facebook-pixel

UK Data Protection Act vs GDPR Explained: Key Differences in 2026

L
Lunyb Security Team
··10 min read

Since Brexit, UK businesses have had to navigate a slightly more complicated data protection landscape. Two frameworks now sit side by side: the UK Data Protection Act 2018 (DPA 2018) and the UK GDPR, with the EU GDPR still relevant for anyone handling personal data of EU residents. Understanding how these laws interact is essential for lawful marketing, analytics, link tracking, and customer data handling.

This guide breaks down the UK Data Protection Act vs GDPR debate in plain English, explains where each law applies, and gives you a practical compliance checklist you can act on this quarter.

What Is the UK Data Protection Act 2018?

The UK Data Protection Act 2018 is the primary piece of UK legislation governing how personal data is processed. It sits alongside the UK GDPR and effectively tailors the regulation to fit UK law, adding specific provisions for law enforcement, intelligence services, and areas the GDPR left to member states.

The DPA 2018 came into force on 25 May 2018, the same day as the EU GDPR. It was designed from the outset to work in tandem with GDPR, not to replace it. When people casually say "UK data protection law," they usually mean the combined framework of the DPA 2018 plus the UK GDPR.

Key components of the DPA 2018

  • Part 2: General processing (works with UK GDPR).
  • Part 3: Law enforcement processing.
  • Part 4: Intelligence services processing.
  • Part 5: The Information Commissioner's Office (ICO) and its enforcement powers.
  • Schedules: Detailed exemptions covering journalism, research, health, and national security.

What Is the GDPR (and the UK GDPR)?

The General Data Protection Regulation (GDPR) is an EU-wide law that came into effect in May 2018. It sets out rules for how organisations collect, store, use, and share personal data belonging to individuals in the European Economic Area (EEA).

After Brexit, the UK retained the GDPR in domestic law as the UK GDPR. It's almost identical in substance to the EU GDPR but has been amended to remove EU-specific references and give the UK government the ability to diverge over time.

Core GDPR principles

  1. Lawfulness, fairness, and transparency — people must know what you're doing with their data.
  2. Purpose limitation — collect data for specified, explicit reasons only.
  3. Data minimisation — collect only what you actually need.
  4. Accuracy — keep records up to date.
  5. Storage limitation — don't hoard data beyond its useful life.
  6. Integrity and confidentiality — secure the data properly.
  7. Accountability — be able to demonstrate compliance.

UK Data Protection Act vs GDPR: The Core Relationship

The most important thing to grasp is that the DPA 2018 and the UK GDPR are not competitors. They form a single, integrated data protection regime. The UK GDPR sets out the main principles and rights, while the DPA 2018 fills in the gaps, applies UK-specific derogations, and gives the ICO its enforcement teeth.

Think of it like this: the UK GDPR is the engine, and the DPA 2018 is the chassis that lets that engine run legally on UK roads.

Key Differences Between the DPA 2018 and UK GDPR

Although they work together, there are clear structural and substantive differences worth understanding.

AspectUK GDPRData Protection Act 2018
ScopeGeneral personal data processingGeneral + law enforcement + intelligence services
OriginRetained EU law (post-Brexit)UK Act of Parliament
FocusRights, principles, lawful basesExemptions, enforcement, national derogations
Age of consentSets minimum (16)Lowers UK digital consent to 13
Special category dataLists categoriesSets UK-specific conditions in Schedule 1
FinesSets maximumsEnforced by ICO under DPA powers
Criminal offencesNone directlyCreates offences (e.g. unlawful obtaining of data)

1. Age of digital consent

Under EU GDPR, the default age for a child to consent to online services is 16. The DPA 2018 lowered this to 13 in the UK — an important detail for anyone building apps, social platforms, or education products aimed at teens.

2. Criminal offences

The UK GDPR itself doesn't create criminal offences, but the DPA 2018 does. Section 170, for example, makes it a criminal offence to knowingly or recklessly obtain, disclose, or procure personal data without the controller's consent.

3. Exemptions and derogations

The DPA 2018 spells out exemptions the UK GDPR permits — for journalism, academic research, national security, immigration, and more. These are UK-specific and don't exist in identical form in the EU GDPR.

4. Law enforcement and intelligence

Parts 3 and 4 of the DPA 2018 cover data processing by police and intelligence agencies. The UK GDPR doesn't apply here — these areas have their own bespoke regime derived from the EU Law Enforcement Directive.

UK GDPR vs EU GDPR: What Changed After Brexit?

For most businesses, the differences between the UK GDPR and the EU GDPR are minimal in daily practice. However, a few structural changes matter:

  • Regulator: The ICO is now the sole UK supervisory authority; the EU "one-stop-shop" mechanism no longer applies.
  • International transfers: The UK maintains its own adequacy decisions and uses the UK International Data Transfer Agreement (IDTA) instead of the EU Standard Contractual Clauses (though the UK Addendum lets you use EU SCCs with a bolt-on).
  • Representatives: UK organisations without an EU establishment that target EU customers must appoint an EU representative, and vice versa.
  • Divergence potential: The UK can amend the UK GDPR over time. The Data (Use and Access) Act 2025 has already introduced targeted changes around research, cookies, and automated decision-making.

Who Needs to Comply?

Both laws apply broadly. You must comply if you:

  1. Are established in the UK and process personal data (regardless of where your customers are).
  2. Are outside the UK but offer goods or services to people in the UK.
  3. Monitor the behaviour of people in the UK (for example, through analytics, tracking pixels, or profiling).

Small businesses, sole traders, charities, and even individuals processing data outside a purely personal context are all in scope. There is no "small business exemption" — although some obligations (like appointing a Data Protection Officer) only apply above certain thresholds.

Individual Rights Under Both Frameworks

The rights available to UK data subjects sit inside the UK GDPR, with the DPA 2018 modifying how they apply in specific contexts.

  • Right to be informed — clear privacy notices.
  • Right of access — the well-known Subject Access Request (SAR).
  • Right to rectification — correct inaccurate data.
  • Right to erasure — the "right to be forgotten," with exceptions.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object — especially to direct marketing.
  • Rights around automated decision-making and profiling.

Organisations generally have one calendar month to respond to a rights request, extendable by two further months for complex cases.

Fines and Enforcement

The ICO enforces both the UK GDPR and the DPA 2018. Maximum fines mirror the EU GDPR structure:

TierMaximum FineExample Breaches
Standard maximum£8.7 million or 2% of global turnoverRecord-keeping, breach notification failures
Higher maximum£17.5 million or 4% of global turnoverBreach of principles, unlawful international transfers, ignoring rights

The ICO also has non-financial powers: reprimands, enforcement notices, audits, and public naming. In recent years, the regulator has increasingly favoured reprimands for public sector bodies and eye-catching fines for large-scale private sector failures.

Practical Compliance Checklist for UK Businesses

Here's a focused checklist you can walk through this month.

  1. Map your data. Know what personal data you hold, where it lives, and who has access.
  2. Document your lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interests, or public task).
  3. Update privacy notices to reflect UK GDPR language and reference the ICO, not EU authorities.
  4. Review cookie banners and tracking under PECR and UK GDPR — this includes tracking links, pixels, and analytics.
  5. Check international transfers and switch to the UK IDTA or the UK Addendum where needed.
  6. Test your breach response plan. You have 72 hours to notify the ICO of a reportable breach.
  7. Train staff annually on data handling, phishing, and SAR procedures.
  8. Vet processors — every third-party tool touching personal data needs a written contract with the required Article 28 clauses.

Where Link Shorteners and Tracking Fit In

Marketing teams often overlook that shortened URLs, tracking parameters, and click analytics can involve personal data — particularly when combined with identifiers like email addresses or customer IDs. Under UK GDPR, this means:

  • You need a lawful basis for tracking click behaviour tied to identifiable individuals.
  • Cookies and similar technologies used in redirect flows fall under PECR consent rules.
  • Your chosen link platform must offer a Data Processing Agreement (DPA) and clear information on data location.

Choosing a privacy-aware provider matters. Tools like Lunyb focus on clean, minimal-tracking short links, which can make it easier to keep marketing operations aligned with the data minimisation principle. For a broader look at options, see our 2026 URL shortener buyer's guide, our honest review of Lunyb, and our Rebrandly review which discusses enterprise features and data handling.

Common Misconceptions

"GDPR doesn't apply in the UK anymore."

False. The UK GDPR is UK law. Brexit didn't remove GDPR-style obligations; it re-anchored them in domestic legislation.

"The DPA 2018 replaced GDPR."

Also false. They work together. Reading one without the other gives you an incomplete picture.

"Only big companies need to worry."

Wrong. A one-person consultancy holding a mailing list is a data controller with obligations. Size affects proportionality of measures, not whether the law applies.

"Consent is always required."

No. Consent is one of six lawful bases. For many B2B and operational purposes, legitimate interests or contract will be more appropriate.

The Future: Data (Use and Access) Act and Beyond

The UK has been steadily tuning its data regime. The Data (Use and Access) Act 2025 introduced targeted reforms — notably around scientific research, easier cookie rules for low-risk analytics, and clearer routes for automated decision-making outside special category data. Expect further refinement, but the core UK GDPR + DPA 2018 structure is here to stay for the foreseeable future.

Frequently Asked Questions

Is the UK Data Protection Act the same as GDPR?

No. The DPA 2018 is a UK statute that works alongside the UK GDPR. The UK GDPR sets out the main principles, rights, and lawful bases, while the DPA 2018 adds UK-specific exemptions, creates criminal offences, and gives the ICO its enforcement powers.

Does UK GDPR still apply after Brexit?

Yes. The UK retained the GDPR in domestic law as the UK GDPR. It's substantively very similar to the EU GDPR, and UK organisations must comply. If you also handle data of EU residents, you must comply with the EU GDPR too.

What's the maximum fine under UK data protection law?

The higher tier maximum is £17.5 million or 4% of global annual turnover, whichever is greater. The standard tier caps at £8.7 million or 2% of turnover. The ICO also uses reprimands, enforcement notices, and audits alongside fines.

Do I need consent to send marketing emails in the UK?

Usually yes, under the Privacy and Electronic Communications Regulations (PECR). B2C marketing generally requires opt-in consent, while B2B and existing customers (soft opt-in) have narrower routes. The UK GDPR standard of consent — freely given, specific, informed, unambiguous — applies.

Do I need to appoint a Data Protection Officer?

You must appoint a DPO if you are a public authority, if your core activities involve large-scale regular monitoring of individuals, or if you process large volumes of special category data. Many smaller organisations don't need a formal DPO but still benefit from designating a data protection lead.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles