UK Data Protection Act vs GDPR Explained: Key Differences for 2026
Since Brexit, UK businesses have had to navigate two overlapping data protection regimes: the UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). While the two frameworks share the same DNA, they are no longer identical, and the differences matter for compliance, contracts and international data transfers.
This guide breaks down what each law actually is, how they interact, where they diverge, and what UK organisations need to do in 2026 to stay on the right side of both regulators.
Quick Definitions: DPA 2018, UK GDPR and EU GDPR
Before comparing them, it helps to understand that there are actually three instruments in play, not two. Getting the terminology right avoids most confusion.
EU GDPR
The EU General Data Protection Regulation (Regulation 2016/679) came into force on 25 May 2018. It applies directly across all EU/EEA member states and to any organisation worldwide that offers goods or services to, or monitors, individuals in the EU.
UK GDPR
After Brexit, the EU GDPR was retained in UK law as the "UK GDPR". It is largely a copy-and-paste of the EU version, with technical amendments to reflect that the UK is now a third country. It regulates the processing of personal data of individuals in the UK.
Data Protection Act 2018
The DPA 2018 is the UK statute that supplements the UK GDPR. It fills in the gaps the GDPR intentionally left to member states, covers areas the GDPR does not (such as law enforcement and intelligence services processing), and provides the enforcement powers used by the Information Commissioner's Office (ICO).
In short: in the UK, the UK GDPR and the DPA 2018 must be read together. They are not alternatives.
How the DPA 2018 and GDPR Fit Together
Think of the UK GDPR as the primary rulebook and the DPA 2018 as the UK-specific operating manual. The GDPR sets the principles, rights and obligations; the DPA 2018 tailors them for the UK legal system.
The DPA 2018 is structured in seven parts, but for most businesses only three matter:
- Part 2 – General processing, sitting alongside the UK GDPR.
- Part 3 – Law enforcement processing (implements the EU Law Enforcement Directive).
- Part 4 – Intelligence services processing.
Commercial organisations are almost always dealing with Part 2, which is where the interaction with the UK GDPR happens.
Key Differences Between the UK DPA 2018 and the EU GDPR
The practical differences between the UK regime (UK GDPR + DPA 2018) and the EU GDPR are relatively narrow but important. They cluster around age of consent, exemptions, enforcement and international transfers.
1. Age of Consent for Information Society Services
Under the EU GDPR, the default age of consent for online services is 16, though member states can lower it to 13. The UK has set this at 13 in the DPA 2018, making it one of the lowest ages in Europe.
2. National Security and Immigration Exemptions
The DPA 2018 contains broader exemptions than the EU GDPR, particularly for immigration control and national security. These have been challenged in UK courts and remain a point of divergence.
3. Enforcement Authority
In the UK, the ICO enforces both the UK GDPR and DPA 2018. In the EU, each member state has its own supervisory authority, with the European Data Protection Board coordinating between them.
4. International Data Transfers
The UK has its own adequacy decisions and its own version of Standard Contractual Clauses (the International Data Transfer Agreement, or IDTA, and the UK Addendum). Post-Brexit, transfers from the EU to the UK rely on the EU's adequacy decision for the UK, which is subject to periodic review.
5. Fines and Penalties
The maximum fines are structurally the same but expressed in different currencies. The UK GDPR caps fines at £17.5 million or 4% of global annual turnover, whichever is higher. The EU GDPR caps at €20 million or 4%.
Side-by-Side Comparison Table
| Feature | UK GDPR + DPA 2018 | EU GDPR |
|---|---|---|
| Territorial scope | Individuals in the UK | Individuals in the EU/EEA |
| Regulator | Information Commissioner's Office (ICO) | National DPAs + EDPB |
| Age of digital consent | 13 | 16 (default), can be lowered to 13 |
| Maximum fine | £17.5m or 4% global turnover | €20m or 4% global turnover |
| Standard transfer tool | IDTA or EU SCCs + UK Addendum | EU Standard Contractual Clauses |
| Representative required? | UK representative if based outside UK | EU representative if based outside EU |
| Breach notification deadline | 72 hours to ICO | 72 hours to lead DPA |
| Immigration exemption | Broader carve-out under DPA 2018 | No equivalent |
Core Principles That Are the Same
Despite the differences, both regimes share the same seven data protection principles. If you comply with one, you are 90% of the way to complying with the other.
- Lawfulness, fairness and transparency – processing must have a legal basis and be explained clearly.
- Purpose limitation – data collected for one purpose cannot be repurposed without justification.
- Data minimisation – only collect what is genuinely necessary.
- Accuracy – keep personal data up to date.
- Storage limitation – do not keep data longer than needed.
- Integrity and confidentiality – protect data with appropriate security.
- Accountability – be able to demonstrate compliance.
Individual Rights Under Both Regimes
Data subjects have essentially the same rights whether they are in the UK or the EU. The mechanics of exercising them are almost identical.
- Right to be informed
- Right of access (subject access request)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Response times are also aligned: organisations have one calendar month to respond to most rights requests, extendable by two further months for complex cases.
Who Needs to Comply With Both?
Many UK businesses assume that because they are in the UK, they only need to worry about the UK regime. That is often wrong.
You likely need to comply with both the UK GDPR and the EU GDPR if you:
- Offer goods or services (paid or free) to individuals in the EU/EEA.
- Monitor the behaviour of individuals in the EU/EEA (e.g. tracking cookies, analytics on EU visitors).
- Have EU customers, EU employees, or an EU establishment.
- Process personal data on behalf of controllers based in the EU.
If any of the above apply, you may also need to appoint an EU representative under Article 27 of the EU GDPR, and separately a UK representative if you are based outside the UK but target UK customers.
International Data Transfers After Brexit
This is one of the areas where the UK and EU regimes diverge most in practice.
UK to EU Transfers
The UK government has determined that the EU/EEA provides adequate protection, so transfers from the UK to the EU can flow freely without additional safeguards.
EU to UK Transfers
The European Commission granted the UK an adequacy decision in June 2021, which was renewed in 2025. This allows EU-to-UK transfers to continue without SCCs, but the decision is under continuous review and could be revoked if UK data protection standards diverge too far.
UK to "Third Countries"
For transfers from the UK to countries without a UK adequacy decision (such as many non-EU jurisdictions), organisations must use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a transfer risk assessment (TRA).
Practical Compliance Checklist for UK Businesses in 2026
Here is a practical checklist to help align your operations with both the DPA 2018 and UK GDPR, and by extension the EU GDPR where relevant.
- Map your data. Know what personal data you hold, where it lives, and who you share it with.
- Identify your lawful bases. Document a lawful basis under Article 6 (and Article 9 for special category data) for each processing activity.
- Update privacy notices. Make sure they reference UK GDPR and DPA 2018, and disclose international transfers.
- Review data processor contracts. Ensure Article 28 clauses are in place with all vendors.
- Implement transfer safeguards. Use IDTA or the UK Addendum where required, and complete transfer risk assessments.
- Prepare for subject rights requests. Have a documented workflow to respond within one month.
- Train staff. Ensure everyone handling personal data understands their obligations.
- Maintain a breach response plan. The 72-hour ICO notification clock is unforgiving.
- Review cookies and tracking. PECR still applies in the UK alongside the UK GDPR.
- Audit your tools. Any URL shortener, analytics platform or marketing tool that touches personal data is in scope. Privacy-focused services like Lunyb can help minimise the personal data footprint of shared links compared to trackers that harvest extensive visitor profiles.
Enforcement Trends: What the ICO Is Focused On
The ICO has signalled clear enforcement priorities for 2025–2026, including:
- AI and automated decision-making transparency
- Children's data and age assurance
- Cookie compliance on the UK's top websites
- Adtech and real-time bidding
- Cyber security failures leading to breaches
Fines have been rising steadily, and reputational damage from ICO reprimands can be as painful as the monetary penalty itself. Compliance is now a board-level issue, not just an IT or legal task.
Common Misconceptions
"Brexit means GDPR no longer applies in the UK."
False. The UK GDPR is essentially the EU GDPR retained in domestic law. It is fully in force.
"The DPA 2018 replaced GDPR in the UK."
False. The DPA 2018 sits alongside the UK GDPR. Both apply simultaneously.
"Small businesses are exempt."
Largely false. There is no small-business exemption from the substantive rules. The old £40 fee registration exemption for very small operators does not affect compliance obligations.
"We only process business contact data, so we're fine."
Not necessarily. Business contact data about identifiable individuals (like their work email) is still personal data.
Related Reading
If you found this guide useful, you may also want to check:
- Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide
- Is Lunyb Legit? An Honest Review of the URL Shortener in 2026
- Rebrandly Review 2026: Is It Worth the Price?
Frequently Asked Questions
Is the UK GDPR the same as the EU GDPR?
Almost, but not exactly. The UK GDPR is a retained version of the EU GDPR with technical amendments to work in UK law. The core principles, rights and obligations are effectively identical, but enforcement, transfer rules and some exemptions differ.
Do I need to comply with both UK and EU GDPR?
Yes, if you offer goods or services to, or monitor, individuals in both the UK and the EU/EEA. Many UK businesses with any EU customers, employees or website visitors from the EU are dual-regulated.
What is the maximum fine under the UK Data Protection Act 2018?
The higher tier of fines under the UK GDPR (enforced via the DPA 2018) is £17.5 million or 4% of global annual turnover, whichever is greater. Lower-tier breaches are capped at £8.7 million or 2% of turnover.
Who enforces data protection law in the UK?
The Information Commissioner's Office (ICO) is the sole UK supervisory authority. It has powers to investigate, issue enforcement notices, impose fines and prosecute criminal offences under the DPA 2018.
Does the DPA 2018 apply to CCTV and workplace monitoring?
Yes. Any processing of personal data — including CCTV footage, employee monitoring, biometric access controls and call recordings — falls under the UK GDPR and DPA 2018. Employers need a lawful basis, transparency, and often a Data Protection Impact Assessment.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, breach reporting, and penalties. This guide compares Canada's PIPEDA with the EU's GDPR and explains what Canadian businesses need to do to stay compliant with both.
How Canadian Businesses Should Handle Data Privacy in 2026
Canadian businesses face a rapidly evolving privacy landscape shaped by PIPEDA, Quebec's Law 25, and Bill C-27. This practical 2026 guide walks through compliance essentials, breach response, cross-border transfers, and a 90-day action plan.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
ICO enforcement in 2026 has reached record levels, with multi-million-pound fines targeting ransomware failures, AI recruitment tools, and deceptive cookie banners. This guide breaks down the biggest UK data protection penalties of the year and gives businesses a practical checklist to avoid becoming the next case study.
Australia Privacy Act 2026: Your Rights Explained
The Australia Privacy Act 2026 delivers the biggest overhaul of national data protection law in decades. Learn your new rights, the tougher penalties for businesses, and the practical steps individuals and organisations should take this year.