Loading…
If you've ever wondered whether you can copy-paste your EU GDPR programme into the UK, the short answer is: mostly, with three substantive carve-outs. Since 1 January 2021 the UK has operated the UK GDPR alongside the Data Protection Act 2018, with the Information Commissioner's Office (ICO) as the sole authority. The Data (Use and Access) Act 2025 nudged the UK further away from the EU framework — and an EU adequacy decision keeps the EU↔UK data flow open until at least 2025.
| Dimension | 🇬🇧 UK GDPR | 🇪🇺 EU GDPR |
|---|---|---|
| Legal instrument | UK GDPR (the retained EU GDPR as amended) + Data Protection Act 2018 + Data (Use and Access) Act 2025 | Regulation (EU) 2016/679 |
| Effective date in current form | 1 January 2021 (post-Brexit) | 25 May 2018 |
| Regulator | Information Commissioner's Office (ICO) — one authority | 27 EU Member State DPAs + EDPB |
| Maximum fine | £17.5M or 4% global turnover (whichever is higher) | €20M or 4% global turnover |
| Lower-tier fine | £8.7M or 2% global turnover | €10M or 2% global turnover |
| Article 27 Representative | Separate UK Representative required for non-UK controllers/processors | EU Representative required for non-EU controllers/processors |
| International transfers — instruments | UK IDTA, UK Addendum to EU SCCs, BCRs, Adequacy | EU SCCs, BCRs, Adequacy |
| UK adequacy of EU | Yes — EU treated as adequate | EU adequacy of UK is valid until at least 27 June 2025 (with extension provisions) |
| Children's age of consent | 13 (UK) — different from EU default 16 | 16 (Member States may lower to 13) |
| Age Appropriate Design Code | Yes — ICO statutory code (15 standards) | No direct equivalent at EU level |
| PECR / ePrivacy | PECR — UK ePrivacy regime governs cookies, marketing, traffic data | ePrivacy Directive (Member State implementations); ePrivacy Regulation pending |
| DPDI / DUA Act reforms | Data (Use and Access) Act 2025: targeted reforms — automated decision-making, research, charity processing, smart-data schemes, digital ID | Not directly applicable; EU pursues sectoral acts (AI Act, Data Act, DSA, DMA) |
| Right to data portability | Article 20 — same as EU | Article 20 |
| Right to object to automated decisions | Article 22 — DPDI proposed changes never enacted as originally drafted | Article 22 — strict |
| DPO requirements | Article 37 — no separate threshold; senior management responsibility under DUAA | Article 37 — mandatory in defined cases |
| Lead Supervisory Authority | ICO (single) | EDPB one-stop-shop mechanism across 27 SAs |
| Breach notification | 72 hours to ICO (same as EU) | 72 hours to lead SA |
| Subject Access Request response | 1 month + 2-month extension (same as EU) | 1 month + 2-month extension |
| Special category data (Art. 9) | Schedule 1 DPA 2018 adds conditions for processing in employment, public health, research | Article 9 + Member State law |
| Public-sector framework | DPA 2018 Part 3 (law enforcement) + Part 4 (intelligence services) | Law Enforcement Directive 2016/680 (separate from GDPR) |
Yes. Since Brexit the EU and UK are separate jurisdictions for Article 27 purposes. A non-EU/non-UK controller offering services to people in both regions needs both an EU Representative and a UK Representative — they can be coordinated through a single provider but must be legally separate entities.
It's been politically discussed since the DPDI proposals. The current adequacy decision (June 2021) is valid until at least 27 June 2025, with extension provisions. The Commission monitors UK reforms — major divergence (large-scale changes to data subject rights, third-country transfer regime) could trigger review.
Yes, in most cases. Identify the controller for each, name both Representatives, and reference both authorities for complaints. Differences in age-of-consent and the Age Appropriate Design Code may require UK-specific sections for services likely to be accessed by children.
Targeted reforms rather than wholesale rewrite — automated decision-making provisions relaxed for safeguarded cases, research processing clarified, smart-data and digital-identity schemes introduced. Most day-to-day compliance is unchanged.
Yes — must be established in the UK. A natural person resident in the UK or a UK legal entity qualifies. Mailbox-only services have been rejected by the ICO.
Map controls once, comply twice. RegulatoryBridge gives you a single DSAR pipeline, single DPO, single breach runbook — covering both frameworks.