GDPR vs UK GDPR: What Changed After Brexit (2026)
When the United Kingdom left the European Union on January 31, 2020, the GDPR did not simply stop applying to the UK. Instead, the European Union (Withdrawal) Act 2018 "retained" the GDPR in UK domestic law, creating what is commonly called the "UK GDPR." Supplemented by the Data Protection Act 2018 (DPA 2018), the UK GDPR initially mirrored the EU GDPR almost word for word.
Since Brexit, however, the UK government has pursued regulatory reforms that are creating measurable divergence between the two frameworks. This guide tracks every significant area where the UK GDPR and EU GDPR now differ, and where they remain aligned.
How the UK GDPR Came to Exist
The EU GDPR applied directly in the UK from May 25, 2018, through January 31, 2020, when the UK was still an EU member state. During the transition period that followed (until December 31, 2020), the GDPR continued to apply.
On January 1, 2021, the retained version of the GDPR became the UK GDPR. References to "the Union" were replaced with "the United Kingdom," references to EU institutions were replaced with UK equivalents, and the Information Commissioner's Office (ICO) became the sole supervisory authority. The Data Protection Act 2018 supplements the UK GDPR with UK-specific provisions, much as individual EU member states have national implementing legislation.
The UK government then embarked on a reform process, first through the Data Protection and Digital Information (No. 2) Bill, which eventually became the Data Protection and Digital Information Act (DPDI Act), receiving Royal Assent on October 24, 2024. This Act introduces the most significant changes to the UK data protection framework since Brexit.
The EU Adequacy Decision: A Fragile Bridge
In June 2021, the European Commission adopted an adequacy decision for the UK under GDPR Article 45. This decision allows personal data to flow freely from the EU/EEA to the UK without the need for Standard Contractual Clauses or other transfer mechanisms.
The adequacy decision contains a sunset clause: it was due to expire in June 2025 unless the Commission renewed it. As of March 2026, the European Commission has extended the adequacy finding, though the extension remains subject to ongoing review. The Commission can revoke or suspend the decision at any time if UK data protection standards no longer provide an "essentially equivalent" level of protection.
This adequacy decision is the single most consequential link between the two frameworks. If revoked, every organization transferring personal data from the EU to the UK would need to implement alternative transfer mechanisms, creating significant compliance burdens for hundreds of thousands of businesses.
Areas of Continued Alignment
Despite post-Brexit reforms, the core architecture of the two frameworks remains substantially similar.
| Area | Status |
|---|---|
| Core data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, accountability) | Aligned |
| Six lawful bases for processing | Aligned (with UK modifications to legitimate interests) |
| Data subject rights (access, rectification, erasure, portability, objection) | Aligned |
| Special categories of data | Aligned |
| Data protection by design and by default | Aligned |
| Records of processing activities | Aligned |
| Data breach notification (72 hours to supervisory authority) | Aligned |
| Data Protection Impact Assessments | Aligned |
| Processor and controller obligations | Aligned |
For most day-to-day processing activities, a business compliant with the EU GDPR will also be compliant with the UK GDPR, and vice versa.
Areas of Divergence
Legitimate Interests
The DPDI Act introduces a list of "recognized legitimate interests" for which organizations do not need to conduct a full balancing test against the data subject's rights. These recognized interests include:
- Processing necessary for direct marketing
- Intra-group transfers for internal administrative purposes
- Processing necessary for network and information security
- Processing necessary to safeguard an individual in an emergency
- Processing for the purposes of democratic engagement
Under the EU GDPR, every reliance on legitimate interests requires a Legitimate Interest Assessment (LIA) that balances the controller's interest against the data subject's rights and freedoms. The UK reform simplifies this for the recognized categories, potentially reducing compliance burdens but also reducing individual protections.
Cookie Consent and Electronic Communications
The EU's ePrivacy Directive, implemented in the UK through the Privacy and Electronic Communications Regulations 2003 (PECR), requires prior consent before placing non-essential cookies or similar technologies. This is the legal basis for the cookie consent banners that appear on virtually every European website.
The DPDI Act signals a shift toward allowing certain analytics and functionality cookies without prior consent, provided they have a low privacy impact. The UK government has indicated it wants to reduce "consent fatigue" from excessive cookie pop-ups.
In the EU, the ePrivacy Directive remains unchanged, and the proposed ePrivacy Regulation (which would replace the Directive) has been in development for years without reaching final adoption. Cookie consent requirements remain strict.
| Cookie/Tracking Aspect | EU GDPR + ePrivacy | UK GDPR + DPDI Act |
|---|---|---|
| Non-essential cookies | Prior consent required | Consent required, with planned exemptions for low-impact analytics |
| Essential cookies | No consent needed | No consent needed |
| Consent model | Opt-in (prior, informed) | Opt-in, with broadened exemptions |
| Analytics cookies | Consent required | Planned exemption under DPDI Act |
International Data Transfers
The UK has pursued its own international transfer framework, independent of EU adequacy decisions.
Under the EU GDPR, international transfers require an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another mechanism under Articles 46-49. The European Commission has granted adequacy decisions to a limited number of countries.
The UK has adopted its own transfer mechanisms:
- UK adequacy regulations: The Secretary of State (not the ICO) assesses whether a country provides adequate protection. As of 2026, the UK has recognized the EU/EEA countries and several additional countries.
- UK International Data Transfer Agreement (IDTA): The UK equivalent of Standard Contractual Clauses, issued by the ICO.
- UK Addendum to EU SCCs: Organizations can use the EU SCCs with a UK-specific addendum.
The DPDI Act introduces a new "data protection test" that replaces the "essentially equivalent" standard for adequacy assessments. The new test asks whether the receiving country's protections cause an unacceptable risk of harm to data subjects, rather than whether they mirror UK standards. Critics argue this lower threshold could enable transfers to countries that would not receive EU adequacy.
| Transfer Mechanism | EU GDPR | UK GDPR (post-DPDI) |
|---|---|---|
| Adequacy standard | "Essentially equivalent" level of protection | "No unacceptable risk" to data subjects |
| Adequacy decision body | European Commission | UK Secretary of State |
| Standard clauses | EU SCCs (2021) | UK IDTA or UK Addendum to EU SCCs |
| Binding Corporate Rules | Approved by lead DPA | Approved by ICO |
| Transfer impact assessments | Required per EDPB guidance | Required (with potentially lighter approach) |
Automated Decision-Making
GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them. Data subjects can request human review of such decisions.
The DPDI Act modifies this framework for the UK. It narrows the scope of the automated decision-making provisions and introduces new safeguards focused on meaningful human involvement. The UK approach emphasizes ensuring that automated systems have adequate human oversight rather than providing an absolute right to avoid automated decisions.
Research Exemptions
The DPDI Act broadens the UK's research exemptions, making it easier for organizations to reuse personal data for research purposes without obtaining fresh consent, provided certain safeguards are in place. The EU GDPR's research provisions under Article 89 are more restrictive, requiring appropriate technical and organizational measures and compliance with the purpose limitation principle.
The Role of the ICO
The DPDI Act restructures the ICO's governance and objectives. Key changes include:
- A new principal objective to "secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers, and the wider public"
- A statutory duty to consider the impact of regulation on innovation and competition
- New governance structure with a chair, chief executive, and board replacing the sole Commissioner model
Critics of these reforms argue that requiring the ICO to balance data protection against innovation and competition dilutes its independence. The EU GDPR requires DPAs to act with "complete independence" (Article 52) and does not impose competing objectives.
Subject Access Request (SAR) Fees and Thresholds
The DPDI Act introduces changes to subject access requests that create practical differences:
- Controllers can refuse or charge a reasonable fee for requests that are "vexatious or excessive" (replacing the EU GDPR's "manifestly unfounded or excessive" standard)
- The threshold for refusing requests is modestly lower under the UK framework
Dual Compliance: Practical Considerations
Organizations that operate in both the UK and EU need to maintain compliance with both frameworks. Key practical steps include:
- Dual privacy notices: Notices should reference both the UK GDPR and EU GDPR where applicable, noting the UK ICO and relevant EU DPA as supervisory authorities.
- Dual representatives: Organizations not established in the UK need a UK representative under UK GDPR Article 27. Organizations not established in the EU need an EU representative under EU GDPR Article 27. These can be different entities.
- Transfer mechanisms in both directions: EU-to-UK transfers rely on the EU's adequacy decision. UK-to-EU transfers are permitted because the UK recognizes the EU as adequate. If the EU adequacy decision were revoked, EU-to-UK transfers would need SCCs or other mechanisms.
- Breach notification to multiple authorities: A breach involving both UK and EU data subjects requires notification to both the ICO and the relevant EU DPA(s) within 72 hours.
- Monitor divergence: The areas of divergence noted above require ongoing monitoring. The UK's DPDI Act provisions will be implemented through secondary legislation over time, creating a rolling compliance landscape.
For a deeper look at the UK framework, see our [United Kingdom data privacy laws guide](/world-laws/world-data-privacy-laws/united-kingdom-data-privacy-laws). For the EU GDPR, see our complete GDPR guide and GDPR compliance checklist.
Summary Comparison Table
| Feature | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| Effective since | May 25, 2018 | Jan 1, 2021 (retained); DPDI Act: Oct 2024 |
| Supervisory authority | National DPAs (30+) | ICO (single authority) |
| Legitimate interests | Full LIA balancing test required | Recognized interests exempted from full LIA |
| Cookie consent | Strict opt-in for non-essential cookies | Opt-in with planned exemptions for analytics |
| Adequacy standard | "Essentially equivalent" | "No unacceptable risk" |
| Automated decisions | Right not to be subject to solely automated decisions (Art. 22) | Narrower scope with meaningful human involvement focus |
| Research exemptions | Art. 89 with purpose limitation | Broadened under DPDI Act |
| DPA independence | "Complete independence" (Art. 52) | Must balance data protection with innovation/competition |
| Maximum fine | EUR 20M or 4% global revenue | GBP 17.5M or 4% global revenue |
| Data breach notification | 72 hours to DPA | 72 hours to ICO |
| DPO requirement | Yes (certain organizations) | Yes (certain organizations) |
| Data subject rights | Full suite (Arts. 15-22) | Full suite with modifications |
| SAR refusal threshold | "Manifestly unfounded or excessive" | "Vexatious or excessive" |
This information reflects the law as of March 2026. The UK's DPDI Act is being implemented in phases, and some provisions await secondary legislation. The EU adequacy decision for the UK remains subject to ongoing review. Consult an attorney for advice specific to your situation.
Sources and References
- UK Data Protection Act 2018 (legislation.gov.uk)
- UK Data Protection and Digital Information Act 2024 (legislation.gov.uk)
- EU Adequacy Decisions, European Commission (commission.europa.eu)
- ICO Guide to the UK GDPR (ico.org.uk)
- GDPR Article 45: Transfers on the Basis of an Adequacy Decision (gdpr-info.eu)
- GDPR Article 52: Independence of Supervisory Authorities (gdpr-info.eu)
- UK ICO International Data Transfer Agreement (ico.org.uk)
- European Commission: Data Protection in the EU (commission.europa.eu)