UK GDPR vs EU GDPR after Brexit: what actually changed for British businesses

Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026

If you run a website for a UK business in 2026, the headline answer is the one most people don't believe: GDPR still applies, just under a different name and a different regulator. The substance is largely unchanged. The differences that matter are operational — which authority writes you the letter, which legal citation appears in your privacy notice, and what your obligations look like when you sell into the EU.

This guide is for British SMEs that are tired of being told they're either "still in GDPR" or "free of it" with no explanation of which is true. The real picture is more interesting and a lot more practical.

For a UK-specific compliance scan that picks up the gaps this article describes, run a free scan in 60 seconds.

The UK left the EU on 31 January 2020 and the Brexit transition period ended on 31 December 2020. From 1 January 2021, the EU GDPR no longer had direct effect in the UK. The UK Parliament had already prepared for this by retaining the text of the EU GDPR as domestic UK law and renaming it the UK GDPR.

Today the UK has four instruments that cover what used to be EU GDPR territory.

The UK GDPR is the retained version of EU Regulation 2016/679, amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and subsequent SIs. It looks and reads like EU GDPR. The lawful bases in Article 6 are identical. The data subject rights in Articles 15-22 are identical. The breach notification obligations in Articles 33-34 are identical.

The Data Protection Act 2018 (legislation.gov.uk) supplements UK GDPR with national-level derogations: age of consent for information society services (13 in the UK; 16 is the EU default), law-enforcement processing, immigration exemptions, certain research and journalism allowances. Most of it doesn't touch a typical small business website.

The Data (Use and Access) Act 2025 (legislation.gov.uk) is the most recent change and the one British SMEs hear about most in headlines. It tightened legitimate-interest tests, formalised certain "recognised legitimate interests" for fraud prevention and emergency processing, and clarified that scientific research processing has its own lawful-basis pathway. Crucially for website operators, it did not abolish cookie consent. The cookie regime still lives in PECR.

The Privacy and Electronic Communications Regulations 2003 (PECR) is the UK's transposition of the EU ePrivacy Directive. PECR Regulation 6 is the cookie rule, PECR Regulation 22 is the electronic-marketing rule, and PECR has its own monetary penalty regime separate from UK GDPR. The ICO can fine up to £500,000 for PECR breaches and up to £17.5 million (or 4% of global turnover) for UK GDPR breaches.

The regulator is the Information Commissioner's Office (ICO), headquartered in Wilmslow. John Edwards has been Information Commissioner since January 2022. The ICO publishes every monetary penalty notice, every reprimand, and every enforcement notice at ico.org.uk.

What stayed identical

For most SME website operations, UK GDPR and EU GDPR ask for the same things.

You need a lawful basis for processing personal data — the same six bases in Article 6, the same special-category bases in Article 9. You need to give people transparent information about what you do with their data — the same Article 13/14 disclosures. People can exercise the same data subject rights — access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. You have the same one-month default response window for subject access requests. You have to report personal data breaches to your supervisory authority within 72 hours where the threshold is met. The fines look broadly similar — £17.5M / 4% of global turnover under UK GDPR matches the EU's €20M / 4%.

If your privacy notice was already written for EU GDPR, the only edits needed for UK GDPR are typically the regulator name (ICO instead of an EU DPA), the legal citation pattern (UK GDPR instead of GDPR), and the right-to-complain reference (ICO instead of "your local supervisory authority"). The substance of your notice doesn't change.

This is why the EU's adequacy decision for the UK (European Commission, 28 June 2021, renewed late 2025) was uncontroversial. The European Commission examined the UK regime, found it broadly equivalent, and granted free flow of personal data from EU to UK. Without that decision, every Irish business with UK customers would need Standard Contractual Clauses with their UK suppliers.

Where the regimes diverge

The differences worth knowing about for a website operator are smaller than the post-Brexit headlines suggested but real. Six of them matter for SME compliance.

Cookies and PECR. The UK cookie regime is in PECR Regulation 6, which predates GDPR by 15 years and survived Brexit unchanged. The substance is identical to EU ePrivacy: prior consent for non-essential cookies, "strictly necessary" exception, no pre-ticked boxes, reject as easy as accept. The Data (Use and Access) Act 2025 narrowed some interpretations around analytics but the core rule is intact. The ICO has been publicly sharper on cookie banners than several EU regulators — its November 2023 letter to the top 100 UK websites named non-compliant sites and required redesign commitments within a deadline.

Imprint / business identification. The UK never had Germany's heavy Impressum tradition. Disclosure obligations come from two places. The Companies (Trading Disclosures) Regulations 2008, made under section 82 of the Companies Act 2006, require limited companies to display the registered name, registered number, place of registration (e.g. "Registered in England and Wales"), and registered office address on their website. The Electronic Commerce (EC Directive) Regulations 2002 (Reg 6) require any provider of online services to display a geographic address and direct contact email. There is no UK equivalent to the German Impressum's regulator-disclosure requirement for non-regulated businesses. The footer of a typical UK SME site is materially shorter than its German counterpart — by design, not oversight.

International data transfers. The UK uses the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, not the raw EU SCCs. The UK has its own adequacy decisions, mostly mirroring the EU list, plus the UK-US Data Bridge — the UK extension of the EU-US Data Privacy Framework, in force since 12 October 2023. If you scan privacy policies for transfer language, references to "Standard Contractual Clauses" alone will pass an EU lens but read as incomplete under UK GDPR. Privacy notices for UK-targeted sites should mention IDTA or the UK Addendum where SCCs are referenced.

Representatives. A non-UK business that targets UK individuals needs a UK Representative under Article 27 UK GDPR. A non-EU business that targets EU individuals needs an EU Representative under Article 27 EU GDPR. These are separate appointments. A single firm based in Dublin doesn't satisfy both for a US controller selling into both markets — they'd need a UK rep and an EU rep, or a single firm with offices in both jurisdictions willing to act in both capacities. Several specialist providers (DataRep, GDPR-Rep.eu, EDPO) offer this as a packaged service for £25-50/month per market.

Email marketing. PECR Regulation 22 governs UK electronic marketing. B2B email to corporate subscribers (UK limited companies and LLPs) doesn't require prior consent — only a clear sender ID and a working unsubscribe. B2C email and email to sole traders or partnerships needs consent, with a soft opt-in for existing customers buying similar products. This structural permission for limited-company B2B is similar to Ireland and the Netherlands but legally distinct. Spain and Germany are stricter — both require consent for B2B in most cases.

Age of consent. The UK threshold is 13 for information society services under section 9 of the Data Protection Act 2018. The EU default is 16, with member states free to lower it; Ireland sat at 16 until 2018 then dropped to 13, France is 15, Germany is 16. If you operate a service that's likely to be used by children (a tutoring site, a gaming forum), the UK is one of the lower thresholds in Europe.

Accessibility. This is where the UK and EU have genuinely diverged. The EU's European Accessibility Act (EAA) went live on 28 June 2025 and obliges private-sector e-commerce, banking, transport, ebooks, and other consumer-facing online services to meet WCAG 2.1 AA. The UK has no private-sector equivalent. UK accessibility law for the private sector relies on the Equality Act 2010's general duty to make "reasonable adjustments" — which courts have interpreted to cover websites, but it's not a prescriptive WCAG mandate. The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 apply only to public sector. Practical implication: a UK-only e-commerce site has materially less accessibility legal exposure than its French equivalent. A UK site that also sells to EU consumers is back inside the EAA perimeter.

For a deeper look at how these differences translate into specific scanner findings, see GDPR compliance for UK businesses: website checklist 2026.

The Data (Use and Access) Act 2025 in three sentences

The Act passed in early 2025 after the previous Data Protection and Digital Information Bill (DPDI) collapsed in the 2024 dissolution of Parliament. It modernises certain UK GDPR provisions: it formalises a list of "recognised legitimate interests" (fraud prevention, public-interest emergencies, defence), narrows the obligation to maintain Article 30 records of processing for SMEs that aren't doing high-risk processing, and clarifies that scientific research has its own lawful-basis pathway. For a typical small business website, the practical effects are: less paperwork on the records of processing side, slightly clearer rules for analytics and product improvement processing, and no change at all to cookie banner requirements.

Critically, the Act did not remove the cookie consent requirement. Press coverage in 2024-2025 implied otherwise — most of that coverage misread the earlier DPDI proposals, which had floated an analytics exemption that never made it into law. PECR is still the binding instrument, and ICO guidance is unchanged.

What this means in practice for your website

The differences above translate into a small number of concrete website changes. None of them are difficult.

If you operate a UK-only website, your privacy notice should reference UK GDPR rather than (EU) GDPR, name the ICO as the supervisory authority, and link to ico.org.uk/concerns as the complaints route. Your cookie banner should comply with PECR Regulation 6 — reject as easy as accept, no pre-ticked boxes, no analytics before consent. Your footer should display Companies House details if you're a limited company, plus a geographic address and direct email under the E-Commerce Regulations 2002. You don't need to do anything about EU SCCs unless you have non-UK suppliers handling personal data.

If you operate a UK website that also sells into the EU, you need both regimes side by side. Privacy notice references both UK GDPR and EU GDPR, names both the ICO and the relevant lead EU authority, and clarifies which applies to which data subjects. You need an EU representative under Article 27 EU GDPR. EAA accessibility requirements apply to your EU-facing surface. International data transfers from the EU to your UK servers rely on the EU's adequacy decision; transfers from the EU onward to a US processor rely on the EU-US Data Privacy Framework or SCCs.

If you're a non-UK business selling to UK customers, you mirror the second case from the other side. UK rep under Article 27 UK GDPR, privacy notice updated to reference UK GDPR alongside EU GDPR or your home regime, and PECR-compliant cookie behaviour for UK visitors.
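As an added illustration (not the scanner's code and not part of the original post), here is a small Python checker that encodes the three cases above as rules over the text of a privacy notice, including the SCC-without-IDTA point from the transfers section. The function name, the market labels and the sample notice are constructed for this example.

```python
import re

# Rules a UK-targeted notice should satisfy (constructed from the cases above).
UK_REGIME_RULES = [
    (r"\bUK GDPR\b", "notice does not cite UK GDPR"),
    (r"\bICO\b|Information Commissioner", "ICO not named as supervisory authority"),
    (r"ico\.org\.uk/concerns", "no link to ico.org.uk/concerns as the complaints route"),
]
# Extra rules when the same site also sells into the EU.
EU_REGIME_RULES = [
    (r"\(EU\)\s*GDPR|\bEU GDPR\b|2016/679", "notice does not cite EU GDPR"),
    (r"\bEU representative\b|Article 27 EU GDPR", "no EU representative (Article 27 EU GDPR) named"),
]
# Extra rule for a non-UK business selling to UK customers.
UK_REP_RULE = (r"\bUK representative\b|Article 27 UK GDPR", "no UK representative (Article 27 UK GDPR) named")

def check_privacy_notice(text, market):
    """Return a list of findings for a privacy notice.

    market is one of "uk_only", "uk_and_eu" or "non_uk_to_uk" (the three cases above).
    All three target UK individuals, so the UK rules always run."""
    flat = " ".join(text.split())  # collapse whitespace so phrases can span line breaks
    findings = []

    def run(rules):
        for pattern, message in rules:
            if not re.search(pattern, flat, re.IGNORECASE):
                findings.append(message)

    run(UK_REGIME_RULES)
    # Transfer language: SCCs alone pass an EU lens but read as incomplete under UK GDPR.
    mentions_scc = re.search(r"standard contractual clauses|\bSCCs?\b", flat, re.IGNORECASE)
    mentions_uk_tool = re.search(r"\bIDTA\b|International Data Transfer Agreement|UK Addendum", flat, re.IGNORECASE)
    if mentions_scc and not mentions_uk_tool:
        findings.append("SCCs referenced without IDTA or UK Addendum")
    if market == "uk_and_eu":
        run(EU_REGIME_RULES)
    elif market == "non_uk_to_uk":
        run([UK_REP_RULE])
    return findings

# Constructed sample notice: UK-correct except for the transfer wording.
SAMPLE_UK_NOTICE = """We process your personal data under the UK GDPR and the Data Protection Act 2018.
Transfers of personal data outside the UK rely on Standard Contractual Clauses.
You may complain to the ICO at https://ico.org.uk/concerns."""

if __name__ == "__main__":
    for market in ("uk_only", "uk_and_eu", "non_uk_to_uk"):
        print(market, check_privacy_notice(SAMPLE_UK_NOTICE, market))
```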

For the technical detection, our scanner checks all of this automatically when you select United Kingdom from the country picker.

ICO enforcement: what to actually expect

It's easy to read about £20 million British Airways fines and conclude the ICO is as aggressive as the CNIL. The reality for SMEs is more nuanced.

Big-ticket fines are rare and almost always tied to large-scale breaches: British Airways (£20M, 2020, originally proposed at £183M), Marriott (£18.4M, 2020), TikTok (£12.7M, 2023, children's data). These are the cases that make the news.

Reprimands and undertakings are the ICO's main lever in practice. The ICO publishes a steady stream of these — a dozen or more per month — covering everything from missed SAR deadlines to inadequate cookie banners to failures around Right to be Forgotten requests. Reprimands are public and stay on the ICO's record but carry no fine. Undertakings are negotiated commitments to fix a specific failure within a deadline.

SME-scale fines do happen, mostly under PECR for unsolicited marketing. Companies that buy or scrape email lists and run cold-email campaigns into B2C addresses get fined regularly — typical PECR fines for SMEs run in the £10,000 to £200,000 range. The ICO publishes them under "monetary penalty notices" on its enforcement page.

The practical takeaway for a typical British SME website: the dominant compliance risk isn't a fine, it's a complaint that lands at the ICO and triggers a formal investigation. Investigations are time-consuming, distract leadership, and can end in a public reprimand. The investments that prevent this — a working cookie banner, a complete privacy notice, a documented SAR procedure, a staff member who knows what to do when a SAR lands — are the same ones EU GDPR demands.

When the differences cost you money

Three places where the divergence between UK and EU regimes has direct financial implications for SMEs.

Selling into Germany. The German Abmahnung (cease-and-desist letter) system has no UK equivalent. A German competitor lawyer who notices your UK-targeted site loading Google Fonts externally won't be able to fire an Abmahnung at you — unless you're targeting Germany, in which case the Abmahnung lands and costs €1,500-3,000 to settle. The cleanest defence for a UK SME selling into Germany is to scan against German rules and self-host every external resource.

EU representative obligations. A UK SaaS company with a single French customer arguably triggers Article 27 EU GDPR. The cost is £25-50/month for an EU rep service; the cost of getting it wrong is a French CNIL letter that, even if it leads to no fine, takes weeks of legal time to handle.

EAA in EU markets. A UK SME e-commerce site that hits the EAA's threshold (effectively any consumer-facing online sales in the EU above the micro-enterprise floor) needs WCAG 2.1 AA on its EU-facing surface from 28 June 2025 onward. Failure exposes the business to enforcement in the relevant member state. The fix is the same as it would be for an EU-native site, but the cost is real if accessibility wasn't designed in from the start.

For a quick view of which divergences affect your specific site, run a free UK-aware scan — it picks the right rule set automatically when you select your country.

The honest summary

Brexit didn't free British businesses from GDPR. It rebranded GDPR, moved the regulator to Wilmslow, and let the UK Parliament tweak around the edges. The Data (Use and Access) Act 2025 is the latest tweak; cookie consent and the bulk of the substantive rules are unchanged. The biggest practical differences for an SME website are operational: which authority you write to, which citations appear in your privacy notice, what your imprint looks like, and whether you also need to comply with the EU regime in parallel because you sell across the Channel.

If you got your house in order for 25 May 2018, the maintenance burden post-Brexit is small. If you've been quietly avoiding the topic since 2018, the ICO's reprimand-and-fine pipeline is just as functional today as the EU DPAs', and you should fix the basics before someone complains.

This is technical analysis, not legal advice. Consult a solicitor for specific guidance on your situation.