Last updated: March 29, 2026
Quick Summary: EU GDPR vs UK GDPR
| Aspect | EU GDPR | UK GDPR | Source |
|---|---|---|---|
| Legal basis | Regulation (EU) 2016/679 | EU GDPR as retained and amended by UK DPA 2018 + Data Protection and Digital Information Act 2024 | EUR-Lex / UK Legislation |
| Territorial scope | EU/EEA | United Kingdom | Art. 3, GDPR / UK GDPR, Art. 3 |
| Supervisory authority | National DPAs (CNIL, BfDI, AEPD, etc.) + EDPB coordination | ICO (Information Commissioner's Office) | Art. 51, GDPR / UK DPA 2018 |
| Max fine | EUR 20 million or 4% of global annual turnover | GBP 17.5 million or 4% of global annual turnover | Art. 83, GDPR / UK DPA 2018, s.157 |
| EU adequacy for UK | Granted June 28, 2021 (originally 4-year sunset) | N/A (UK is the beneficiary) | Commission Decision (EU) 2021/1772 |
| UK adequacy for EU/EEA | N/A | UK recognises EEA as adequate | UK GDPR, Art. 45 / ICO |
| One-stop shop | Yes: lead supervisory authority mechanism | No: single DPA (ICO only) | Arts. 56-60, GDPR |
Table of Contents
- Executive Summary
- Background: How the UK Got Its Own GDPR
- The Legal Architecture: Two Parallel Regimes
- Key Differences Between EU GDPR and UK GDPR
- The EU Adequacy Decision for the UK: Status and Risks
- Data Transfers Between the UK and EU
- International Data Transfers: Diverging Approaches
- ICO vs EU Data Protection Authorities
- The UK Data Protection and Digital Information Act 2024
- Practical Implications for Dual-Jurisdiction Organisations
- UK GDPR and the EU AI Act
- Enforcement Trends: ICO vs EU DPAs
- Building a Dual-Compliance Framework
- Conclusion: Navigating Two Regimes
- Frequently Asked Questions
- Related Insights & Our Courses
Executive Summary
Since the United Kingdom's departure from the European Union on January 31, 2020 (with the transition period ending December 31, 2020), organisations operating across both jurisdictions have been required to navigate two parallel data protection regimes that are substantially similar but not identical, and that are diverging further over time.
The EU GDPR (Regulation (EU) 2016/679) continues to apply across the EU/EEA. The UK GDPR (the EU GDPR as "retained EU law" in the UK, amended by the Data Protection Act 2018 and subsequently by the Data Protection and Digital Information Act 2024) governs data protection within the United Kingdom.
For the first years post-Brexit, the two regimes remained nearly identical, and the European Commission's adequacy decision (Decision (EU) 2021/1772) of June 28, 2021 enabled free-flowing data transfers from the EU to the UK. However, the landscape is now shifting:
- The UK's Data Protection and Digital Information Act 2024 (DPDI Act) introduced amendments to the UK GDPR that create substantive divergence from the EU regime
- The EU adequacy decision was adopted with a sunset clause and is subject to ongoing review by the European Commission, with the adequacy assessment being a continuing process
- The UK is developing its own international transfer framework with different adequacy assessments and transfer mechanisms
- Enforcement approaches between the ICO and EU data protection authorities are diverging in practice and priority
For organisations operating in both jurisdictions (which includes any UK company with EU customers or any EU company with UK operations), understanding where the two regimes differ, where they converge, and how to structure compliance efficiently is now a critical operational requirement.
"Data protection is not a zero-sum game between the UK and the EU. Both regimes share the same fundamental objective, protecting individuals' personal data, and both are rooted in the same foundational principles. But the practical differences that have emerged since Brexit, and which will continue to evolve, require organisations to be deliberate and informed about their compliance approach in each jurisdiction."
-- John Edwards, UK Information Commissioner, speaking at the IAPP Europe Data Protection Congress, November 2025
This guide provides a detailed comparison of the EU GDPR and UK GDPR as they stand in 2026, with particular focus on the practical differences that affect organisations operating across both regimes.
Background: How the UK Got Its Own GDPR
The Brexit Data Protection Timeline
| Date | Event |
|---|---|
| June 23, 2016 | UK votes to leave the EU |
| May 25, 2018 | EU GDPR becomes applicable β UK is still an EU member |
| November 23, 2018 | UK Data Protection Act 2018 receives Royal Assent |
| January 31, 2020 | UK formally leaves the EU |
| December 31, 2020 | Transition period ends; UK GDPR comes into existence as retained EU law via the European Union (Withdrawal) Act 2018 |
| June 28, 2021 | European Commission adopts adequacy decision for the UK |
| September 21, 2023 | UK-US data bridge agreement enters into force |
| October 24, 2024 | Data Protection and Digital Information Act 2024 receives Royal Assent |
| 2025-2026 | DPDI Act provisions progressively come into force |
The Retained EU Law Mechanism
When the transition period ended, the EU GDPR was "onshored" into UK domestic law through the European Union (Withdrawal) Act 2018. This created a UK-specific version of the GDPR (often called the "UK GDPR") that was identical to the EU GDPR in substance but with modifications to remove EU-specific references (replacing "Union" with "United Kingdom," replacing references to EU institutions with UK equivalents, etc.).
The Data Protection Act 2018 (DPA 2018) supplements the UK GDPR, providing additional provisions on law enforcement processing, intelligence services processing, exemptions, and the ICO's powers and functions.
The Legal Architecture: Two Parallel Regimes
EU Data Protection Framework
| Component | Description |
|---|---|
| EU GDPR (Regulation 2016/679) | The core data protection regulation, directly applicable in all EU/EEA states |
| ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) | Rules on electronic communications, cookies, direct marketing |
| National implementing laws | Member state legislation supplementing the GDPR (e.g. Germany's BDSG, France's Loi Informatique et Libertés) |
| EDPB (European Data Protection Board) | EU-level coordination body issuing binding decisions and guidelines |
| National DPAs | Supervisory authorities in each member state |
UK Data Protection Framework
| Component | Description |
|---|---|
| UK GDPR (retained EU law, as amended) | The UK's version of the GDPR |
| Data Protection Act 2018 | Supplementary provisions (law enforcement, intelligence services, exemptions, ICO) |
| Data Protection and Digital Information Act 2024 | Amendments to UK GDPR and DPA 2018 |
| Privacy and Electronic Communications Regulations 2003 (PECR) | UK equivalent of the ePrivacy Directive |
| ICO (Information Commissioner's Office) | The UK's sole data protection supervisory authority |
Key Differences Between EU GDPR and UK GDPR
While the two regimes share the same foundational text, several substantive differences have emerged, particularly following the DPDI Act 2024. These differences fall into three categories: differences that existed from day one of the UK GDPR, differences introduced by the DPDI Act, and differences in interpretation and enforcement practice.
1. Territorial Scope and Establishment
| Aspect | EU GDPR | UK GDPR |
|---|---|---|
| Territorial scope | EU/EEA establishment; or monitoring/offering goods and services to EU data subjects | UK establishment; or monitoring/offering goods and services to UK data subjects |
| Representative requirement | Non-EU controllers/processors must appoint an EU representative (Art. 27) | Non-UK controllers/processors must appoint a UK representative (UK GDPR Art. 27) |
| Dual obligation | An organisation with both EU and UK presence may need to comply with both | Same |
Practical impact: A company with customers in both the UK and EU must comply with both regimes. A US company selling to EU customers needs an EU representative; if it also sells to UK customers, it needs a separate UK representative.
2. Lawful Basis: Legitimate Interest
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| Legitimate interest | Three-part test required: (1) legitimate interest, (2) necessity, (3) balancing against data subject rights (Art. 6(1)(f)) | Recognised "legitimate interests" list in new Schedule A1 added by DPDI Act; no balancing test required for specified activities |
| Listed activities | N/A | Includes: national security, defence, emergencies, crime prevention, safeguarding, democratic engagement, direct marketing (existing customers), intra-group transmissions, network security |
| DPIA required? | May be required if balancing test indicates high risk | Not required for listed legitimate interests |
Practical impact: The UK's "recognised legitimate interests" list simplifies processing for certain specified purposes but creates divergence. Organisations relying on this list in the UK cannot assume the same processing is lawful under the EU GDPR, where the full balancing test remains required.
3. Data Protection Impact Assessments (DPIAs)
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| When required | Processing "likely to result in a high risk" to rights and freedoms of natural persons (Art. 35) | Same threshold but renamed "assessment of high risk processing" |
| Consultation threshold | Must consult DPA if DPIA indicates residual high risk (Art. 36) | Consultation obligation removed by DPDI Act; entities must still conduct assessments, but there is no mandatory consultation with the ICO |
Practical impact: Under the EU GDPR, high-residual-risk processing requires prior consultation with the DPA. Under the UK regime post-DPDI, this consultation obligation has been removed, reducing regulatory interaction but also reducing the safeguard.
4. Data Protection Officers (DPOs)
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| DPO required | Mandatory for public authorities, large-scale monitoring, large-scale sensitive data processing (Art. 37) | DPO requirement replaced with "senior responsible individual" (SRI) requirement |
| SRI role | N/A | Senior management member responsible for data protection oversight |
| DPO protections | Cannot be dismissed or penalised for performing DPO tasks (Art. 38(3)) | SRI is a management role β different employment protection model |
| DPO expertise | Expert knowledge of data protection law required (Art. 37(5)) | No specific expertise requirement for SRI (though ICO guidance recommends knowledge) |
Practical impact: Organisations operating in both jurisdictions will likely maintain a DPO (to satisfy the EU requirement) and designate them or another person as the UK SRI. The different protections and expertise requirements create complexity in role design.
5. Subject Access Requests (SARs)
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| Right of access | Comprehensive right under Art. 15 | Same foundational right, with clarifications |
| Refusing or restricting | Can refuse if "manifestly unfounded or excessive" (Art. 12(5)) | DPDI Act adds: can refuse if request is "vexatious" or "excessive"; cost threshold potentially applicable |
| Response deadline | 1 month (extendable to 3 months for complex requests) | Same |
Practical impact: The UK regime gives controllers slightly more latitude to refuse burdensome SARs, but the core right of access remains substantively the same.
6. Automated Decision-Making
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| Art. 22 rights | Right not to be subject to solely automated decisions with legal/significant effects; exceptions for contract, consent, and member state law | Similar rights maintained, with modifications to safeguards |
| Meaningful information | Must provide "meaningful information about the logic involved" (Art. 13(2)(f)) | Similar, but DPDI Act acknowledges that explanation of logic may be limited by trade secrets and IP |
Practical impact: Both regimes protect individuals from harmful automated decisions, but the UK approach gives slightly more weight to controllers' commercial interests in the detail of explanations provided.
7. Research Exemptions
| Aspect | EU GDPR | UK GDPR (post-DPDI Act) |
|---|---|---|
| Scientific research | Broad exemption in Art. 89; member states may derogate from certain rights | DPDI Act broadens the definition of scientific research and eases conditions for re-use of personal data for research |
| Purpose limitation | Further processing for research is compatible under Art. 5(1)(b) | Same principle, with DPDI Act clarifying that research includes commercial research |
Practical impact: The UK is positioning itself as more research-friendly, which may benefit pharmaceutical, biotech, and AI companies but creates additional divergence from the EU position.
8. Cookies and Electronic Marketing
| Aspect | EU ePrivacy | UK PECR |
|---|---|---|
| Cookie consent | Required for non-essential cookies (ePrivacy Directive + GDPR consent standards) | Same under PECR, but DPDI Act may introduce changes (analytics cookies potentially exempt) |
| Soft opt-in | Exists in EU ePrivacy Directive for existing customer marketing | Exists in PECR; DPDI Act broadens to include non-commercial organisations |
The EU Adequacy Decision for the UK: Status and Risks
What the Adequacy Decision Is
On June 28, 2021, the European Commission adopted an implementing decision recognising the UK as providing an adequate level of data protection (Decision (EU) 2021/1772). This decision allows personal data to flow freely from the EU/EEA to the UK without requiring additional transfer mechanisms (Standard Contractual Clauses, Binding Corporate Rules, etc.).
The Sunset Clause
The UK adequacy decision was adopted with a sunset clause, initially set to expire after four years (June 27, 2025) unless renewed. The European Commission must continuously monitor the UK's data protection landscape and can amend, suspend, or revoke the decision at any time if the level of protection is no longer adequate.
Current Status (March 2026)
The adequacy assessment is an ongoing process. As of March 2026:
- The European Commission has been conducting its review of the UK adequacy decision, assessing whether the UK continues to provide an essentially equivalent level of data protection
- The DPDI Act 2024 has been a central focus of the Commission's assessment, given its amendments to the UK GDPR
- The European Data Protection Board (EDPB) has provided its opinion to the Commission as part of the review process
- The UK government and ICO have engaged in dialogue with the Commission to demonstrate continued adequacy
The adequacy outcome remains consequential. If adequacy were not maintained, organisations transferring personal data from the EU to the UK would need to implement Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other Article 46 transfer mechanisms, a significant operational and legal burden.
"The adequacy decision is not a permanent arrangement; it is a continuous assessment. The European Commission must be satisfied that the UK provides an essentially equivalent level of data protection. Legislative changes in the UK, enforcement practice, and government access to data are all factors that the Commission monitors. Organisations should plan for both scenarios: continued adequacy and potential lapse."
-- Andrea Jelinek, former Chair of the European Data Protection Board (EDPB), at the IAPP Europe Data Protection Intensive, May 2025
What Organisations Should Do
Regardless of the adequacy outcome, organisations should:
- Monitor developments: follow European Commission announcements and EDPB opinions
- Have contingency plans: be ready to implement SCCs for UK-EU transfers if adequacy is not maintained
- Document your transfer mechanisms: maintain records showing which mechanism applies to each transfer
- Conduct Transfer Impact Assessments (TIAs): even under adequacy, best practice is to assess the risks of transfers
Data Transfers Between the UK and EU
EU to UK Transfers
| Scenario | Mechanism Required |
|---|---|
| While adequacy decision is in force | No additional mechanism required (free flow) |
| If adequacy lapses | SCCs (EU 2021 version), BCRs, derogations under Art. 49, or approved codes/certifications |
UK to EU/EEA Transfers
The UK recognises all EEA countries as providing adequate data protection. Transfers from the UK to the EU/EEA require no additional mechanism.
UK to Third Country Transfers
The UK is developing its own adequacy framework, independent of the EU's:
| UK Adequacy Decisions | Status |
|---|---|
| EEA countries | Recognised as adequate |
| United States (via UK Extension to the EU-US Data Privacy Framework, the "UK-US Data Bridge") | In force since October 12, 2023 |
| Other countries with EU adequacy | Transitionally recognised; UK conducting own assessments |
| UK International Data Transfer Agreement (IDTA) | UK alternative to EU SCCs for transfers to non-adequate countries |
| UK Addendum to EU SCCs | Allows use of EU SCCs with a UK addendum for UK transfers |
Key divergence: The UK has adopted its own transfer risk assessment approach that is less prescriptive than the EU's post-Schrems II framework. The ICO's Transfer Risk Assessment tool provides a structured but more pragmatic approach compared to the EDPB's recommendations.
International Data Transfers: Diverging Approaches
The Post-Schrems II Landscape
The CJEU's Schrems II judgment (Case C-311/18, July 16, 2020) invalidated the EU-US Privacy Shield and required data exporters to conduct transfer impact assessments (TIAs) for SCC-based transfers. The EDPB issued Recommendations 01/2020 on supplementary measures providing detailed guidance.
| Aspect | EU Approach | UK Approach |
|---|---|---|
| Transfer impact assessment | Required for SCC/BCR transfers (EDPB Recommendations 01/2020) | Required but ICO takes a more "risk-based, proportionate" approach |
| Government access assessment | Must assess whether destination country laws undermine data protection | Similar requirement but ICO guidance is less prescriptive |
| Supplementary measures | May be needed to bring protection to "essential equivalence" | May be needed but threshold is practical effectiveness |
| Standard Contractual Clauses | EU SCCs (Commission Implementing Decision 2021/914) | UK IDTA or UK Addendum to EU SCCs |
| Adequacy approach | Based on "essential equivalence" to EU GDPR | UK applies "data protection test": not required to be equivalent to UK GDPR, but must not "materially lower" protection |
UK's "Data Protection Test" for Adequacy
The DPDI Act 2024 introduced a new test for UK adequacy regulations. Rather than requiring the destination country to have "essentially equivalent" protection (the EU standard), the UK applies a "data protection test" that asks whether the standard of data protection in the destination country would "materially lower" the level of protection for UK data subjects.
This is a subtly but significantly different standard. Critics argue it could lead to the UK recognising countries as adequate that the EU would not β which, in turn, could threaten the UK's own adequacy status with the EU (if the Commission perceives the UK as enabling "onward transfers" to insufficiently protective jurisdictions).
ICO vs EU Data Protection Authorities
Structural Differences
| Aspect | EU DPAs | ICO |
|---|---|---|
| Number | 30+ DPAs across the EU/EEA | Single authority |
| Coordination | EDPB consistency mechanism, one-stop shop for cross-border cases | No coordination needed β sole authority |
| Independence | Required by Art. 52 GDPR; concerns raised about some national DPAs | Independent public authority; concerns about government influence via DPDI Act |
| Resources | Varies widely: German DPAs and CNIL well-resourced; some smaller DPAs under-resourced | Budget of approximately GBP 75 million (2024-25) |
| Enforcement style | Varies: CNIL and DPC issue large fines; some DPAs prefer guidance-first | Historically guidance-focused; increasing enforcement but lower fine levels than some EU DPAs |
Enforcement Comparison (2024-2025)
| Metric | EU DPAs (aggregate) | ICO |
|---|---|---|
| Total fines issued (2024) | EUR 2.1+ billion | GBP 41 million |
| Largest single fine (2023) | EUR 1.2 billion (Meta, by Irish DPC) | GBP 12.7 million (Clearview AI) |
| Enforcement actions | 900+ formal decisions | ~100 formal actions (enforcement notices, fines, reprimands) |
| Focus areas | Big tech, cross-border transfers, cookie consent, consent, transparency | Direct marketing (PECR), cyber security, public sector, nuisance calls |
Sources: EDPB Annual Report 2024, ICO Annual Report 2024-25
The One-Stop Shop Mechanism
Under the EU GDPR, organisations with establishments in multiple EU member states benefit from the one-stop shop mechanism (Articles 56-60): a single lead supervisory authority handles cross-border cases, coordinating with concerned DPAs through the EDPB consistency mechanism.
The UK has no equivalent. The ICO is the sole authority, so there is no coordination needed within the UK. However, this means organisations cannot use a single DPA for both EU and UK compliance; they will interact with the ICO for UK matters and a lead EU DPA for EU matters.
The UK Data Protection and Digital Information Act 2024
The DPDI Act (Data Protection and Digital Information Act 2024) received Royal Assent on October 24, 2024 and introduces the most significant changes to the UK's data protection framework since Brexit. Key provisions are being brought into force progressively.
Major Changes Introduced by the DPDI Act
| Change | Description | EU GDPR Equivalent |
|---|---|---|
| Recognised legitimate interests | Schedule A1 lists activities where no balancing test is needed | No equivalent; full balancing test always required |
| Senior responsible individual | Replaces DPO requirement for certain organisations | DPO remains mandatory under Art. 37 |
| Consultation obligation removed | No mandatory consultation with ICO for high-risk processing | Art. 36 consultation with DPA remains |
| Research broadened | Scientific research includes commercial research; purpose limitation eased | Narrower research exemptions |
| Automated decision-making reforms | Modified safeguards; acknowledgment of trade secrets | Art. 22 rights with full logic explanation |
| International transfers | New "data protection test" for adequacy; IDTA | Essential equivalence test |
| Cookie reform | Potential exemptions for analytics and similar cookies | Strict consent for non-essential cookies |
| Trust services | New framework for UK trust services post-eIDAS | EU eIDAS Regulation |
| Digital verification services | New regulatory framework | No direct equivalent |
Assessment: Does the DPDI Act Risk EU Adequacy?
This is the central question for dual-jurisdiction organisations. The DPDI Act was designed to reduce compliance burdens while maintaining "high standards of data protection", but the EU's adequacy assessment depends on whether the Commission considers the UK's regime to be "essentially equivalent" in the protection it provides.
Areas of potential concern:
- Recognised legitimate interests without balancing tests could be seen as lowering individual protections
- Removal of DPA consultation for high-risk processing reduces an important safeguard
- Lower adequacy threshold for UK international transfers could enable data flows to countries the EU considers inadequate
- Reduced DPO protections (SRI vs DPO) could be viewed as weakening internal accountability
Areas supporting continued adequacy:
- The core data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) remain intact
- Individual rights (access, rectification, erasure, portability, objection) are preserved
- ICO enforcement powers are maintained and in some areas enhanced
- The Human Rights Act 1998 (incorporating ECHR Art. 8, right to privacy) continues to provide constitutional-level privacy protection
Practical Implications for Dual-Jurisdiction Organisations
Scenario: UK Company With EU Customers
| Obligation | What You Must Do |
|---|---|
| Comply with EU GDPR | For processing of EU data subjects' personal data (Art. 3(2) GDPR) |
| Comply with UK GDPR | For processing within the UK |
| Appoint EU representative | Required under Art. 27 GDPR if no EU establishment |
| Data transfers | UK to EU: no issue (UK recognises EU as adequate). EU to UK: depends on adequacy decision status |
| DPO | Required under EU GDPR if criteria met; UK SRI also required |
| DPIA | Must follow EU GDPR DPIA rules for EU processing; UK rules for UK processing |
| Breach notification | 72 hours to relevant DPA: ICO for UK breaches, lead EU DPA for EU breaches |
Scenario: EU Company With UK Customers
| Obligation | What You Must Do |
|---|---|
| Comply with UK GDPR | For processing of UK data subjects' personal data (UK GDPR Art. 3(2)) |
| Comply with EU GDPR | For processing within the EU |
| Appoint UK representative | Required under UK GDPR Art. 27 if no UK establishment |
| Data transfers | EU to UK: depends on adequacy decision status. UK to EU: no issue |
| DPO/SRI | DPO under EU GDPR; SRI for UK operations |
| Breach notification | To both ICO (for UK breaches) and relevant EU DPA (for EU breaches) |
Scenario: Multinational With EU and UK Establishments
| Obligation | What You Must Do |
|---|---|
| Dual compliance | Full compliance with both regimes for respective processing |
| Lead DPA (EU) | Determined by main establishment under one-stop shop |
| ICO | Separate relationship for UK processing |
| Records of processing | May need dual records or a single register covering both regimes |
| Privacy policies | Must address requirements of both regimes; consider dual-layered notices |
| Contracts | Data processing agreements must satisfy both Art. 28 GDPR and UK GDPR Art. 28 |
UK GDPR and the EU AI Act
The intersection of data protection and AI regulation creates additional complexity for organisations operating across jurisdictions.
EU Position
The EU AI Act (Regulation 2024/1689) and the EU GDPR apply simultaneously when AI systems process personal data. Key intersections include automated decision-making (GDPR Art. 22 + AI Act risk classification), data governance (GDPR data quality principles + AI Act Art. 10), transparency (GDPR Art. 13-14 + AI Act Art. 13), and data protection impact assessments (GDPR Art. 35 + AI Act fundamental rights impact assessment Art. 27).
UK Position
The UK has not adopted equivalent AI legislation to the EU AI Act. Instead, it has pursued a sector-specific, principles-based approach through the AI Regulation White Paper (2023) and guidance from existing regulators (ICO, FCA, CMA, Ofcom, etc.). The ICO has published guidance on AI and data protection that applies GDPR principles to AI but does not create new AI-specific legal obligations.
| Aspect | EU | UK |
|---|---|---|
| AI-specific legislation | EU AI Act (mandatory) | No equivalent (principles-based guidance) |
| Data protection + AI | GDPR + AI Act (dual regime) | UK GDPR only (single regime, guidance-based) |
| High-risk AI obligations | Mandatory conformity assessment, documentation, oversight | No equivalent mandatory requirements |
| AI literacy | Mandatory under AI Act Art. 4 | No legal requirement |
Practical impact: UK organisations using AI face lighter regulatory obligations than EU counterparts, but those selling AI into the EU market must still comply with the AI Act. Organisations operating in both jurisdictions must plan for the higher (EU) standard.
Enforcement Trends: ICO vs EU DPAs
ICO Enforcement (2024-2025)
The ICO's enforcement priorities have focused on:
- Direct marketing violations (PECR enforcement, nuisance calls and texts)
- Public sector data breaches (police forces, government departments)
- Cyber security failings (ransomware incidents where security was inadequate)
- Biometric and surveillance technologies (Clearview AI, facial recognition)
- Children's privacy (Age-Appropriate Design Code enforcement)
The ICO has historically favoured engagement and guidance over punitive enforcement, though this approach has been criticised by privacy advocates as insufficiently deterrent.
EU DPA Enforcement (2024-2025)
EU DPA enforcement has been characterised by:
- Large technology company fines (Meta, Google, Amazon, TikTok)
- Cross-border enforcement through the one-stop shop mechanism (Irish DPC as lead for many tech companies)
- Cookie consent enforcement, particularly by CNIL in France
- International transfer enforcement (post-Schrems II scrutiny)
- AI and automated decision-making (emerging focus area)
- Employee monitoring (growing area of enforcement)
Key Differences in Approach
| Dimension | ICO | EU DPAs (general trend) |
|---|---|---|
| Fine levels | Lower (median fine ~GBP 100K-500K) | Higher (median varies but billion-euro fines for tech) |
| Big tech enforcement | Limited (most big tech headquartered in Ireland/EU for data purposes) | Extensive through one-stop shop |
| Guidance vs enforcement | Guidance-first approach | Increasingly enforcement-first, especially CNIL, Spanish AEPD |
| Public sector | Active enforcement against government bodies | Varies by member state |
| Proactive audits | Increasing use of assessment notices | Varies; some DPAs very active (Baden-Württemberg DPA) |
Building a Dual-Compliance Framework
Strategic Approach: Comply to the Higher Standard
For most organisations, the most efficient approach is to build a compliance framework that satisfies the stricter of the two regimes for each specific obligation, then document where the UK's lighter requirements allow flexibility.
Framework Architecture
| Component | Approach |
|---|---|
| Data protection principles | Identical in both regimes: single set of principles |
| Lawful basis | Document lawful basis under both regimes; note where UK recognised legitimate interests apply |
| Individual rights | Implement to EU standard; note UK SAR flexibilities |
| DPO/SRI | Appoint DPO satisfying EU requirements; designate as SRI for UK |
| DPIAs | Conduct DPIAs for high-risk processing under both regimes; note UK consultation exemption |
| Breach notification | Dual notification to ICO and lead EU DPA as appropriate |
| International transfers | Maintain EU SCCs and/or UK IDTA as needed; TIA under both frameworks |
| Records of processing | Single register covering both regimes |
| Privacy notices | Dual-purpose notices addressing both EU and UK requirements |
| Data processing agreements | Ensure contracts satisfy both Art. 28 GDPR and UK GDPR Art. 28 |
| Training | Train staff on both regimes, highlighting differences |
Common Mistakes
- Assuming the two regimes are identical: they are diverging, and the differences matter
- Ignoring UK representative requirements: EU companies need a UK representative if they have no UK establishment but process UK data
- Using the wrong SCCs: EU SCCs cannot be used alone for UK transfers; the UK IDTA or UK Addendum is needed
- Failing to monitor the adequacy decision: organisations need contingency plans
- Applying UK relaxations to EU processing: the recognised legitimate interests list only applies under UK GDPR, not EU GDPR
Conclusion: Navigating Two Regimes
The EU GDPR and UK GDPR began as the same law and are still more similar than different. The core principles, individual rights and accountability framework remain substantially aligned, and for most processing activities a single well-designed compliance programme will satisfy both regimes.
But the divergence is real and growing. The DPDI Act 2024 has introduced meaningful differences in legitimate interests, DPO requirements, DPIA consultation and international transfer standards. The adequacy decision review adds uncertainty. And the different enforcement cultures, the ICO's pragmatic approach versus the increasingly assertive posture of some EU DPAs, mean that the same compliance posture may produce different regulatory outcomes in each jurisdiction.
Organisations operating across both jurisdictions should:
- Understand the specific differences outlined in this guide
- Build to the higher standard as a baseline, with documented UK-specific flexibilities
- Monitor the adequacy decision and have contingency plans for transfers
- Train staff on both regimes, not just "GDPR" in the generic sense
- Maintain separate regulatory relationships with the ICO and the relevant EU DPA(s)
- Review contracts and privacy notices to ensure they address both frameworks
Need Help With Dual-Jurisdiction Data Protection?
CompliQuest provides GDPR training and compliance guidance for organisations operating across the UK and EU, covering both regimes and the practical differences that matter.
Browse Our GDPR & Data Protection Courses or Contact Us for Compliance Support
Frequently Asked Questions
Is the UK GDPR the same as the EU GDPR?
Not anymore. At the end of the Brexit transition period (December 31, 2020), the UK GDPR was substantively identical to the EU GDPR, having been "onshored" into UK law through the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. However, the UK's Data Protection and Digital Information Act 2024 introduced meaningful amendments, including: a list of "recognised legitimate interests" that do not require a balancing test; replacement of the DPO with a "senior responsible individual"; removal of mandatory DPA consultation for high-risk processing; broadened research exemptions; and a different standard for international transfer adequacy assessments. The core data protection principles and individual rights remain substantially aligned, but the operational requirements are diverging.
What are the key differences between EU GDPR and UK GDPR?
The most significant differences as of 2026 are: (1) Legitimate interests: the UK has a list of recognised legitimate interests not requiring a balancing test (Schedule A1, DPDI Act), while the EU requires the full three-part test (purpose, necessity, balancing) for all legitimate interest processing. (2) DPO vs SRI: the EU requires a Data Protection Officer; the UK has replaced this with a "senior responsible individual" with different expertise requirements and protections. (3) DPIA consultation: the EU requires prior consultation with the DPA under Art. 36 where residual risk remains high; the UK has removed this obligation. (4) International transfers: the UK uses a "data protection test" for adequacy (whether the standard of protection is "not materially lower" than the UK's); the EU uses "essential equivalence". (5) Enforcement: the ICO and EU DPAs have different enforcement priorities and fine levels. (6) AI regulation: the EU has the AI Act alongside the GDPR; the UK has no equivalent AI legislation.
Do I need to comply with both the EU GDPR and UK GDPR?
Yes, if you process personal data of individuals in both jurisdictions. Article 3 of each regime gives it extraterritorial reach. If you are a UK company offering goods or services to individuals in the EU, or monitoring their behaviour, the EU GDPR applies. If you are an EU company offering goods or services to individuals in the UK, or monitoring their behaviour, the UK GDPR applies. If you have establishments in both jurisdictions, both apply to processing carried out in the context of those establishments. Controllers and processors caught by Art. 3(2) with no EU establishment must appoint an EU representative (Art. 27 GDPR), and those with no UK establishment must appoint a UK representative (UK GDPR Art. 27), in each case unless the Art. 27(2) exemption for occasional, low-risk processing applies.
What is the status of the EU adequacy decision for the UK?
The European Commission adopted an adequacy decision for the UK on June 28, 2021 (Decision (EU) 2021/1772), enabling free data flows from the EU/EEA to the UK. The decision was adopted with a four-year sunset clause, so it lapses unless the Commission renews it, and it is subject to continuous monitoring by the Commission. The UK's Data Protection and Digital Information Act 2024 introduced changes that the Commission is assessing as part of its ongoing review. The Commission has the power to amend, suspend or revoke the adequacy decision at any time if it determines that the UK no longer provides essentially equivalent protection. Organisations should monitor the adequacy review and have contingency plans (such as pre-signed EU SCCs) ready in case adequacy is not maintained.
What transfer mechanisms exist between the UK and EU?
EU to UK: While the adequacy decision is in force, no additional mechanism is required. If adequacy lapses, organisations must use EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Binding Corporate Rules (Art. 47 GDPR) or Article 49 derogations. UK to EU: The UK recognises all EEA countries as adequate, so no additional mechanism is needed. UK to third countries: The UK has its own transfer mechanisms, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. The UK has also established the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework), which covers transfers from the UK to US organisations certified under the DPF and its UK Extension.
Which regime is stricter: EU GDPR or UK GDPR?
The EU GDPR is generally considered the stricter regime following the UK's DPDI Act amendments. Key areas where the EU is more demanding include: the full legitimate interest balancing test (vs the UK recognised interests list), mandatory DPA consultation for high-risk processing (removed in the UK), stricter DPO requirements with employment protections (vs the UK SRI), the "essential equivalence" test for adequacy decisions (vs the UK "data protection test"), and the enforcement posture of some EU DPAs (larger fines, more proactive audits). However, the UK retains strong data protection standards, and the ICO is an active regulator. For practical purposes, organisations that comply with the EU GDPR will generally satisfy the UK GDPR, but not necessarily vice versa, particularly in areas where the DPDI Act has introduced UK-specific flexibilities.
Related Insights
- GDPR Training for Employees: Complete Guide 2026: Building effective data protection training programmes.
- 7 GDPR Mistakes That Could Cost Your Company Millions in 2025: Common compliance failures and how to avoid them.
- What Is a Privacy Impact Assessment? Guide 2026: DPIAs under both EU and UK frameworks.
- CCPA Data Breach Requirements Guide 2026: US data protection alongside GDPR and UK GDPR.
Our Data Protection & GDPR Courses
- Compliance & Regulatory Training: GDPR, UK GDPR and international data protection training programmes.
- Contact us for dual-jurisdiction compliance support and tailored training.
