UK GDPR vs EU GDPR — what changed after Brexit

Updated April 2026 · UK GDPR · EU GDPR 2016/679 · Post-Brexit

UK GDPR and EU GDPR are separate regimes operating in parallel since Brexit. They share the same foundational structure but are supervised by different authorities and are diverging following DUAA 2025 reforms. Organisations operating in both the UK and EU must address both frameworks separately.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

Research note

This page is derived from published regulatory guidance, the text of UK GDPR, EU GDPR 2016/679, DUAA 2025, and ICO and EDPB published positions as at April 2026. Adequacy status and regulatory divergences are subject to change.

The two regimes

When the UK left the EU, it retained EU GDPR 2016/679 in domestic law as UK GDPR, given effect by the Data Protection Act 2018. Both regimes share the same foundational structure — the six principles, lawful bases, data subject rights, breach notification, and accountability obligations — but regulatory interpretation, enforcement priorities, and legislative amendments are creating growing differences.

Adequacy — the critical status

The European Commission renewed its adequacy decision for the UK in December 2025, valid to December 2031 as at April 2026, subject to ongoing review. Personal data can flow from the EU to the UK without additional transfer mechanisms while adequacy holds. UK organisations transferring data to the EU do not need additional mechanisms under UK GDPR, as the EEA is on the UK adequacy list. The adequacy decision can be reviewed or suspended if UK law diverges sufficiently from EU standards.

Source: EC adequacy decision December 2025; UK GDPR Chapter V

DUAA 2025 divergences

The Data (Use and Access) Act 2025 introduced reforms creating growing divergence from EU GDPR. The most significant areas are: an expanded list of recognised legitimate interests (no EU equivalent); changes to ICO enforcement powers and governance; and new smart data sharing frameworks for specific sectors. These have not yet threatened adequacy but are monitored by the European Commission.

Practical implications for organisations

Organisations operating in both the UK and EU must comply with both regimes separately. The same processing activity must comply with UK GDPR (ICO supervision) and EU GDPR (relevant national data protection authority). UK organisations with EU customers or employees may need to appoint an EU representative under Article 27 EU GDPR. EU GDPR fines up to €20 million or 4% of global turnover apply in addition to ICO fines.

US transfers — divergent frameworks

The EU-US Data Privacy Framework and the UK-US Data Bridge are separate arrangements requiring separate self-certification. The DPF’s stability was affected by PCLOB quorum changes in January 2025. Organisations relying on either arrangement should maintain contingency mechanisms.

Source: ICO guidance; EDPB guidance; UK-US Data Bridge documentation

Record this. If operating in both the UK and EU, maintain separate documentation of UK GDPR compliance and EU GDPR compliance. Adequacy decisions and transfer mechanisms must be monitored — changes require prompt action to ensure ongoing lawful data flows.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.