UK GDPR vs EU GDPR: what's actually different?

by
Mark McShane
May 12, 2026

A current comparison of the UK and EU versions of GDPR, including the divergence created by the Data (Use and Access) Act 2025 and what it means for UK and EU businesses.

For most of the period after Brexit, UK GDPR and EU GDPR were so similar that compliance with one was effectively compliance with the other. That changed in 2025. The Data (Use and Access) Act 2025 has introduced UK-specific reforms that, while not radical, mark the first real divergence between the two regimes.

This guide covers where the differences sit today, what they mean in practice, and what to watch for as the rest of the DUAA comes into force through 2026.

The short answer

UK GDPR and EU GDPR remain very similar in their fundamentals. Both have the same seven principles, the same definition of personal data, the same controller/processor framework, and most of the same individual rights. If your compliance programme is built around these, you are covering most of what each regime requires.

The differences sit in specific areas: a new UK lawful basis, automated decision-making rules, cookie consent under PECR, the test for international data transfers, and a rename of the regulator. These are real, but they are mostly additive — the UK has loosened a few obligations rather than tightening them.

The European Commission renewed the UK's adequacy decision on 19 December 2025, valid until 27 December 2031. That means personal data can continue to flow freely from the EU to the UK without further safeguards, and the EU has signalled — at least for now — that UK divergence is within tolerable limits.

Why the UK has its own GDPR

When the UK left the European Union, EU regulations stopped applying directly. To avoid losing the protection of GDPR overnight, the UK retained it in domestic law under the European Union (Withdrawal) Act 2018. The retained version became known as the UK GDPR. It came into effect on 1 January 2021, alongside the Data Protection Act 2018, which had been passed in 2018 to supplement the original EU GDPR.

So today, UK data protection law has three main pillars:

  • UK GDPR — the core rules on processing personal data.
  • Data Protection Act 2018 — UK-specific provisions, including law enforcement processing and exemptions.
  • Privacy and Electronic Communications Regulations 2003 (PECR) — rules on cookies, electronic marketing, and certain telecoms-specific data protections.

The Data (Use and Access) Act 2025 amended all three. It did not replace any of them.

Where the two regimes differ today

UK GDPR vs EU GDPR — where they differ in 2026

The substantive differences as of early 2026:

A new UK lawful basis: recognised legitimate interests

The DUAA introduced a seventh lawful basis for processing under Article 6(1)(ea) of the UK GDPR. It covers specific public-interest activities: crime prevention, safeguarding vulnerable people, responding to emergencies, safeguarding national security, and supporting public-interest tasks set out in law. Organisations relying on this basis do not need to carry out a legitimate interests assessment.

The EU GDPR has no equivalent. EU controllers in the same situations rely on the standard legitimate interests basis with the full balancing test.

Automated decision-making

The EU GDPR's Article 22 prohibits solely automated decisions that produce legal or similarly significant effects, with narrow exceptions. The UK has gone further: the DUAA repealed Article 22 and replaced it with Articles 22A to 22D, which permit solely automated decisions under any UK GDPR lawful basis, provided the decision doesn't rely on special category data and certain safeguards are in place. Controllers must tell people about significant automated decisions, allow representations, and provide human intervention on request.

This is the largest single divergence the DUAA has created.

Cookie consent and PECR exemptions

From 5 February 2026, certain low-risk cookies and similar technologies no longer require consent under PECR. The new exemption categories include cookies used purely for statistical purposes, those used to improve website functionality, and a handful of other narrow uses. The ICO's finalised Storage and Access Technologies guidance (29 April 2026) sets out the detail.

The EU's ePrivacy regime — the equivalent of PECR — still requires consent for most non-essential cookies. The proposed ePrivacy Regulation, which would have aligned the EU framework with GDPR, was formally withdrawn by the European Commission in 2025.

International data transfers

For transfers of personal data outside the UK, the DUAA replaced the EU-derived "essential equivalence" test with a UK-specific "not materially lower" test. Controllers and processors relying on safeguards like the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, now assess whether the destination country's protection is "not materially lower" than UK standards.

The phrasing matters. "Materially lower" is a more flexible standard than "essential equivalence" — it gives the UK government and UK organisations more room to characterise a destination as adequate.

PECR penalties

Before 5 February 2026, the maximum PECR fine was £500,000. The DUAA aligned PECR penalties with UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is higher. That's a 35-fold increase on the previous cap, and it makes cookie and direct marketing compliance significantly higher-stakes.

The EU equivalent regime in each member state varies, but most have lower caps than the new UK figure.

The regulator

The Information Commissioner's Office is being renamed the Information Commission under the DUAA. Its powers and governance structure have also been modernised — the regulator now has a board and chief executive rather than a single Commissioner. The substantive enforcement powers remain similar; the structural change matters more to organisations dealing with the regulator directly.

Scientific research

UK GDPR now contains explicit provisions facilitating scientific research, including a clearer definition of "broad consent" and an exemption from the Article 14 privacy notice obligation where providing the notice would require disproportionate effort. The EU GDPR has narrower research carve-outs.

Children's online services

The DUAA codifies expectations for online services likely to be accessed by children, requiring controllers to take account of "children's higher protection matters" when designing those services. This formalises what was previously in the ICO's Age Appropriate Design Code. The EU has similar protections, but the UK provisions are now statutory.

Practical implications for UK businesses

If your operations are entirely UK-facing, the DUAA gives you more flexibility in specific areas — automated decisions, certain analytics cookies, scientific research, recognised legitimate interests — but doesn't change the underlying compliance burden. The principles still apply. Subject access requests still need to be handled in a month. Breach notifications are still due within 72 hours.

The two practical changes most UK organisations should plan for:

  • A formal complaints procedure. From June 2026, individuals have a statutory right to complain directly to a controller. Controllers must acknowledge complaints within 30 days. You need a documented process, not just an email inbox.
  • PECR penalty exposure. If your cookie banner is non-compliant, or your marketing list management is loose, the maximum fine is now the same as a serious data breach. The ICO has said it is actively monitoring the top 1,000 UK websites for cookie compliance.

Practical implications for businesses with EU customers

If you offer goods or services to people in the EU, or monitor their behaviour, both UK GDPR and EU GDPR apply to your processing. You will need to comply with the stricter of the two for each activity. In practice, that often means following EU GDPR — particularly for automated decisions and cookie consent, where the EU framework is now the more demanding.

You may also need to appoint an EU representative under Article 27 of the EU GDPR if you don't have an establishment in an EU member state. The same requirement runs in the opposite direction: EU-only organisations targeting UK customers need a UK representative.

Adequacy works both ways for now. Personal data can move from the EU to the UK without additional safeguards thanks to the adequacy decision renewed in December 2025. Transfers from the UK to the EU were never restricted under UK rules.

What to watch over the next year

UK and EU GDPR divergence timeline

Several DUAA provisions are still rolling out through commencement regulations. The most significant remaining items:

  • The complaints procedure obligation — in force from June 2026.
  • Further ICO guidance — the regulator has flagged additional guidance on automated decision-making, recognised legitimate interests, and the new transfer test.
  • The Information Commission rename — the structural change to the regulator takes effect as commencement regulations are made.

The next political review point for the adequacy decision is 2031, but a major UK divergence — or a politically charged reform like reopening the question of GDPR data subject rights — could trigger earlier scrutiny.

For deeper context, our hub guide to UK GDPR covers the basics, our seven principles guide covers what's shared between the two regimes, and our cookie consent guide covers the PECR-specific changes in detail.

Frequently asked questions

Are UK GDPR and EU GDPR the same?

They are very similar in fundamentals but not identical. The DUAA has introduced UK-specific reforms in 2025–2026, including a new lawful basis, changes to automated decision-making, and cookie consent flexibilities.

Do I need to comply with both?

Only if you operate in or target both jurisdictions. UK GDPR applies to UK establishments and to organisations targeting UK residents; EU GDPR applies to EU establishments and to organisations targeting EU residents. Many UK businesses doing online commerce in the EU need to comply with both.

Will the UK lose EU adequacy?

Not in the immediate term. The adequacy decision was renewed in December 2025 and runs until 27 December 2031. The European Commission said the renewal indicates the UK's current direction is not, for now, considered to undermine the EU framework.

What's the biggest difference between UK GDPR and EU GDPR?

The rewrite of Article 22 on automated decision-making. The UK now permits solely automated decisions with legal effects under any lawful basis (subject to safeguards), while the EU still restricts them to narrow exceptions.

How does the DUAA change UK GDPR?

By adding new flexibility in several areas — a seventh lawful basis, automated decision-making, cookies, scientific research — and introducing some new obligations, particularly the direct right to complain to controllers from June 2026. It amends UK GDPR rather than replacing it.
