facebook-pixel

UK Data Protection Act vs GDPR Explained: Key Differences for 2026

L
Lunyb Security Team
··11 min read

If you run a website, process customer data or market to people in the United Kingdom or the European Union, you have almost certainly heard of both the UK Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR). The two frameworks are closely related, share most of their DNA, and yet they are not identical. Since Brexit, the UK has operated its own version of the GDPR alongside the DPA 2018, and understanding how the pieces fit together is essential for lawful data processing.

This guide breaks down the UK Data Protection Act vs GDPR in plain English: what each law does, where they overlap, where they diverge, who enforces them, and what UK organisations actually need to do in 2026.

Quick Definitions: DPA 2018, UK GDPR and EU GDPR

Before comparing them, it helps to define the three instruments people usually mix up.

  • EU GDPR – The General Data Protection Regulation (Regulation (EU) 2016/679), applied across the European Economic Area from 25 May 2018.
  • UK GDPR – The retained UK version of the GDPR that took effect on 1 January 2021 after Brexit. It mirrors the EU GDPR but is enforced under UK law.
  • Data Protection Act 2018 (DPA 2018) – A UK statute that sits alongside the UK GDPR. It fills in gaps the GDPR leaves to member states, and covers areas the GDPR doesn't (like law enforcement and intelligence services processing).

In short: in the UK, the DPA 2018 and the UK GDPR are read together. When people ask about "the UK Data Protection Act vs GDPR", they usually mean the UK GDPR + DPA 2018 combination compared against the original EU GDPR.

How the UK Data Protection Act 2018 and GDPR Work Together

The DPA 2018 does not replace the GDPR in the UK — it supplements it. Think of the UK GDPR as the main rulebook, and the DPA 2018 as the UK-specific appendix.

What the UK GDPR covers

The UK GDPR sets out the core data protection principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality and accountability. It also defines the rights of individuals (access, rectification, erasure, portability, objection and more) and the obligations of controllers and processors.

What the DPA 2018 adds

The DPA 2018 is structured in seven parts and does several things the GDPR alone cannot:

  1. Applies UK-specific derogations (for example, the age of consent for information society services is 13 in the UK, versus 16 by default in the EU).
  2. Governs law enforcement processing (Part 3), transposing the EU Law Enforcement Directive.
  3. Governs intelligence services processing (Part 4).
  4. Sets out the powers, duties and enforcement regime of the Information Commissioner's Office (ICO).
  5. Creates specific criminal offences, such as unlawfully obtaining personal data.

UK Data Protection Act vs GDPR: Side-by-Side Comparison

The table below summarises the practical differences most UK businesses care about.

FeatureEU GDPRUK GDPR + DPA 2018
Territorial scopeEEA-based controllers/processors, plus non-EEA orgs targeting EEA residentsUK-based controllers/processors, plus non-UK orgs targeting UK residents
Lead regulatorRelevant EU supervisory authority (one-stop-shop)Information Commissioner's Office (ICO)
Age of digital consent16 (member states may lower to 13)13
Maximum fine€20 million or 4% of global annual turnover£17.5 million or 4% of global annual turnover
International data transfersEU adequacy decisions, SCCs, BCRsUK adequacy regulations, UK IDTA, UK Addendum to EU SCCs
Law enforcement processingGoverned by separate Law Enforcement DirectiveDirectly included in DPA 2018 Part 3
Intelligence servicesOutside GDPR scopeCovered by DPA 2018 Part 4
Representative requirementNon-EEA orgs targeting EEA need an EU representativeNon-UK orgs targeting UK need a UK representative
Breach notification72 hours to supervisory authority72 hours to the ICO

Key Differences Explained

1. Territorial scope and "targeting"

Both laws apply extraterritorially. The difference is which residents they protect. If your website markets to consumers in both London and Berlin, you almost certainly need to comply with both the UK GDPR/DPA 2018 and the EU GDPR. A shop in Manchester selling only to UK customers generally only needs to comply with the UK regime — but the moment it ships to Ireland or France, EU GDPR applies too.

2. Enforcement and fines

The ICO enforces the UK regime. Under the EU GDPR, enforcement is handled by the supervisory authority in the country where the controller has its main establishment (the "one-stop-shop" mechanism). After Brexit, UK organisations lost access to this one-stop-shop, meaning EU-facing UK businesses may face multiple EU regulators.

Fine ceilings are functionally equivalent — €20m/4% in the EU and £17.5m/4% in the UK — but they are calculated independently. In theory, a serious cross-border breach could attract fines under both regimes.

3. Age of consent for online services

The UK set the age of digital consent at 13, one of the lowest in Europe. Many EU member states set it at 16. If you run a service popular with teenagers, this matters for how you design sign-up flows, parental consent and age assurance.

4. International data transfers

This is where post-Brexit divergence bites hardest. The UK has its own list of "adequate" countries (largely inherited from the EU but now maintained separately), its own International Data Transfer Agreement (IDTA), and a UK Addendum that can be bolted onto the EU Standard Contractual Clauses. Data flows between the UK and the EEA are currently permitted under an EU adequacy decision granted in 2021, but that decision is subject to periodic review.

5. Exemptions and derogations

The DPA 2018 contains specific UK exemptions — for journalism, research, immigration control, national security and more. Several have been legally challenged (notably the immigration exemption), so organisations relying on them should track case law carefully.

Compliance Duties That Apply Under Both Regimes

Despite the differences, the day-to-day compliance obligations look remarkably similar. If you already meet EU GDPR requirements, you are 90% of the way to UK compliance and vice versa.

Core obligations

  1. Have a lawful basis for every processing activity (consent, contract, legal obligation, vital interests, public task or legitimate interests).
  2. Publish a clear privacy notice explaining what data you collect, why, how long you keep it and who you share it with.
  3. Honour data subject rights — access, rectification, erasure, restriction, portability and objection — usually within one month.
  4. Maintain records of processing activities (ROPAs) if you have 250+ employees or process sensitive data.
  5. Carry out Data Protection Impact Assessments (DPIAs) for high-risk processing such as large-scale profiling or biometric identification.
  6. Appoint a Data Protection Officer (DPO) if you are a public authority or your core activities involve large-scale monitoring or special category data.
  7. Report qualifying breaches to the ICO within 72 hours, and notify affected individuals when the risk to them is high.
  8. Use appropriate technical and organisational measures — encryption, access controls, pseudonymisation, staff training.

Practical Steps for UK Businesses in 2026

Whether you're a solo founder, a marketing team or a large enterprise, the following checklist helps you stay on the right side of both regimes.

1. Map your data flows

You cannot protect what you cannot see. Document every category of personal data you process, where it comes from, where it is stored, who it is shared with, and where it goes internationally. Pay special attention to third-party tools — analytics, CRM, email marketing, link tracking and advertising pixels.

2. Audit your third-party tools

Every SaaS vendor that touches personal data is a processor and needs a data processing agreement (DPA) in place. When choosing tools for tracking marketing links, for example, favour providers that publish transparent privacy policies, host data in the UK or EEA, and offer clear DPAs. Privacy-respecting URL shorteners such as Lunyb minimise the personal data collected on link clicks, which reduces your compliance surface area. See our honest review of Lunyb and our wider 2026 buyer's guide to URL shorteners for more detail.

3. Refresh your privacy notice

Since Brexit, the identity of the lead regulator has changed for UK-only organisations, and international transfer language needs updating to reference the UK IDTA where relevant. Check that your privacy notice names the ICO, describes both UK and EU rights where applicable, and lists your representative in the other jurisdiction if you need one.

4. Get transfer mechanisms right

If you send UK personal data outside the UK to a non-adequate country, you need the IDTA, the UK Addendum to the EU SCCs, or another approved mechanism, plus a transfer risk assessment. The same logic applies in reverse for EEA-to-third-country flows.

5. Train your team

Most data breaches come from human error — a misdirected email, a lost laptop, a phishing click. Annual training that covers the DPA 2018, UK GDPR and your internal incident response playbook is one of the highest-ROI compliance investments you can make.

Common Misconceptions

"Brexit means GDPR no longer applies in the UK."

False. GDPR was retained in UK law as the UK GDPR. The rules changed in name and enforcement mechanism, not in substance.

"The DPA 2018 replaced the Data Protection Act 1998."

True. The 1998 Act was repealed and replaced by the DPA 2018, which was drafted specifically to work alongside GDPR.

"Small businesses are exempt."

Mostly false. There is a limited exemption from record-keeping for organisations with fewer than 250 staff, but only if their processing is occasional and low-risk. Everyone else must comply fully, regardless of size.

"We only need to worry about one regime."

Only if your customers and staff are all located in one jurisdiction. Any cross-border activity — an EU customer, an EU supplier, a cloud host in Frankfurt — can pull you into the EU regime as well.

Divergence to Watch in 2026

The UK government has signalled ongoing reform through the Data (Use and Access) Act and related proposals, aimed at reducing perceived compliance burdens on business. Areas to monitor include:

  • Changes to the legitimate interests balancing test and cookie rules.
  • Reforms to how the ICO operates and prioritises enforcement.
  • New rules on automated decision-making and AI.
  • Potential impact on the EU–UK adequacy decision, which underpins frictionless data flows.

If the EU decides UK reforms have gone too far, adequacy could be revoked — forcing UK businesses to rely on SCCs and IDTAs for every EEA data flow. That would be one of the biggest compliance shifts since GDPR itself.

Frequently Asked Questions

Is the UK GDPR the same as the EU GDPR?

They are almost identical in substance but legally separate. The UK GDPR is enforced by the ICO under UK law, while the EU GDPR is enforced by EU supervisory authorities. Minor differences include the age of digital consent (13 in the UK, up to 16 in the EU) and the currency of maximum fines.

Do I need to comply with both the DPA 2018 and the UK GDPR?

Yes. In the UK they operate together. The UK GDPR is the primary framework, and the DPA 2018 fills in UK-specific rules, exemptions and enforcement powers. You cannot comply with one and ignore the other.

What are the maximum fines under the UK Data Protection Act?

The ICO can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. Lower-tier infringements carry a cap of £8.7 million or 2% of turnover.

Do UK businesses need an EU representative after Brexit?

If your UK business offers goods or services to individuals in the EEA, or monitors their behaviour, you generally need to appoint an EU representative under Article 27 of the EU GDPR. Similarly, EU businesses targeting UK residents need a UK representative.

Does the DPA 2018 apply to personal data collected before it came into force?

Yes. The DPA 2018 and UK GDPR apply to all personal data you hold, regardless of when it was collected. Legacy data must meet current standards for lawful basis, retention and security, or be deleted.

Final Thoughts

The UK Data Protection Act vs GDPR comparison is less a battle and more a partnership. In the UK, the DPA 2018 and UK GDPR are two halves of the same compliance whole, closely aligned with the EU GDPR but increasingly on their own trajectory. For most organisations, the smart approach is to build one robust privacy programme that satisfies the stricter of the two regimes for each obligation — that way, wherever your customers are, you are covered.

Keep your data map up to date, audit your vendors, use privacy-respecting tools where you can, and watch for the reform agenda that will continue to shape UK data protection through 2026 and beyond.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles