ISpectra Technologies
Comparisons · Guide · Updated Jun 2026 · 9 min read

UK GDPR vs EU GDPR: What Changed After Brexit

After Brexit the UK kept GDPR almost word-for-word — but two parallel regimes now exist. Here’s what differs and what it means for you.


When the UK left the EU, it retained the GDPR in domestic law, with the EU-specific references amended, as the “UK GDPR”, sitting alongside the Data Protection Act 2018. The text is almost identical to the EU GDPR, so the principles, lawful bases and rights are the same. What changed is that there are now two separate legal regimes, two sets of regulators, and several practical differences that matter for anyone pursuing GDPR compliance on both sides of the Channel.

This guide explains what actually changed, what stayed the same, and how to run a single efficient programme that satisfies both regimes without duplicating work.

The short answer

UK GDPR and EU GDPR are substantively the same law. The seven principles, the six lawful bases, the eight data subject rights, the 72-hour breach-notification rule and the accountability obligations all carry across unchanged. If you are compliant with one, you are most of the way to the other.

The differences are about jurisdiction, supervision, representatives and international transfers rather than the day-to-day rules. The “what you must do” is shared; the “who oversees it and how data leaves the country” is where they diverge.

Key differences at a glance

The table below summarises where the two regimes part company. Use it as a quick reference, then read on for the practical implications.

Area | EU GDPR | UK GDPR
Applies to | Processing of data of individuals in the EU/EEA (or by EU-established organisations) | Processing of data of individuals in the UK (or by UK-established organisations)
Regulator | National DPAs, coordinated by the EDPB | The Information Commissioner’s Office (ICO)
Representative | EU representative if established outside the EU but in scope | UK representative if established outside the UK but in scope
Maximum fine | €20m or 4% of global annual turnover, whichever is higher | £17.5m or 4% of global annual turnover, whichever is higher
Transfers out | EU SCCs or an EU adequacy decision | UK IDTA / UK Addendum or UK adequacy regulations
EU–UK data flow | EU to UK permitted under the EU’s adequacy decision for the UK (time-limited, subject to review) | UK to EEA permitted under the UK’s adequacy regulations


What stayed the same

Almost everything substantive. The seven principles, the lawful bases, the standard for valid consent, the data subject rights, DPIAs, records of processing, the rules on when you need a Data Protection Officer and the 72-hour breach-notification duty are effectively identical between the two regimes.

This continuity is deliberate: the UK wanted to preserve frictionless data flows with Europe. For most organisations it means your existing policies, privacy notices and controls remain valid — they simply need to reference both regimes where your processing touches both populations.

Who needs to comply with both

If you handle the personal data of both EU and UK residents — the norm for any business serving customers across the Channel — you fall under both regimes at once. That has two practical consequences.

First, your documentation should acknowledge both the ICO and the relevant EU authority. Second, if you are established outside both territories but in scope, you may need to appoint two representatives — one in the EU and one in the UK — as a local point of contact for individuals and regulators.

Who enforces each regime

In the EU, enforcement is handled by national data protection authorities, such as Ireland’s DPC, France’s CNIL or Germany’s federal and state regulators. They are coordinated through the European Data Protection Board (EDPB), which issues guidance and settles disputes between authorities. For cross-border processing the one-stop-shop mechanism makes the authority in the organisation’s main EU establishment the lead supervisory authority, with the other affected authorities acting as concerned authorities.

In the UK, there is a single regulator: the Information Commissioner’s Office (ICO). That means one point of contact and one set of guidance, which many UK-focused organisations find simpler to navigate than the EU’s multi-authority structure.

International transfers after Brexit

This is the area that changed most. Transfers of personal data out of the EU rely on an EU adequacy decision covering the destination or, where there is none, on an Article 46 safeguard, most commonly the EU Standard Contractual Clauses (SCCs) backed by a transfer risk assessment. Transfers out of the UK follow the same logic with UK instruments: the UK’s own adequacy regulations, or the International Data Transfer Agreement (IDTA), or the UK Addendum, which attaches to the EU SCCs so that a single contract can cover both regimes, together with a UK transfer risk assessment. The 2021 EU SCCs on their own do not cover a UK restricted transfer; they need the Addendum, and contracts still resting on the pre-Brexit EU SCCs ceased to be valid for UK transfers in March 2024, so check which version each vendor contract actually uses.

The crucial point for most businesses is the Channel crossing itself. The European Commission granted the UK an adequacy decision, so personal data can move from the EU to the UK without additional safeguards, and the UK’s adequacy regulations recognise the EEA states in the other direction. The EU decision is time-limited and subject to review, so it belongs on your monitoring list, but for now EU–UK transfers in both directions are straightforward.

Handled well, this is one more building block of practical GDPR compliance.

Representatives: do you need one (or two)?

If your organisation is established outside the EU but processes the data of individuals in the EU in a way that brings you within Article 3(2) (offering them goods or services, or monitoring their behaviour), you generally need an EU representative, unless the Article 27(2) exemption for occasional, low-risk processing applies. The UK GDPR mirrors this: an organisation outside the UK that targets or monitors individuals in the UK generally needs a UK representative, with the same exemption.

A business based in, say, the United States that serves customers in both the EU and the UK could therefore need both. The representative is a local contact point, named in your privacy notice, that individuals and regulators can approach directly.

Practical steps if you operate in both

Start by mapping which of your processing activities touch individuals in the EU, in the UK, or both; you cannot manage what you haven’t identified. Update privacy notices to reference both regimes where relevant, appoint EU and/or UK representatives if required, and make sure your transfer paperwork uses the correct mechanism for each direction of travel, recording in your records of processing which instrument covers each transfer.

The good news is that you do not need two separate compliance programmes. Because the substance is shared, the efficient approach is one programme with a thin jurisdictional layer on top. ISpectra Technologies helps organisations design exactly that — satisfying both the EU and UK regimes from a single set of policies, controls and evidence.

Keeping an eye on the future

The two regimes started identical, but they can drift apart over time as the UK enacts reforms to its data protection framework and the EU updates its guidance. The reforms enacted or proposed so far adjust details rather than the fundamentals, but they are worth tracking if you operate in both markets.

The practical takeaway is to build your programme around the shared core and treat the jurisdictional details — regulator, representative, transfer tool — as configurable settings you can adjust if the law evolves, rather than rebuilding from scratch.

How the Data Protection Act 2018 fits in

The UK GDPR does not stand alone: it works together with the Data Protection Act 2018 (DPA 2018), which fills in the detail the GDPR leaves to member states — exemptions, special category conditions, and rules for law enforcement and intelligence processing. So when people say “UK GDPR” in practice they usually mean the combination of the retained GDPR and the DPA 2018.

The EU equivalent is each member state’s own implementing law alongside the GDPR. The upshot is the same in both places: the GDPR sets the framework, and national legislation tailors the edges, so always check the local implementing act for specifics.


Cookies and marketing in both regimes

Rules on cookies and electronic marketing come from the ePrivacy regime, not the GDPR itself: the EU’s ePrivacy Directive (and its national implementations) and, in the UK, the Privacy and Electronic Communications Regulations (PECR). Both sit on top of the GDPR, both use the GDPR standard of consent, and both still require consent for non-essential cookies and for most direct marketing, with PECR’s soft opt-in for existing customers being the main exception.

For businesses operating across the Channel this means broadly aligned obligations: clear cookie consent, a lawful basis for marketing, and an easy opt-out. Aligning your consent banner and marketing permissions to the stricter of the two keeps you compliant in both markets at once.

FAQ

UK GDPR vs EU GDPR — Frequently Asked Questions

Is the UK GDPR the same as the EU GDPR?
Substantively yes. The UK retained the GDPR almost word-for-word. The main differences are the regulator (the ICO), representatives, fine currency and transfer mechanisms.

Who enforces the UK GDPR?
The Information Commissioner’s Office (ICO). The EU GDPR is enforced by national authorities, coordinated by the European Data Protection Board.

Can personal data still flow from the EU to the UK?
Yes, for now. The EU granted the UK an adequacy decision, so EU–UK transfers are permitted. The decision is time-limited and subject to periodic review.

Do I need two representatives?
If you are established outside both the EU and the UK but process data of individuals in both, you may need a representative in each.

What is the maximum fine under the UK GDPR?
Up to £17.5 million or 4% of global annual turnover, whichever is higher, mirroring the EU’s €20 million cap.

Which transfer mechanism applies to transfers out of the UK?
The UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, or UK adequacy regulations where the destination is covered.