GDPR vs UK GDPR: How the Data (Use and Access) Act 2025 Is Creating Real Divergence
The EU GDPR and UK GDPR started as identical texts after Brexit. The Data (Use and Access) Act 2025, in force from February 2026, created the first material divergence: recognised legitimate interests, reformed automated decision-making rules, a SAR stop-the-clock mechanism, and analytics cookie exemptions now apply only under the UK framework.
When the United Kingdom left the European Union on 31 January 2020, the EU GDPR did not simply stop applying. The European Union (Withdrawal) Act 2018 retained it in UK domestic law, creating the UK GDPR. Supplemented by the Data Protection Act 2018, the UK GDPR initially mirrored the EU GDPR almost word for word.
For four years, the comparison was largely academic. Then came the Data (Use and Access) Act 2025 (DUAA). Having received Royal Assent on 19 June 2025 and been commenced in phases through early 2026, the DUAA has introduced structural changes to legitimate interest processing, automated decision-making, subject access rights, cookie consent, and the ICO's own governance. The two regimes no longer look the same.
This guide explains how the UK GDPR came to exist, what the DUAA has changed, the state of the EU adequacy decision, and what dual-compliance looks like in 2026.
How the UK GDPR Came to Exist
The EU GDPR applied directly in the UK from 25 May 2018 through 31 December 2020, when the UK was a member state and then in the transition period after departure. On 1 January 2021, the retained GDPR became the UK GDPR.
The technical mechanism was straightforward. The Withdrawal Act incorporated the GDPR into UK domestic law and authorised statutory instruments to fix references that no longer made sense: "the Union" became "the United Kingdom," EU institutions became UK equivalents, and the Information Commissioner's Office (ICO) became the sole supervisory authority for the entire country rather than the UK national DPA within a network of 30+ European DPAs.
The Data Protection Act 2018 sits alongside the UK GDPR in a relationship that mirrors the EU structure: the DPA 2018 provides UK-specific provisions and derogations in the same way EU member states passed national implementing legislation. The combined UK GDPR and DPA 2018 framework, as of 1 January 2021, was substantively identical to the EU GDPR.
The UK government announced early on that it intended to reform this framework. After several false starts, the Data Protection and Digital Information (DPDI) Act received Royal Assent on 24 October 2024, making modest changes. The DUAA 2025, a larger and more ambitious statute, followed eight months later.
The Historical Near-Identity
From 2021 through most of 2025, the UK GDPR and EU GDPR were functionally equivalent for almost all practical purposes. The six lawful bases for processing were identical. Data subject rights (access, rectification, erasure, portability, restriction, objection) were the same. The 72-hour breach notification obligation was the same. Data protection by design, impact assessments, DPO requirements, processor contracts, and special category data rules all tracked the EU text.
The main practical differences during this period were structural: the ICO as sole supervisory authority (versus 30+ EU DPAs), the UK's own adequacy decisions for international transfers, the UK International Data Transfer Agreement (IDTA) as the domestic equivalent of the EU Standard Contractual Clauses, and the use of sterling rather than euros for fines.
That near-identity was the basis on which the European Commission granted the UK an adequacy decision in June 2021.
The Data (Use and Access) Act 2025: Where Divergence Begins
The DUAA was enacted on 19 June 2025. The UK government framed it as a pro-innovation reform that retains high data protection standards while reducing unnecessary compliance burdens. Critics, including the EDPB, noted that some changes move meaningfully away from EU GDPR principles.
Most of the Act's data protection provisions commenced on 5 February 2026. The complaints handling requirement commences 19 June 2026. ICO governance restructuring follows once the new board is appointed, expected in late 2026.
Recognised Legitimate Interests
The most structurally significant change is the creation of a new lawful basis: "recognised legitimate interests" under Article 6 UK GDPR (inserted by section 70 and Schedule 4 of the DUAA).
Under the EU GDPR, every reliance on legitimate interests as a lawful basis requires a Legitimate Interests Assessment (LIA) that balances the controller's interest against the data subject's rights and freedoms. There are no shortcuts. The UK GDPR retains this full balancing requirement for general legitimate interest claims.
However, Schedule 4 of the DUAA inserts an annex of specific "recognised legitimate interests" for which no balancing test is required. The listed categories are:
- Crime prevention and detection, including fraud prevention
- Safeguarding vulnerable people (protecting a person from neglect, or physical, mental, or emotional harm)
- Responding to emergencies as defined under the Civil Contingencies Act 2004
- National security, public security, and defence
- Assisting public bodies with law-sanctioned public interest tasks
- Intra-group transmission of personal data for internal administrative purposes
For these specific categories, a controller can rely on the recognised legitimate interest ground without conducting or documenting a balancing test. The data subject still retains the right to object under Article 21, but the processing is presumptively lawful.
The EU GDPR has no equivalent provision. Processing for legitimate interests in the EU always requires a balancing test, regardless of the purpose. This is an area of real substantive divergence.
Automated Decision-Making
GDPR Article 22 gives EU data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, with limited exceptions. This has historically been a significant constraint on fully automated profiling, credit scoring, and similar systems.
The DUAA replaces UK GDPR Article 22 with new Articles 22A through 22D (section 80 and Schedule 6). The reformed UK framework is described by the government as "more permissive." Key changes:
- The prohibition on solely automated decision-making (ADM) now applies only where the decision is based entirely or partly on special category data and produces legal or similarly significant effects.
- For other ADM decisions, organisations must provide transparency, enable the data subject to make representations, and offer a route to human intervention on request.
- For law enforcement contexts, a new "active human review exemption" allows adverse automated decisions without immediate human review if doing so would obstruct an investigation or safeguard national security, provided human reconsideration follows as soon as reasonably practicable.
The practical effect is that a wider range of automated decisions becomes lawful in the UK without triggering the full Article 22 protections. A system built under the more permissive UK framework may not comply with the EU GDPR for EU data subjects. The ICO opened a consultation on updated ADM guidance in early 2026.
SAR Stop-the-Clock
Sections 75 to 78 of the DUAA introduce a "stop-the-clock" mechanism for subject access requests (SARs) that has no equivalent in the EU GDPR.
Under both frameworks, controllers must respond to SARs within one calendar month (extendable by two further months for complex or numerous requests). Under the EU GDPR, this period runs continuously once the SAR is received.
Under the amended UK GDPR, the response period is paused when the controller needs the data subject to clarify or refine their request or to provide additional information to locate the relevant data. The clock stops when clarification is requested and restarts when the clarification arrives.
The same sections also codify that SAR searches need only be "reasonable and proportionate" -- a principle previously established only through UK case law.
The stop-the-clock mechanism gives UK controllers more flexibility in handling complex SARs. EU controllers have no equivalent tool; any clarification request must be managed within the running one-month period.
Cookie and PECR Reforms
The Privacy and Electronic Communications Regulations 2003 (PECR) implement the EU's ePrivacy Directive in UK law and govern cookies and similar tracking technologies. PECR has historically required prior consent for all non-essential cookies, producing the familiar cookie consent banners on websites across the UK and EU.
The DUAA amends PECR to create three new categories of storage and access technologies that are exempt from consent (in force 5 February 2026):
- Statistical cookies: analytics cookies used to measure and improve website performance, provided the data is not used for other purposes and a free opt-out is available to users.
- Appearance cookies: cookies that remember user preferences such as language or display settings, where a free opt-out is available.
- Emergency assistance cookies: cookies necessary to enable an emergency assistance service.
For statistical and appearance cookies, the exemption applies only if the controller provides a free and easy mechanism for users to opt out. The ICO published draft guidance in autumn 2025; finalised guidance is expected in spring 2026.
In the EU, the ePrivacy Directive has not been amended. All non-essential cookies still require prior opt-in consent. The long-debated ePrivacy Regulation remains unenacted. UK websites can now use analytics cookies without a consent banner (subject to offering opt-out), while the same cookies on an EU-facing page still require prior consent.
Separately, the DUAA raises the maximum PECR fine from £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher), matching UK GDPR penalty levels. This brings electronic communications enforcement in line with data protection enforcement.
Scientific Research Provisions
Sections 67 and 68 of the DUAA clarify and expand the UK's research provisions. Two changes matter.
First, the definition of "scientific research" is written into primary legislation (previously it sat in recitals) and explicitly includes commercial scientific research -- for example, a pharmaceutical company conducting clinical trials. This removes ambiguity about whether commercial research entities benefit from research processing flexibilities.
Second, the DUAA enables "broad consent" for scientific research: where it is not reasonably possible to define specific research purposes at the outset, a broader consent covering related research areas is valid. This reflects common practice in longitudinal studies and biobanks.
Under EU GDPR, these principles exist in recitals and Article 89 but have been interpreted more restrictively in some member states. The UK codification provides greater legal certainty.
Smart Data Schemes
Part 1 of the DUAA establishes a statutory framework for "smart data schemes." This is separate from the core UK GDPR changes but relevant to data practitioners.
Smart data schemes expand the UK's Open Banking model -- which allows customers to share financial data with authorised third parties via APIs -- to other sectors. The Secretary of State and HM Treasury can designate "data holders" in any sector (energy, mortgages, insurance, pensions, and others) to make customer data available on request to authorised third parties.
As of 2025, approximately one in five UK consumers and businesses use Open Banking services. The DUAA puts Open Banking on a statutory footing and creates the legal infrastructure to extend the model across the economy. The government's target is more than 20 new smart data schemes by 2035.
Smart data schemes do not modify the UK GDPR directly, but data shared through a smart data scheme must comply with UK GDPR requirements for each controller involved.
ICO Becomes the Information Commission
Part 6 of the DUAA renames the Information Commissioner's Office as the Information Commission (IC) and restructures its governance. The ICO will be led by a board with a separate chair and chief executive rather than a sole Information Commissioner.
The Information Commission will also carry a statutory duty to have regard to the desirability of promoting innovation when exercising its functions. Critics note this creates a tension with the EU GDPR requirement that supervisory authorities act with "complete independence" (Article 52) and without competing commercial objectives.
The full governance transition depends on new board appointments, expected in the second half of 2026. Until then, the existing ICO structure operates under the new name.
The DUAA also gave the ICO enhanced enforcement tools: the power to require controllers to commission independent audits at their own expense, and the power to compel witness interviews through information notices.
The EU Adequacy Decision: Renewed Through 2031
When the UK left the EU single market on 1 January 2021, EU GDPR Article 46 required organisations to have an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism before transferring personal data from the EU to the UK.
The European Commission adopted an adequacy decision for the UK in June 2021, determining that the UK's framework provided essentially equivalent protection. The original decision included a four-year sunset clause, expiring in June 2025 unless renewed.
The December 2025 Renewal
The Commission renewed both UK adequacy decisions -- one under the EU GDPR, one under the Law Enforcement Directive -- on 19 December 2025. The renewed decisions extend through 27 December 2031: a six-year extension.
In renewing, the Commission assessed the UK's data protection framework including the newly enacted DUAA 2025 and concluded that protection remains "essentially equivalent" to EU standards, notwithstanding the DUAA reforms.
The EDPB had adopted its opinions on the draft adequacy decisions on 20 October 2025, supporting the extension while raising specific concerns:
- Secretary of State powers: the authority to amend automated decision-making rules, international transfer mechanisms, and ICO governance through secondary legislation with limited Parliamentary scrutiny should be monitored.
- UK onward adequacy test: the new UK standard for third-country adequacy assessments ("not materially lower" protection) omits elements that featured in the previous UK test, potentially enabling onward transfers to countries that would not meet EU adequacy standards.
- ICO structure and independence: changes to the ICO's governance and its new duty to consider innovation require ongoing assessment.
- National security exemptions: Technical Capability Notices allowing encryption circumvention, and national security exemptions from data protection principles, warrant close monitoring.
EDPB Chair Anu Talus stated that the Board "welcomes the continuing alignment between the UK and Europe's data protection framework" while calling for effective monitoring over the six-year period.
What Adequacy Means Practically
The adequacy decision covers transfers of personal data from EU and EEA member states to the UK. In practice:
- UK organisations receiving personal data from EU/EEA controllers do not need SCCs, Binding Corporate Rules, or other transfer safeguards.
- EU controllers sending data to UK processors or joint controllers can do so freely.
- If the decision were revoked or suspended, every such transfer would immediately require an alternative mechanism.
UK-to-EU transfers are handled separately: the UK has recognised the EU/EEA as adequate under UK adequacy regulations, so those transfers also flow without additional safeguards.
Enforcement: ICO vs EU DPAs
| | ICO / Information Commission (UK) | EU DPAs |
|---|---|---|
| Number of authorities | 1 (national) | 30+ (one per member state) |
| Lead authority model | Not applicable | One-stop-shop: lead DPA for cross-border processing |
| Max fine under GDPR / UK GDPR | £17.5m or 4% global turnover | €20m or 4% global turnover |
| Max PECR fine (from Feb 2026) | £17.5m or 4% global turnover | ePrivacy Directive: varies by member state |
| DPA independence | Statutory duty to consider innovation | "Complete independence" (Art. 52) |
| Audit powers post-DUAA | Can require external audits at controller's expense | Varies by member state |
The penalty tiers are broadly equivalent in monetary terms. For organisations subject to both regulators, a breach affecting both UK and EU data subjects requires separate notification to both the ICO and the relevant EU lead DPA within 72 hours of awareness.
Does Divergence Threaten Adequacy?
The December 2025 renewal confirms that current levels of divergence fall within the Commission's "essentially equivalent" tolerance. The areas most likely to attract scrutiny over the 2025-2031 period are:
Onward transfers: The UK's new "not materially lower" standard for third-country adequacy could allow UK-side onward transfers to countries the EU has not recognised. EU data flowing into the UK and then onward to a lower-protection country could undermine the adequacy rationale.
Secondary legislation powers: The Secretary of State can further amend the UK GDPR framework -- including ADM rules and international transfer mechanisms -- without primary legislation. Any exercise of those powers that reduces data subject protections could trigger Commission review.
ICO independence: If the Information Commission's enforcement patterns appear shaped by commercial or innovation considerations rather than data protection law, that could draw EDPB comment.
ADM practices: If UK organisations begin operating automated decision-making systems that would be unlawful under EU GDPR Article 22 but are permitted under the UK's Articles 22A-D, and those decisions affect EU residents, adequacy friction could arise.
The adequacy decision can be suspended or revoked at any time before 2031. Organisations with significant EU-to-UK data flows should maintain contingency SCCs or IDTAs as a precaution.
Side-by-Side Comparison
| Feature | EU GDPR | UK GDPR (post-DUAA, 2026) |
|---|---|---|
| Effective since | 25 May 2018 | 1 Jan 2021 (retained); DUAA: 5 Feb 2026 |
| Supervisory authority | National DPAs (30+) | ICO (becoming Information Commission) |
| Recognised legitimate interests | No equivalent; full LIA always required | Schedule 4 list (crime, safeguarding, emergencies, national security, intra-group): no LIA needed |
| Automated decisions (Art. 22) | Right not to be subject to solely automated ADM (with exceptions) | Replaced by Arts. 22A-D; prohibition narrowed to special category data; transparency and challenge rights apply broadly |
| SAR response deadline | 1 month (running continuously) | 1 month (stop-the-clock during clarification requests) |
| Analytics cookies | Prior consent required | Exempt if free opt-out provided |
| Appearance cookies | Prior consent required | Exempt if free opt-out provided |
| PECR max fine | N/A (ePrivacy varies by member state) | £17.5m or 4% global turnover (from Feb 2026) |
| Scientific research scope | Art. 89, recital-based; commercial research debated | Codified; commercial research explicitly included; broad consent permitted |
| Adequacy test for onward transfers | "Essentially equivalent" | "Not materially lower" |
| DPA independence | "Complete independence" (Art. 52) | Duty to consider innovation |
| Max fine (GDPR / UK GDPR) | €20m or 4% global turnover | £17.5m or 4% global turnover |
| Data breach notification | 72 hours to DPA | 72 hours to ICO |
| DPO requirement | Yes (certain organisations) | Yes (certain organisations) |
| Transfer mechanisms | Adequacy decisions, SCCs, BCRs | Same mechanisms; new "not materially lower" adequacy test |
| Data portability / smart data | GDPR Art. 20 (individual right only) | Art. 20 plus DUAA smart data schemes (sector-level portability) |
Dual Compliance: Running Both Frameworks in 2026
Organisations that collect personal data from both UK and EU residents must satisfy both frameworks simultaneously. Key practical steps following the DUAA coming into force:
Privacy notices: Update to reflect both UK GDPR and EU GDPR lawful bases where they differ. Processing relying on recognised legitimate interests under UK law still requires a full LIA for EU-facing processing. Notices should be clear about which supervisory authority (ICO or relevant EU DPA) applies to which processing.
Legitimate interest assessments: Maintain separate LIAs for EU-facing processing even where the equivalent UK processing relies on recognised legitimate interest. The absence of a UK LIA requirement does not remove the EU obligation.
Automated decision-making: Review all fully automated decision-making against both Article 22 (EU) and the new UK Articles 22A-D. Systems lawful under the more permissive UK framework must still comply with the stricter EU rules for EU data subjects.
SAR procedures: The stop-the-clock mechanism applies only to UK GDPR SARs. EU GDPR SARs run on a continuous one-month deadline. Where a single SAR spans both UK and EU personal data, treat the EU GDPR deadline as binding.
Cookie consent: EU-facing pages continue to require full opt-in consent for analytics and appearance cookies. UK-facing pages may move to an opt-out model for those cookie categories under the PECR exemptions. Consider geolocation or preference-based approaches for mixed audiences.
International transfers: EU-to-UK transfers are covered by the adequacy decision. UK-to-EU transfers are covered by UK adequacy regulations. Maintain contingency SCCs for EU-to-UK flows as a hedge against adequacy suspension.
Representatives: Organisations established only in the UK (not in the EU) need an EU representative for EU-facing processing under EU GDPR Article 27. Organisations established only in the EU need a UK representative under UK GDPR Article 27. These can be different entities.
Breach notification: A single incident affecting both UK and EU data subjects requires notification to both the ICO and the relevant EU lead DPA within 72 hours of awareness.
For a detailed look at the UK framework alone, see our guide to United Kingdom data privacy laws. For the EU side, see our EU data privacy laws guide.
Recent Developments (2024-2026)
May 2026: Finalised ICO cookie guidance expected imminently. ICO consultation on ADM guidance ongoing.
February 2026: Main DUAA data protection provisions in force. Recognised legitimate interests, new ADM framework, SAR stop-the-clock, and cookie exemptions now operative. PECR fines rise to £17.5m tier.
December 2025: European Commission renews UK adequacy decisions for GDPR and the Law Enforcement Directive, valid until 27 December 2031.
October 2025: EDPB adopts opinions supporting adequacy renewal while flagging monitoring concerns on Secretary of State powers, the UK onward transfer test, and ICO independence.
June 2025: DUAA receives Royal Assent (19 June 2025). ICO announces proportionate and supportive approach as new provisions come into force.
October 2024: DPDI Act receives Royal Assent, introducing an initial round of post-Brexit UK GDPR reforms preceding the DUAA.
June 2021: European Commission adopts original UK adequacy decisions.
January 2021: UK GDPR comes into existence as retained EU law.
Frequently Asked Questions
Is the UK still covered by the GDPR after Brexit?
The EU GDPR no longer applies directly in the UK. Instead, the UK has its own UK GDPR, retained in domestic law through the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018. The two laws started nearly word-for-word identical, but the Data (Use and Access) Act 2025, in force from February 2026, has introduced material differences in legitimate interests, automated decision-making, SAR handling, and cookie consent.
What is the Data (Use and Access) Act 2025 and when did it come into force?
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. Its main data protection provisions came into force on 5 February 2026. The Act amends the UK GDPR and DPA 2018 to introduce recognised legitimate interests (no LIA required for listed categories), reformed automated decision-making rules, a SAR stop-the-clock mechanism, new cookie exemptions under PECR, higher PECR fines, broadened scientific research provisions, and the ICO transition to become the Information Commission.
Can personal data still flow freely between the EU and UK?
Yes. The European Commission renewed both UK adequacy decisions on 19 December 2025, covering transfers under the EU GDPR and the Law Enforcement Directive. The renewed decisions are valid until 27 December 2031. EU-to-UK personal data transfers do not require Standard Contractual Clauses or other transfer mechanisms during that period, provided the underlying processing otherwise complies with the EU GDPR.
What are recognised legitimate interests under the UK GDPR?
Recognised legitimate interests are a new lawful processing category inserted by Schedule 4 of the DUAA into UK GDPR Article 6. They cover crime prevention and detection, safeguarding vulnerable people, responding to emergencies, national security and public security, assisting law-sanctioned public interest tasks, and intra-group data transfers. Unlike ordinary legitimate interest processing, these categories do not require a Legitimate Interests Assessment. The EU GDPR has no equivalent -- all legitimate interest reliance in the EU requires a full balancing test.
What changed for subject access requests under the DUAA?
The DUAA introduced a stop-the-clock mechanism: the one-month SAR response deadline pauses when a controller requests clarification or additional information from the data subject, and resumes when that clarification arrives. The Act also codifies that SAR searches need only be reasonable and proportionate. These changes apply only to UK GDPR SARs. EU GDPR SARs still run on a continuous one-month deadline regardless of clarification exchanges.
Do businesses need to comply with both the UK GDPR and EU GDPR?
Yes, if they process personal data of both UK and EU residents. A UK-based company selling to EU customers must comply with the EU GDPR for those customers and the UK GDPR for UK residents. This now requires separate management of recognised legitimate interest assessments (full LIA for EU, potentially no LIA for UK), SAR timelines, automated decision-making logic, and cookie consent approaches for UK versus EU audiences.
Does the DUAA threaten the EU adequacy decision?
Not immediately. The Commission renewed adequacy in December 2025 having assessed the DUAA, and found current divergence acceptable. However, the EDPB flagged areas for ongoing monitoring: the UK's new onward adequacy test, Secretary of State powers to further amend the framework through secondary legislation, and the ICO's duty to consider innovation. If those powers are exercised to weaken data subject protections, adequacy could be reviewed before the 2031 expiry.
Sources and References
- Data (Use and Access) Act 2025, c.18 (legislation.gov.uk)
- Data Protection Act 2018 (legislation.gov.uk)
- Data (Use and Access) Act 2025: data protection and privacy changes — GOV.UK (gov.uk)
- Data (Use and Access) Act factsheet: UK GDPR and DPA — GOV.UK (gov.uk)
- Data (Use and Access) Act 2025 — ICO (ico.org.uk)
- Statement on the commencement of the DUAA — ICO, February 2026 (ico.org.uk)
- Recognised legitimate interest — ICO (ico.org.uk)
- Commission renews decisions to allow for the free and safe flow of personal data with the UK — European Commission, December 2025 (ec.europa.eu)
- Draft UK adequacy decisions: EDPB adopts opinions — EDPB, October 2025 (edpb.europa.eu)
- EU adequacy decisions — European Commission (commission.europa.eu)
- Receiving personal information from the EEA — ICO (ico.org.uk)
- UK International Data Transfer Agreement — ICO (ico.org.uk)