UK Data Protection Act vs GDPR Explained: Key Differences for 2026
Since Brexit, UK businesses have had to navigate three overlapping but distinct pieces of data protection law: the UK Data Protection Act 2018 (DPA 2018), the UK GDPR, and the EU GDPR. They share the same DNA but are not identical, and getting the distinctions wrong can trigger enforcement action from the Information Commissioner's Office (ICO), from EU data protection authorities, or from both.
This guide explains the relationship between the UK Data Protection Act and the GDPR, where they diverge, and what UK organisations need to do to stay compliant in 2026.
What is the UK Data Protection Act 2018?
The Data Protection Act 2018 is the UK's primary domestic data protection law. It received Royal Assent on 23 May 2018 and its main provisions came into force on 25 May 2018, the same day the EU GDPR became applicable. It was designed to supplement and tailor the GDPR for the UK context, and it also covers areas the GDPR does not, such as law enforcement processing and processing by the intelligence services.
The DPA 2018 is split into several parts:
- Part 1: General preliminary provisions.
- Part 2: General processing, sitting alongside the UK GDPR.
- Part 3: Law enforcement processing (implementing the EU Law Enforcement Directive).
- Part 4: Intelligence services processing.
- Parts 5–7: The ICO's role, enforcement powers, and supplementary provisions.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that entered into force in May 2016 and became applicable on 25 May 2018. It harmonised data protection law across all EU member states and introduced strict rules around consent, transparency, data subject rights, breach notification, and international transfers.
After Brexit, the EU GDPR was retained in UK law as the UK GDPR, with amendments (made by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) so that it functions as a domestic instrument. So when people in the UK talk about "GDPR", they usually mean the UK GDPR. The EU GDPR still applies to any UK organisation that has an establishment in the EU, or that offers goods or services to, or monitors the behaviour of, individuals in the EEA (Article 3).
UK Data Protection Act vs GDPR: The Core Relationship
The simplest way to understand the relationship: the UK GDPR sets the main rules, and the DPA 2018 fills in the gaps, customises certain provisions, and extends protection to areas outside GDPR's scope.
They are designed to work together. You cannot comply with one and ignore the other if you are a UK-based controller or processor.
Quick Comparison Table
| Aspect | UK Data Protection Act 2018 | UK GDPR | EU GDPR |
|---|---|---|---|
| Type of law | UK Act of Parliament | Retained EU regulation (now "assimilated law"), part of UK domestic law | EU regulation |
| Geographic scope | United Kingdom | United Kingdom, plus non-UK organisations that target or monitor individuals in the UK (Art. 3(2)) | EEA, plus non-EEA organisations that target or monitor individuals in the EEA (Art. 3(2)) |
| Regulator | ICO | ICO | National DPAs (e.g. CNIL, DPC) |
| Maximum fine | £17.5m or 4% of global annual turnover, whichever is higher | £17.5m or 4% of global annual turnover, whichever is higher | €20m or 4% of global annual turnover, whichever is higher |
| Covers law enforcement? | Yes (Part 3) | No | No (separate LED applies) |
| Covers intelligence services? | Yes (Part 4) | No | No |
| Age of consent (children) | 13 | 13 | 16 (default, varies by member state) |
Key Differences Between the DPA 2018 and the GDPR
Although the two regimes overlap heavily, there are several notable differences that UK organisations need to be aware of.
1. Scope of Application
The UK GDPR applies to the processing of personal data by controllers and processors established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. The DPA 2018 applies more broadly: it covers the same general processing (Part 2) and also processing by competent authorities for law enforcement purposes (Part 3) and by the intelligence services (Part 4). The EU GDPR does not touch these areas: law enforcement processing is governed by the separate Law Enforcement Directive, and national security falls outside EU competence altogether.
2. Age of Consent for Online Services
One of the clearest divergences. Under the UK GDPR and DPA 2018, the age at which a child can consent to information society services (such as social media or online shops) is 13. Under the EU GDPR the default is 16, although member states can lower it. UK platforms targeting EU users must respect the relevant member state's threshold.
3. Exemptions
Schedule 2 of the DPA 2018 contains a long list of exemptions from certain GDPR rights and obligations. These include exemptions for:
- Crime prevention and taxation.
- Immigration control.
- Journalism, academia, art and literature.
- Legal professional privilege.
- Confidential references.
The EU GDPR allows member states to create such exemptions, but the specific UK list is unique to the DPA 2018.
4. International Data Transfers
Post-Brexit, the UK is treated as a "third country" by the EU. The European Commission adopted an adequacy decision for the UK in June 2021, which allows personal data to flow freely from the EEA to the UK without additional safeguards. Unusually, that decision carried a sunset clause, originally expiring in June 2025, and the Commission extended it while it reviewed the UK's data reform legislation; check the current status of UK adequacy before relying on it for inbound EEA flows. Transfers from the UK to other countries are governed by the UK GDPR and, where no UK adequacy regulations cover the destination, rely on the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.
5. Enforcement and Supervisory Authority
The ICO is the sole supervisory authority for the UK GDPR and DPA 2018. Under the EU GDPR, the "one-stop-shop" mechanism lets organisations deal with a single lead supervisory authority across the EU, but a UK-only establishment no longer qualifies. Unless a UK organisation has a main establishment in the EU, it may have to engage separately with the supervisory authority in each member state where affected individuals are located.
6. Fines and Penalties
Both regimes have two tiers of fines. The maximum under the UK GDPR and DPA 2018 is £17.5 million or 4% of annual global turnover, whichever is higher. Under the EU GDPR it is €20 million or 4%, again whichever is higher. The figures are broadly equivalent but technically distinct, and a single incident affecting both UK and EU data subjects could attract separate fines from the ICO and an EU supervisory authority, since each enforces its own law.
What Stays the Same Across All Three?
The good news is that the fundamental principles and rights are nearly identical. If you have built a compliance programme around the EU GDPR, you will already meet most UK requirements.
Shared Data Protection Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Shared Data Subject Rights
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Compliance Checklist for UK Businesses
If your organisation is based in the UK or processes UK residents' data, follow these steps to stay aligned with both the DPA 2018 and the UK GDPR.
- Map your data. Document what personal data you collect, where it comes from, why you hold it, and who you share it with.
- Identify your lawful basis. For every processing activity, record one of the six lawful bases under Article 6 and, where you process special category data, an Article 9 condition together with the matching DPA 2018 Schedule 1 condition where one is required.
- Update privacy notices. Make sure your notices reference the UK GDPR and DPA 2018, not just the EU GDPR.
- Review international transfers. Use the IDTA or UK Addendum, backed by a transfer risk assessment, for transfers out of the UK to countries not covered by UK adequacy regulations, and check the current status of the EU's adequacy decision for inbound flows from the EEA.
- Appoint a UK representative if needed. Organisations with no UK establishment that offer goods or services to, or monitor the behaviour of, individuals in the UK may need to appoint one under Article 27 of the UK GDPR.
- Train staff. Make sure employees understand subject rights, breach reporting, and the 72-hour notification window.
- Audit vendors. Tools that handle URLs, analytics, or marketing data, including link shorteners, process personal data such as IP addresses and click histories on your behalf. Check that each has Article 28 processor terms in its contract, a published sub-processor list, and a valid transfer mechanism for any data sent outside the UK.
For marketing and link management specifically, choosing a privacy-conscious provider matters. Platforms like Lunyb let you shorten and track URLs without aggressive third-party tracking, which simplifies your compliance posture. You can read more in our honest review of Lunyb or browse the 2026 buyer's guide to URL shorteners for alternatives.
Common Misconceptions
"GDPR doesn't apply in the UK anymore"
Wrong. The UK GDPR is now part of UK law, and the EU GDPR still applies extraterritorially if you target EU residents. Brexit did not eliminate GDPR — it duplicated it.
"The DPA 2018 replaced the GDPR"
Also wrong. The DPA 2018 supplements the UK GDPR. Both apply simultaneously to general processing in the UK.
"Small businesses are exempt"
There is no general small business exemption. However, some obligations (like appointing a Data Protection Officer) only apply if you meet specific criteria. Most organisations of any size that handle personal data must comply with the core principles.
The Future: Data (Use and Access) Act and Reform
The UK has been actively reforming its data protection regime. The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, introduces targeted changes to the UK GDPR and DPA 2018, including a list of "recognised legitimate interests", a relaxation of the rules on solely automated decision-making, and the replacement of the Information Commissioner with an Information Commission. It does not scrap GDPR; it tweaks it, and its provisions are being brought into force in stages by commencement regulations. Organisations should monitor ICO guidance for implementation timelines and watch whether the EU continues to regard the UK as adequate in light of the changes.
Frequently Asked Questions
Is the UK Data Protection Act the same as GDPR?
No. The DPA 2018 is a UK Act of Parliament that works alongside the UK GDPR. The UK GDPR sets out the main rules; the DPA 2018 customises them for the UK and covers areas like law enforcement and intelligence services that GDPR does not.
Does GDPR still apply in the UK after Brexit?
Yes. The EU GDPR was retained in UK law as the UK GDPR. The EU GDPR also still applies directly if you offer goods or services to, or monitor, individuals in the EEA.
What is the maximum fine under the UK GDPR?
£17.5 million or 4% of annual global turnover, whichever is higher, for the most serious infringements. A lower tier of £8.7 million or 2% applies to less severe breaches.
Do I need a UK representative and an EU representative?
Potentially both. If you are established outside the UK but offer goods or services to, or monitor the behaviour of, individuals in the UK, you may need a UK representative under Article 27 of the UK GDPR. Similarly, non-EU organisations targeting individuals in the EU need an EU representative under Article 27 of the EU GDPR. A UK company with no EU establishment that targets EU customers therefore typically needs an EU representative, unless one of the Article 27(2) exemptions applies.
Which regulator should I report a breach to?
If you are subject to the UK GDPR, report to the ICO within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals' rights and freedoms. If you are also subject to the EU GDPR and individuals in the EEA are affected, you may additionally need to notify the relevant EU supervisory authority within the same 72-hour window. Record every breach internally, including those you decide not to report, as Article 33(5) requires.
Conclusion
The UK Data Protection Act 2018 and the UK GDPR are two halves of the same compliance puzzle. The GDPR (in both UK and EU forms) provides the principles, rights, and obligations; the DPA 2018 adapts and extends them for the UK. For most businesses, the practical compliance work — lawful bases, privacy notices, breach response, vendor due diligence — looks very similar across both regimes.
The key in 2026 is to recognise that you may be operating under three overlapping laws (DPA 2018, UK GDPR, EU GDPR) and to choose tools, partners, and processes that respect personal data by design. Get the foundations right and the regulatory detail becomes manageable.