EU GDPR vs UK GDPR
After Brexit, the UK retained GDPR as domestic law but is gradually diverging. Understanding the differences is essential for companies serving both EU and UK markets.
At a Glance
Key differences between EU GDPR and UK GDPR for mid-market companies (<200 employees).
Detailed Comparison
| Comparison Point | EU GDPR | UK GDPR |
|---|---|---|
| Jurisdiction | EU/EEA (27 member states) | United Kingdom |
| Legal Basis | Regulation (EU) 2016/679 | Retained EU law via European Union (Withdrawal) Act 2018 |
| DSAR Response Deadline | 1 month | 1 month (identical) |
| DSAR Extension | +2 months | +2 months (identical) |
| Maximum Fine | €20M or 4% of global turnover | £17.5M or 4% of global turnover |
| Supervisory Authority | National DPAs (one per member state) | Information Commissioner's Office (ICO) |
| Representative Requirement | EU representative for non-EU controllers | UK representative for non-UK controllers |
| International Transfers | SCCs, BCRs, adequacy decisions | International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs |
| Adequacy Status | N/A (source jurisdiction) | EU adequacy decision for UK (expires June 2025, expected renewal) |
| Data Bridge | Not applicable | UK Extension to EU adequacy decisions for third countries |
| Age of Consent (Children) | 16 (member states may lower to 13) | 13 years |
| DPO Requirement | Required in specific cases | Required in specific cases (identical criteria) |
| Breach Notification | 72 hours to supervisory authority | 72 hours to ICO |
Post-Brexit Data Protection
When the UK left the EU on January 31, 2020, it incorporated GDPR into domestic law through the European Union (Withdrawal) Act 2018, creating what is commonly known as "UK GDPR." The Data Protection Act 2018 supplements it, much as member state laws supplement EU GDPR.
Initially, EU GDPR and UK GDPR were identical. However, the UK is gradually introducing divergences through the Data Protection and Digital Information Act, which received Royal Assent in 2024.
Adequacy and Data Transfers
The EU granted the UK an adequacy decision in June 2021, valid until June 2025. This means data can flow freely from the EU to the UK without additional safeguards — for now. The decision is expected to be renewed, but companies should monitor this closely and have contingency plans.
For transfers in the other direction (UK to third countries), the UK has established its own "Data Bridge" framework. Rather than creating entirely new adequacy assessments, the UK extends existing EU adequacy decisions to cover UK data transfers. The UK has also developed the International Data Transfer Agreement (IDTA) as its own alternative to EU Standard Contractual Clauses.
Key Divergences
Fines: EU GDPR fines are denominated in euros (€20M), while UK GDPR fines are in pounds (£17.5M). At current exchange rates, the UK cap is slightly lower.
Children's consent age: The UK set the age of consent for data processing at 13, while EU GDPR defaults to 16 (though member states can lower it to 13).
ICO approach: The ICO has generally taken a more pragmatic, business-friendly enforcement approach compared to some EU DPAs. The ICO focuses on outcomes and proportionality, which can result in different enforcement priorities.
Emerging divergences: The Data Protection and Digital Information Act introduces changes around legitimate interest processing, automated decision-making, and research provisions that create meaningful differences from EU GDPR.
Practical Impact for Mid-Market Companies
For most mid-market companies serving both EU and UK customers, the practical differences remain small. The core compliance requirements — lawful basis, DSAR handling, breach notification, DPIAs — are functionally identical. The main action items are: (1) appoint both an EU representative and a UK representative if you lack an establishment in each jurisdiction, (2) use the appropriate transfer mechanism (EU SCCs for EU data, IDTA or UK Addendum for UK data), and (3) monitor the adequacy decision renewal in 2025.
Which Law Applies to You?
EU GDPR applies if: You process personal data of individuals in the EU/EEA.
UK GDPR applies if: You process personal data of individuals in the UK.
Both apply if: You serve both EU and UK customers (very common). The good news: compliance requirements are still nearly identical. Appoint representatives in both jurisdictions and use the appropriate transfer mechanisms.
Disclaimer: This comparison is maintained independently by PrivacyCache for informational purposes. We strive for accuracy but laws evolve and specific requirements may change. This is not legal advice. Consult qualified legal counsel for compliance decisions. Last updated: 4/2/2026.
