facebook-pixel

UK Data Protection Act vs GDPR Explained: A 2026 Compliance Guide

L
Lunyb Security Team
··9 min read

Since Brexit, one of the most common questions British organisations ask is whether they still need to follow the GDPR, or whether the UK Data Protection Act now stands alone. The short answer is that both frameworks apply in overlapping ways, and understanding how they interact is essential for lawful data handling in 2026.

This guide breaks down the UK Data Protection Act vs GDPR in plain English, covering scope, definitions, individual rights, enforcement, and the practical steps organisations must take to remain compliant on both sides of the Channel.

The Short Definition: UK DPA 2018 and GDPR at a Glance

The UK Data Protection Act 2018 (DPA 2018) is the primary piece of UK legislation governing the processing of personal data. The General Data Protection Regulation (GDPR) is the EU regulation that established a harmonised data protection standard across all EU/EEA member states in May 2018.

After Brexit, the UK adopted a domestic version called the UK GDPR, which sits alongside the DPA 2018. The EU GDPR still applies to UK organisations that offer goods or services to individuals in the EU, or monitor their behaviour.

A Brief History: How We Got Here

To understand the relationship, it helps to look at the timeline:

  1. 1998 — The original UK Data Protection Act was passed, implementing the earlier EU Data Protection Directive.
  2. 25 May 2018 — The EU GDPR came into force, replacing the 1995 Directive.
  3. 23 May 2018 — The UK Data Protection Act 2018 received Royal Assent, tailoring GDPR provisions for UK law and adding domestic rules.
  4. 31 January 2020 — The UK formally left the EU, entering a transition period.
  5. 1 January 2021 — The UK GDPR came into effect, mirroring EU GDPR but with the UK as the geographic reference point.
  6. 2023–2026 — The Data Protection and Digital Information Bill has been debated to reform aspects of UK data law, though core principles remain aligned with GDPR.

Key Similarities Between the DPA 2018 and GDPR

Because the DPA 2018 was drafted to work alongside the GDPR, the two frameworks share most core concepts. This is intentional — the UK wanted continuity for businesses and to secure an EU adequacy decision, which was granted in June 2021.

Shared Principles

Both regulations require personal data to be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept in a form permitting identification for no longer than necessary
  • Processed in a manner that ensures appropriate security

Shared Individual Rights

Data subjects enjoy the same eight rights under both frameworks: the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making.

Key Differences Between the UK DPA 2018 and the EU GDPR

Although the frameworks are highly aligned, meaningful differences do exist. These matter especially for organisations operating cross-border.

AspectUK DPA 2018 / UK GDPREU GDPR
Geographic scopeUnited KingdomEU/EEA member states
RegulatorInformation Commissioner's Office (ICO)National DPAs (e.g. CNIL, BfDI) + EDPB
Age of consent (children)13 years16 (member states can lower to 13)
Maximum fine (higher tier)£17.5 million or 4% of global turnover€20 million or 4% of global turnover
Law enforcement processingGoverned by Part 3 of DPA 2018Governed by separate Law Enforcement Directive
Intelligence servicesGoverned by Part 4 of DPA 2018Outside scope of GDPR
International transfersUK adequacy list + IDTA / UK AddendumEU adequacy decisions + SCCs
Representative requirementUK representative for non-UK controllersEU representative for non-EU controllers

Structural Difference: What the DPA 2018 Adds

The DPA 2018 is broader than just GDPR implementation. It is divided into seven parts:

  1. Part 1 — Preliminary provisions
  2. Part 2 — General processing (this is where UK GDPR sits)
  3. Part 3 — Law enforcement processing
  4. Part 4 — Intelligence services processing
  5. Part 5 — The Information Commissioner
  6. Part 6 — Enforcement
  7. Part 7 — Supplementary and final provisions

Parts 3 and 4 address areas the EU GDPR does not cover directly, which is why the DPA is essential even for organisations already familiar with GDPR.

The UK GDPR: A Third Framework to Know

The UK GDPR is essentially the EU GDPR text as retained in UK law after Brexit, with references to EU institutions replaced by UK equivalents. It functions through the DPA 2018 rather than as a separate act.

In practice, this means:

  • UK GDPR sets the substantive rules (principles, rights, obligations)
  • DPA 2018 provides the domestic legal machinery (exemptions, offences, ICO powers)
  • Together they form the UK's general data protection regime

Territorial Scope: When Does Each Law Apply?

UK GDPR / DPA 2018 Applies When:

  • Your organisation is established in the UK and processes personal data (regardless of where the processing happens)
  • You are outside the UK but offer goods or services to individuals in the UK
  • You are outside the UK but monitor the behaviour of individuals in the UK

EU GDPR Applies When:

  • Your organisation is established in the EU/EEA
  • You are outside the EU but offer goods or services to individuals in the EU
  • You are outside the EU but monitor behaviour of EU-based individuals

A UK-based e-commerce shop selling to French and German customers, for example, must comply with both UK GDPR and EU GDPR simultaneously.

Penalties and Enforcement

Both regimes use a two-tier fine structure, but the amounts differ slightly due to currency.

UK Enforcement

The Information Commissioner's Office (ICO) can issue:

  • Standard maximum fine: £8.7 million or 2% of global annual turnover, whichever is higher
  • Higher maximum fine: £17.5 million or 4% of global annual turnover, whichever is higher
  • Enforcement notices, assessment notices, and information notices
  • Criminal prosecution for offences such as unlawful obtaining of personal data

EU Enforcement

National DPAs can issue equivalent fines in euros (up to €10m/2% and €20m/4%), coordinated through the European Data Protection Board (EDPB) for cross-border cases via the one-stop-shop mechanism — a mechanism the UK is no longer part of.

International Data Transfers After Brexit

This is the area where the DPA/UK GDPR and EU GDPR diverge most operationally.

Transfers from the UK

To transfer personal data from the UK to a third country, organisations must rely on:

  1. A UK adequacy regulation (the EU/EEA is currently covered)
  2. The International Data Transfer Agreement (IDTA)
  3. The UK Addendum to the EU Standard Contractual Clauses
  4. Binding Corporate Rules approved by the ICO
  5. A specific derogation under Article 49

Transfers from the EU to the UK

The EU granted the UK adequacy in June 2021, meaning EU-to-UK transfers can flow without additional safeguards. This decision is due for renewal in June 2025 and again in 2027 — a source of ongoing regulatory uncertainty.

Practical Compliance Steps for UK Organisations

If you handle personal data in the UK, particularly customer or employee data collected through websites, marketing links, or analytics platforms, take the following steps:

  1. Map your data flows. Document what personal data you collect, where it is stored, and who it is shared with.
  2. Identify your lawful bases. Every processing activity needs a lawful basis under Article 6 (and Article 9 for special category data).
  3. Update privacy notices. Reference both UK GDPR and, where relevant, EU GDPR.
  4. Review vendor contracts. Ensure Article 28 processor terms are in place and reflect UK requirements.
  5. Address international transfers. Use the IDTA or UK Addendum where transferring outside the UK.
  6. Appoint representatives if needed. Non-UK organisations processing UK data may need a UK representative; UK organisations processing EU data may need an EU representative.
  7. Train staff and document accountability. The accountability principle means you must be able to demonstrate compliance, not just claim it.

Data Minimisation in Everyday Tools

Compliance does not stop at policy documents. The tools you use for marketing, analytics, and link management can also create personal data — IP addresses, referrer strings, timestamps, and device information are all in scope.

When choosing services like link shorteners, prefer providers that minimise data collection, offer clear retention settings, and let you control what analytics are captured. Privacy-aware platforms such as Lunyb are designed with data minimisation in mind, which reduces the compliance burden compared with heavier analytics-first alternatives. For a broader look at options, see our 2026 buyer's guide to URL shorteners or the Rebrandly review for a competitor comparison.

The Future: UK Data Reform

The UK Government has signalled its intention to diverge somewhat from the EU model through the Data Protection and Digital Information Bill (and successor proposals). Anticipated changes include:

  • A slightly narrower definition of personal data in some contexts
  • Reduced record-keeping requirements for smaller organisations
  • Reform of the ICO's governance structure
  • New rules on automated decision-making
  • Streamlined international transfer mechanisms

Any significant divergence risks the EU adequacy decision, so reforms have so far been cautious. Organisations should monitor developments but not assume that GDPR-style obligations are going away.

Which Framework Do You Need to Follow?

To summarise the practical position for 2026:

  • UK-only operations: Follow the UK GDPR and DPA 2018.
  • UK + EU operations: Comply with both the UK GDPR/DPA 2018 and the EU GDPR.
  • Non-UK organisation targeting UK customers: UK GDPR/DPA 2018 applies extraterritorially; appoint a UK representative.
  • Non-EU organisation targeting EU customers: EU GDPR applies; appoint an EU representative.

Frequently Asked Questions

Is the UK still under GDPR after Brexit?

Yes. The UK retained the GDPR in domestic law as the "UK GDPR" from 1 January 2021. It operates alongside the Data Protection Act 2018. UK organisations must comply with UK GDPR, and if they process data of individuals in the EU, they must also comply with the EU GDPR.

What is the main difference between the DPA 2018 and the UK GDPR?

The UK GDPR sets out the core data protection principles, rights, and obligations. The DPA 2018 is the enabling UK statute that gives the UK GDPR legal effect, adds exemptions, and covers areas outside the UK GDPR's scope — most notably law enforcement processing (Part 3) and intelligence services processing (Part 4).

Do I need to comply with both UK GDPR and EU GDPR?

If your organisation is established in the UK and offers goods or services to, or monitors, individuals in the EU/EEA, yes — both regimes apply simultaneously. You may need to appoint an EU representative and use appropriate transfer mechanisms for data moving between the two jurisdictions.

What are the maximum fines under the UK Data Protection Act?

The ICO can impose fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious breaches, such as violations of core principles or data subject rights. Lesser breaches carry a maximum fine of £8.7 million or 2% of global turnover.

Does the DPA 2018 apply to small businesses?

Yes. There is no general small-business exemption. However, some obligations — such as maintaining records of processing activities under Article 30 — have limited exemptions for organisations with fewer than 250 employees, provided processing is occasional and low-risk. All core principles and data subject rights still apply.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles