudonymisation).
- Accountability — records of processing activities (ROPA), DPIAs for high-risk activities, and a Data Protection Officer where required.
- Breach reporting — notify the regulator within 72 hours of becoming aware of a personal data breach.
If you built your privacy programme around the EU GDPR before Brexit, you almost certainly already meet the UK requirements — provided you've updated your documentation to reference the UK regime.
Where the Two Laws Differ in Practice
1. International data transfers
This is the area causing the most headaches in 2026. UK organisations sending personal data outside the UK must use either:
- A UK adequacy decision (the UK has its own list, which broadly mirrors the EU's but is not identical),
- The UK International Data Transfer Agreement (IDTA), or
- The UK Addendum to the EU Standard Contractual Clauses.
EU organisations, by contrast, must use the EU SCCs and rely on EU adequacy decisions. If you transfer data both ways across the Channel, you'll need both sets of safeguards.
2. Age of consent for online services
The DPA 2018 sets the age at 13 — significantly lower than the GDPR default of 16. This affects social media platforms, educational apps, and any service relying on consent to process children's data.
3. Immigration exemption
The DPA 2018 includes an exemption from certain data subject rights when processing data for immigration control purposes. This has been controversial and was found partially unlawful by the Court of Appeal in 2021, leading to amendments.
4. National security and intelligence
The DPA 2018 explicitly covers processing by intelligence services (Part 4) — something the EU GDPR leaves to member states.
5. Criminal offences
The DPA 2018 creates several criminal offences, including unlawfully obtaining personal data (Section 170) and re-identifying de-identified personal data (Section 171). Individuals — not just companies — can be prosecuted.
Who Needs to Comply With Both?
You probably need to comply with both the UK regime and the EU GDPR if any of the following apply:
- You're a UK business that offers goods or services to people in the EU.
- You're an EU business that markets to or monitors UK residents.
- You operate a website or app accessed by both UK and EU users.
- You have offices or staff in both jurisdictions.
In these cases, you may also need to appoint:
- A UK representative if you're an overseas business targeting UK users.
- An EU representative under Article 27 of the EU GDPR if you target EU users from outside the EU.
Fines and Enforcement: A Reality Check
The ICO has shown it will use its powers. Notable UK enforcement actions include:
- British Airways — originally £183 million, reduced to £20 million after appeals and pandemic considerations.
- Marriott International — £18.4 million for a breach affecting hundreds of millions of guests.
- Clearview AI — £7.5 million for scraping facial images of UK residents.
- TikTok — £12.7 million for misusing children's data.
EU regulators have gone further, with billion-euro fines against major US tech platforms. The takeaway: both regimes have real teeth, and the question is not whether enforcement is coming but whether your organisation is ready when it does.
Practical Compliance Checklist for UK Businesses
Use this checklist as a starting point in 2026:
- Map your data. Know what personal data you hold, where it sits, and who you share it with.
- Document lawful bases. For every processing activity, record the lawful basis under UK GDPR Article 6 (and Article 9 for special category data).
- Update privacy notices. Reference the UK GDPR and DPA 2018, name the ICO as the supervisory authority, and explain UK-to-EU transfer safeguards.
- Review international transfers. Replace any pre-Brexit SCCs with the UK IDTA or the UK Addendum.
- Train your staff. Most ICO investigations involve human error — phishing, lost devices, misdirected emails.
- Plan for breaches. Have an incident response runbook and know exactly how to report to the ICO within 72 hours.
- Use privacy-respecting tools. When sharing links or tracking marketing campaigns, choose providers that minimise data collection. A privacy-aware link shortener like Lunyb can help you track clicks without exposing visitor data to dozens of third-party trackers — useful if you're trying to keep your processing footprint small. For more options, see our 2026 buyer's guide to URL shorteners.
Looking Ahead: The Data (Use and Access) Act and Beyond
The UK has signalled its intention to reform data protection law to be more "business-friendly" while maintaining EU adequacy. The Data (Use and Access) Act introduces changes to areas including:
- Subject access requests and proportionality of response.
- Legitimate interests for direct marketing and AI training.
- Smart data schemes and digital identity.
- The structure and powers of the ICO.
If you're a UK business, expect more divergence from the EU GDPR over the next few years — but don't expect the fundamentals (transparency, security, data subject rights) to change. Build your programme around those, and you'll stay compliant no matter how the politics shifts.
Frequently Asked Questions
Is the UK GDPR the same as the EU GDPR?
They are nearly identical in substance, but they are separate legal instruments. The UK GDPR is part of UK domestic law and is enforced by the ICO, while the EU GDPR is enforced by national data protection authorities across the EU. Fines, international transfer mechanisms, and some discretionary provisions differ.
Does the GDPR still apply in the UK after Brexit?
The EU GDPR no longer applies directly in the UK, but a copy of it — the UK GDPR — was retained in domestic law. UK businesses must comply with the UK GDPR and DPA 2018. The EU GDPR can still apply extraterritorially if you offer goods or services to people in the EU or monitor their behaviour.
What is the maximum fine under the UK Data Protection Act?
The maximum fine is £17.5 million or 4% of global annual turnover, whichever is higher. This mirrors the EU GDPR's €20 million / 4% ceiling, just denominated in pounds.
Do I need both a UK and EU representative?
If you're based outside both the UK and EU but offer services to people in both, yes — you generally need a UK representative under UK GDPR Article 27 and an EU representative under EU GDPR Article 27. They can be different organisations or, in some cases, the same provider acting in both capacities.
What happens if I only comply with the EU GDPR?
If you process the personal data of UK residents, complying only with the EU GDPR isn't enough. You'll need to also comply with the UK GDPR and DPA 2018 — update your privacy notice to identify the ICO as your supervisory authority, use UK transfer mechanisms, and follow UK-specific rules such as the age 13 consent threshold.