
UK Data Protection Act vs GDPR Explained: 2026 Compliance Guide

Lunyb Security Team · 10 min read

Since Brexit, UK organisations have had to navigate two closely related but distinct data protection regimes: the UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). Although they share a common heritage, the differences matter — especially if you handle personal data belonging to people in the UK, the EU, or both. This guide breaks down each framework, highlights the practical distinctions, and shows you what compliance looks like in 2026.

What Is the UK Data Protection Act 2018?

The UK Data Protection Act 2018 is the primary piece of legislation governing how personal data is processed in the United Kingdom. It sits alongside the UK GDPR — a domesticated version of the EU GDPR that was retained after Brexit — and together they form the UK's data protection framework.

The DPA 2018 does three main things:

  1. It supplements the UK GDPR, filling in areas where member states are allowed to set their own rules (such as age of consent for online services).
  2. It applies data protection standards to areas outside the scope of the UK GDPR, including law enforcement processing and intelligence services.
  3. It gives the Information Commissioner's Office (ICO) its enforcement powers and defines specific UK offences.

Key features of the DPA 2018

  • Sets the age of consent for online services at 13 (compared with 16 in the standard EU GDPR).
  • Contains specific provisions for journalism, research, and archiving in the public interest.
  • Includes bespoke rules for law enforcement (Part 3) and intelligence services (Part 4).
  • Grants the ICO the power to issue fines and enforcement notices.

What Is the GDPR?

The General Data Protection Regulation (EU) 2016/679 is a European Union regulation that came into force in May 2018. It harmonises data protection law across all EU and EEA member states and applies to any organisation, anywhere in the world, that processes personal data of individuals located in the EU.

Under the EU GDPR, organisations must:

  • Have a lawful basis for processing personal data.
  • Provide clear privacy notices to data subjects.
  • Uphold rights such as access, rectification, erasure, and portability.
  • Implement appropriate technical and organisational security measures.
  • Report personal data breaches to the relevant supervisory authority within 72 hours.
  • Appoint a Data Protection Officer (DPO) where required.

Since 1 January 2021, the UK has no longer been bound by the EU GDPR directly. Instead, its provisions were copied into UK law as the UK GDPR, which now operates in tandem with the DPA 2018.

UK Data Protection Act vs GDPR: The Core Relationship

A common misconception is that the DPA 2018 and the GDPR are competing frameworks. They aren't. The clearest way to think about it is:

  • EU GDPR = the European Union regulation.
  • UK GDPR = the UK's domesticated version of that regulation, retained after Brexit.
  • DPA 2018 = the UK Act that supplements the UK GDPR and covers gaps.

If you're a UK business processing UK residents' data, you must comply with the UK GDPR plus the DPA 2018. If you also process data of EU residents, you must additionally comply with the EU GDPR.

Key Differences Between the DPA 2018 and the EU GDPR

While the two regimes are around 95% identical in substance, the differences can have real operational consequences.

| Area | EU GDPR | UK DPA 2018 / UK GDPR |
| --- | --- | --- |
| Regulator | National supervisory authorities (e.g. CNIL, DPC) | Information Commissioner's Office (ICO) |
| Age of digital consent | 16 (member states may lower to 13) | 13 |
| Maximum fine | €20 million or 4% of global turnover | £17.5 million or 4% of global turnover |
| International transfers | EU adequacy decisions and SCCs | UK adequacy regulations and the UK IDTA |
| Law enforcement processing | Covered by the Law Enforcement Directive | Covered by Part 3 of the DPA 2018 |
| Intelligence services | Outside GDPR scope | Covered by Part 4 of the DPA 2018 |
| Representatives | Non-EU controllers may need an EU representative | Non-UK controllers targeting the UK may need a UK representative |

1. Regulator and enforcement

The ICO is the sole UK supervisory authority. Under the EU GDPR, you may deal with a lead supervisory authority in one member state under the "one-stop-shop" mechanism — but this no longer applies to the UK. UK companies with an EU presence will need to appoint or engage with an EU lead authority separately.

2. Age of consent for information society services

The DPA 2018 sets the age at which a child can consent to online services at 13. In many EU countries, this is 16 (though some, like Spain and Denmark, opted for 14). Anyone offering online services to children in both jurisdictions must accommodate the stricter of the two.

3. Fines expressed in pounds

The UK GDPR converts the maximum fines into sterling — £17.5 million or 4% of global annual turnover, whichever is higher. The ICO has been actively using these powers, including significant enforcement action against companies for cookie violations and unlawful marketing.

4. International data transfers

Post-Brexit, the UK and EU each maintain their own list of "adequate" countries. The UK has adopted a slightly more flexible approach with the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU Standard Contractual Clauses. Businesses transferring data from the UK to third countries need to use UK-approved mechanisms — EU SCCs alone are no longer enough.

5. Exemptions and derogations

The DPA 2018 contains a longer list of specific UK exemptions than the EU GDPR — for example, around immigration control, national security, and certain journalism activities. These exemptions have been challenged in UK courts and are periodically refined.

What UK Businesses Must Do in 2026

Compliance is not a one-off exercise. In practice, most UK organisations should treat the UK GDPR and DPA 2018 as a combined operational framework and layer in EU GDPR obligations where relevant.

A practical compliance checklist

  1. Map your data. Know what personal data you hold, where it comes from, where it goes, and how long you keep it.
  2. Confirm your lawful bases. For each processing activity, document which of the six lawful bases you rely on under Article 6.
  3. Update privacy notices. Ensure they meet the transparency requirements of Articles 13 and 14 of the UK GDPR.
  4. Review consent mechanisms. Cookie banners and marketing opt-ins must meet PECR and ICO guidance.
  5. Manage international transfers. Replace legacy EU SCCs with the UK IDTA or UK Addendum where you transfer data out of the UK.
  6. Handle data subject requests. Have a documented process to respond within one month.
  7. Prepare for breaches. Maintain an internal register and a 72-hour notification process to the ICO.
  8. Appoint a DPO if required. This is mandatory for public authorities and organisations doing large-scale monitoring or processing of special category data.
  9. Train your staff. Human error remains the most common source of data breaches.

Dual compliance: UK and EU

If your organisation processes data of both UK and EU residents, you effectively need to satisfy both regimes. In most cases this means:

  • Appointing a UK representative if you're based outside the UK but target UK users.
  • Appointing an EU representative if you're based outside the EU but target EU users.
  • Maintaining separate transfer mechanisms for UK-to-third-country and EU-to-third-country flows.
  • Coordinating with both the ICO and your EU lead supervisory authority for cross-border incidents.

Privacy and Security Beyond Legal Compliance

Regulations set the floor, not the ceiling. Genuinely protecting personal data requires solid technical practices: encryption in transit and at rest, strong access controls, least-privilege permissions, and minimising the data you collect in the first place.

Even seemingly minor tools can have privacy implications. Marketing links, tracking pixels, and shortened URLs often capture click data, referrer information, and approximate location. If you rely on shortened links for campaigns, choose a provider that is transparent about what it logs and how long it retains it. Privacy-conscious services like Lunyb aim to minimise tracking while still giving you the analytics you need — see our honest review of Lunyb for a detailed breakdown, or compare options in our 2026 buyer's guide to URL shorteners.

Technical measures that support compliance

  • Encrypted DNS and HTTPS everywhere: reduces the risk of network-level interception.
  • Multi-factor authentication: required for admin access to any system holding personal data.
  • Data minimisation by design: collect only what you need, and delete it when the purpose is served.
  • Pseudonymisation: where full data isn't needed, work with pseudonymised versions.
  • Regular audits and penetration testing: particularly for public-facing services.
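Data minimisation and pseudonymisation are the two measures above that show up most directly in code, and the click-log scenario from the previous section (tracking pixels and short links capturing click data, referrer and location) is a natural place to apply them. The following is an added example written for this guide; it is not Lunyb's code and does not describe how any real link shortener logs clicks. The click records, the secret key and the choice of /24 and /48 prefixes are all constructed for illustration. It pseudonymises the visitor identifier with a keyed hash (HMAC-SHA256) so that the key, stored separately from the analytics data, is the "additional information" that pseudonymisation depends on, coarsens IP addresses, strips referrer paths and query strings, and drops the user agent. It also shows why an unkeyed hash of an e-mail address is not a pseudonym: it can be matched against a list of candidate addresses.

```python
import hmac
import hashlib
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample records, shaped like what a campaign link might log
# before minimisation. Not real data.
RAW_CLICKS = [
    {
        "visitor_email": "alice@example.com",
        "ip": "203.0.113.57",
        "referrer": "https://social.example/post/123?utm_source=newsletter&uid=9981",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
    },
    {
        "visitor_email": " Alice@Example.com ",
        "ip": "2001:db8:abcd:1234:5678:9abc:def0:1",
        "referrer": "https://mail.example/inbox?msgid=42",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0",
    },
]

# Hypothetical key; in practice this lives in a secrets store, apart from the
# analytics database, and is rotated per retention period.
ANALYTICS_KEY = b"constructed-demo-key-do-not-use"


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. Shown only to demonstrate the weakness."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def guess_from_candidates(unkeyed_hash: str, candidates: list) -> str:
    """Why plain hashing is not pseudonymisation: anyone holding a list of
    candidate addresses can hash each one and recover the original.
    Returns the matching candidate or an empty string."""
    for candidate in candidates:
        if plain_hash(candidate) == unkeyed_hash:
            return candidate
    return ""


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 128 bits). The same input
    always yields the same pseudonym under one key, so analytics can count
    repeat visitors, but without the key the candidate-hashing shortcut
    above does not work. Normalisation makes case and whitespace variants
    of an address collapse to one pseudonym."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Coarsen an address to a network prefix: /24 for IPv4, /48 for IPv6.
    Enough for country- or region-level analytics, not enough to single out
    one subscriber. Prefix lengths are a constructed choice for this example."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def strip_referrer(url: str) -> str:
    """Keep scheme and host only. Paths and query strings routinely carry
    identifiers (message ids, user ids, campaign tokens) that are not needed
    to know which site sent the click."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def minimise_click(record: dict, key: bytes) -> dict:
    """Build the record that is actually retained. The raw e-mail address,
    full IP, full referrer and user agent never reach storage."""
    return {
        "visitor": pseudonymise(record["visitor_email"], key),
        "ip_prefix": truncate_ip(record["ip"]),
        "referrer_host": strip_referrer(record["referrer"]),
        # user agent dropped entirely; derive a browser family at ingest if needed
    }


if __name__ == "__main__":
    for raw in RAW_CLICKS:
        print(minimise_click(raw, ANALYTICS_KEY))
    leaked = plain_hash("alice@example.com")
    print("unkeyed hash recovered as:",
          guess_from_candidates(leaked, ["bob@example.com", "alice@example.com"]))
```

Two design points are worth noting. First, the pseudonym is only as good as the separation of the key from the data: if both are held by the same analytics pipeline with the same access controls, the record is still identifiable to that pipeline and should be treated as personal data. Second, the retained record no longer supports per-person profiling by user agent or exact IP, which is exactly the trade-off data minimisation asks you to make explicitly rather than by accident.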

Common Misunderstandings

"Brexit means GDPR no longer applies in the UK."

Wrong. The EU GDPR was retained as the UK GDPR. The rights and obligations are almost identical.

"The DPA 2018 replaced the GDPR in the UK."

Also wrong. The DPA 2018 supplements the UK GDPR — it doesn't replace it. You must comply with both.

"Small businesses are exempt."

There is no blanket small-business exemption. Some record-keeping obligations are lighter for organisations with fewer than 250 employees, but the core rules apply to everyone.

"We only need to worry about the ICO."

If you process EU residents' data, EU regulators can also take enforcement action against you, regardless of where you are based.

Looking Ahead: The Data (Use and Access) Act

The UK has been progressively reforming its data laws through the Data (Use and Access) Act and related legislation. Key themes include streamlining subject access requests, clarifying legitimate interests, adjusting cookie rules for low-risk analytics, and updating rules on automated decision-making. Organisations should keep an eye on ICO guidance updates, because operational obligations may shift even where the underlying principles remain the same.

The overarching direction is a UK regime that stays broadly aligned with the EU (to preserve adequacy) but that trims some of the more prescriptive requirements. Adequacy status is critical: if the EU ever decided the UK's regime had diverged too far, cross-border data flows would become significantly more complex.

Conclusion

The UK Data Protection Act 2018 and the GDPR are not rivals — they are two parts of a linked system. The EU GDPR governs processing of EU residents' data. The UK GDPR, sitting alongside the DPA 2018, governs UK processing. The differences are relatively narrow in principle but meaningful in practice: separate regulators, different transfer mechanisms, distinct fine currencies, and specific UK exemptions.

For any UK organisation in 2026, the winning strategy is the same as it always has been: know your data, document your reasoning, be transparent with users, and treat security as a first-class engineering concern rather than a compliance afterthought.

Frequently Asked Questions

Is the UK GDPR the same as the EU GDPR?

They are almost identical in substance. The UK GDPR is the version of the EU GDPR that was retained in UK law after Brexit. Fines are expressed in pounds, references to EU institutions have been swapped for UK equivalents, and the ICO is the sole regulator, but the core rights and obligations are the same.

Do UK businesses still need to comply with the EU GDPR?

Yes, if they offer goods or services to individuals in the EU, or monitor the behaviour of people in the EU. In those cases, you must comply with both the UK regime and the EU GDPR, and you may need to appoint an EU representative.

What is the maximum fine under the UK Data Protection Act?

The ICO can issue fines of up to £17.5 million or 4% of a company's global annual turnover, whichever is higher, for the most serious breaches of the UK GDPR and DPA 2018.

Does the DPA 2018 require a Data Protection Officer?

The requirement to appoint a DPO comes from the UK GDPR, not the DPA 2018 itself. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring or processing of special category data.

How should we handle data transfers from the UK to other countries?

You need a valid transfer mechanism — an adequacy regulation, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, binding corporate rules, or a specific derogation. You should also carry out a transfer risk assessment to check that the destination country provides an adequate level of protection in practice.
