facebook-pixel

UK Data Protection Act vs GDPR Explained: Key Differences for 2026

L
Lunyb Security Team
··9 min read

Since Brexit, UK businesses have had to navigate two overlapping data protection regimes: the UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). While the two frameworks share the same DNA, they are no longer identical, and the differences matter for compliance, contracts and international data transfers.

This guide breaks down what each law actually is, how they interact, where they diverge, and what UK organisations need to do in 2026 to stay on the right side of both regulators.

Quick Definitions: DPA 2018, UK GDPR and EU GDPR

Before comparing them, it helps to understand that there are actually three instruments in play, not two. Getting the terminology right avoids most confusion.

EU GDPR

The EU General Data Protection Regulation (Regulation 2016/679) came into force on 25 May 2018. It applies directly across all EU/EEA member states and to any organisation worldwide that offers goods or services to, or monitors, individuals in the EU.

UK GDPR

After Brexit, the EU GDPR was retained in UK law as the "UK GDPR". It is largely a copy-and-paste of the EU version, with technical amendments to reflect that the UK is now a third country. It regulates the processing of personal data of individuals in the UK.

Data Protection Act 2018

The DPA 2018 is the UK statute that supplements the UK GDPR. It fills in the gaps the GDPR intentionally left to member states, covers areas the GDPR does not (such as law enforcement and intelligence services processing), and provides the enforcement powers used by the Information Commissioner's Office (ICO).

In short: in the UK, the UK GDPR and the DPA 2018 must be read together. They are not alternatives.

How the DPA 2018 and GDPR Fit Together

Think of the UK GDPR as the primary rulebook and the DPA 2018 as the UK-specific operating manual. The GDPR sets the principles, rights and obligations; the DPA 2018 tailors them for the UK legal system.

The DPA 2018 is structured in seven parts, but for most businesses only three matter:

  1. Part 2 – General processing, sitting alongside the UK GDPR.
  2. Part 3 – Law enforcement processing (implements the EU Law Enforcement Directive).
  3. Part 4 – Intelligence services processing.

Commercial organisations are almost always dealing with Part 2, which is where the interaction with the UK GDPR happens.

Key Differences Between the UK DPA 2018 and the EU GDPR

The practical differences between the UK regime (UK GDPR + DPA 2018) and the EU GDPR are relatively narrow but important. They cluster around age of consent, exemptions, enforcement and international transfers.

1. Age of Consent for Information Society Services

Under the EU GDPR, the default age of consent for online services is 16, though member states can lower it to 13. The UK has set this at 13 in the DPA 2018, making it one of the lowest ages in Europe.

2. National Security and Immigration Exemptions

The DPA 2018 contains broader exemptions than the EU GDPR, particularly for immigration control and national security. These have been challenged in UK courts and remain a point of divergence.

3. Enforcement Authority

In the UK, the ICO enforces both the UK GDPR and DPA 2018. In the EU, each member state has its own supervisory authority, with the European Data Protection Board coordinating between them.

4. International Data Transfers

The UK has its own adequacy decisions and its own version of Standard Contractual Clauses (the International Data Transfer Agreement, or IDTA, and the UK Addendum). Post-Brexit, transfers from the EU to the UK rely on the EU's adequacy decision for the UK, which is subject to periodic review.

5. Fines and Penalties

The maximum fines are structurally the same but expressed in different currencies. The UK GDPR caps fines at £17.5 million or 4% of global annual turnover, whichever is higher. The EU GDPR caps at €20 million or 4%.

Side-by-Side Comparison Table

Feature UK GDPR + DPA 2018 EU GDPR
Territorial scope Individuals in the UK Individuals in the EU/EEA
Regulator Information Commissioner's Office (ICO) National DPAs + EDPB
Age of digital consent 13 16 (default), can be lowered to 13
Maximum fine £17.5m or 4% global turnover €20m or 4% global turnover
Standard transfer tool IDTA or EU SCCs + UK Addendum EU Standard Contractual Clauses
Representative required? UK representative if based outside UK EU representative if based outside EU
Breach notification deadline 72 hours to ICO 72 hours to lead DPA
Immigration exemption Broader carve-out under DPA 2018 No equivalent

Core Principles That Are the Same

Despite the differences, both regimes share the same seven data protection principles. If you comply with one, you are 90% of the way to complying with the other.

  1. Lawfulness, fairness and transparency – processing must have a legal basis and be explained clearly.
  2. Purpose limitation – data collected for one purpose cannot be repurposed without justification.
  3. Data minimisation – only collect what is genuinely necessary.
  4. Accuracy – keep personal data up to date.
  5. Storage limitation – do not keep data longer than needed.
  6. Integrity and confidentiality – protect data with appropriate security.
  7. Accountability – be able to demonstrate compliance.

Individual Rights Under Both Regimes

Data subjects have essentially the same rights whether they are in the UK or the EU. The mechanics of exercising them are almost identical.

  • Right to be informed
  • Right of access (subject access request)
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

Response times are also aligned: organisations have one calendar month to respond to most rights requests, extendable by two further months for complex cases.

Who Needs to Comply With Both?

Many UK businesses assume that because they are in the UK, they only need to worry about the UK regime. That is often wrong.

You likely need to comply with both the UK GDPR and the EU GDPR if you:

  1. Offer goods or services (paid or free) to individuals in the EU/EEA.
  2. Monitor the behaviour of individuals in the EU/EEA (e.g. tracking cookies, analytics on EU visitors).
  3. Have EU customers, EU employees, or an EU establishment.
  4. Process personal data on behalf of controllers based in the EU.

If any of the above apply, you may also need to appoint an EU representative under Article 27 of the EU GDPR, and separately a UK representative if you are based outside the UK but target UK customers.

International Data Transfers After Brexit

This is one of the areas where the UK and EU regimes diverge most in practice.

UK to EU Transfers

The UK government has determined that the EU/EEA provides adequate protection, so transfers from the UK to the EU can flow freely without additional safeguards.

EU to UK Transfers

The European Commission granted the UK an adequacy decision in June 2021, which was renewed in 2025. This allows EU-to-UK transfers to continue without SCCs, but the decision is under continuous review and could be revoked if UK data protection standards diverge too far.

UK to "Third Countries"

For transfers from the UK to countries without a UK adequacy decision (such as many non-EU jurisdictions), organisations must use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a transfer risk assessment (TRA).

Practical Compliance Checklist for UK Businesses in 2026

Here is a practical checklist to help align your operations with both the DPA 2018 and UK GDPR, and by extension the EU GDPR where relevant.

  1. Map your data. Know what personal data you hold, where it lives, and who you share it with.
  2. Identify your lawful bases. Document a lawful basis under Article 6 (and Article 9 for special category data) for each processing activity.
  3. Update privacy notices. Make sure they reference UK GDPR and DPA 2018, and disclose international transfers.
  4. Review data processor contracts. Ensure Article 28 clauses are in place with all vendors.
  5. Implement transfer safeguards. Use IDTA or the UK Addendum where required, and complete transfer risk assessments.
  6. Prepare for subject rights requests. Have a documented workflow to respond within one month.
  7. Train staff. Ensure everyone handling personal data understands their obligations.
  8. Maintain a breach response plan. The 72-hour ICO notification clock is unforgiving.
  9. Review cookies and tracking. PECR still applies in the UK alongside the UK GDPR.
  10. Audit your tools. Any URL shortener, analytics platform or marketing tool that touches personal data is in scope. Privacy-focused services like Lunyb can help minimise the personal data footprint of shared links compared to trackers that harvest extensive visitor profiles.

Enforcement Trends: What the ICO Is Focused On

The ICO has signalled clear enforcement priorities for 2025–2026, including:

  • AI and automated decision-making transparency
  • Children's data and age assurance
  • Cookie compliance on the UK's top websites
  • Adtech and real-time bidding
  • Cyber security failures leading to breaches

Fines have been rising steadily, and reputational damage from ICO reprimands can be as painful as the monetary penalty itself. Compliance is now a board-level issue, not just an IT or legal task.

Common Misconceptions

"Brexit means GDPR no longer applies in the UK."

False. The UK GDPR is essentially the EU GDPR retained in domestic law. It is fully in force.

"The DPA 2018 replaced GDPR in the UK."

False. The DPA 2018 sits alongside the UK GDPR. Both apply simultaneously.

"Small businesses are exempt."

Largely false. There is no small-business exemption from the substantive rules. The old £40 fee registration exemption for very small operators does not affect compliance obligations.

"We only process business contact data, so we're fine."

Not necessarily. Business contact data about identifiable individuals (like their work email) is still personal data.

Related Reading

If you found this guide useful, you may also want to check:

Frequently Asked Questions

Is the UK GDPR the same as the EU GDPR?

Almost, but not exactly. The UK GDPR is a retained version of the EU GDPR with technical amendments to work in UK law. The core principles, rights and obligations are effectively identical, but enforcement, transfer rules and some exemptions differ.

Do I need to comply with both UK and EU GDPR?

Yes, if you offer goods or services to, or monitor, individuals in both the UK and the EU/EEA. Many UK businesses with any EU customers, employees or website visitors from the EU are dual-regulated.

What is the maximum fine under the UK Data Protection Act 2018?

The higher tier of fines under the UK GDPR (enforced via the DPA 2018) is £17.5 million or 4% of global annual turnover, whichever is greater. Lower-tier breaches are capped at £8.7 million or 2% of turnover.

Who enforces data protection law in the UK?

The Information Commissioner's Office (ICO) is the sole UK supervisory authority. It has powers to investigate, issue enforcement notices, impose fines and prosecute criminal offences under the DPA 2018.

Does the DPA 2018 apply to CCTV and workplace monitoring?

Yes. Any processing of personal data — including CCTV footage, employee monitoring, biometric access controls and call recordings — falls under the UK GDPR and DPA 2018. Employers need a lawful basis, transparency, and often a Data Protection Impact Assessment.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles