UK GDPR vs EU GDPR: What Actually Differs Post-Brexit and After the DUAA 2025
Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026
The relationship between UK GDPR and EU GDPR is one of the more practically important questions for UK businesses in 2026, and one of the more persistently misunderstood ones. The short version: both regimes derive from the same 2016 EU text; they have diverged modestly since Brexit; and UK businesses with EU customers need to comply with both simultaneously.
This article breaks down where they differ, what changed with the Data (Use and Access) Act 2025 and what dual compliance looks like in practice.
For a technical scan that applies the correct rule set for your market, run a free compliance check at /uk/en/scan.
When each regime applies
UK GDPR and EU GDPR both use an extraterritorial scope rule modelled on the same Article 3 from the 2016 EU Regulation.
UK GDPR applies when a controller or processor is established in the UK, regardless of whether the processing takes place in the UK. It also applies to non-UK controllers who either offer goods or services to individuals in the UK, or monitor the behaviour of individuals in the UK. The ICO is the relevant supervisory authority.
EU GDPR applies when a controller or processor is established in the EU, or when a non-EU controller offers goods or services to EU data subjects, or monitors their behaviour. The relevant supervisory authority is the lead DPA of the member state where the controller has its main EU establishment, or the DPA in whichever member state the data subject is located if the controller has no EU establishment.
A UK-based SaaS business with paying customers in Germany, France and the Netherlands is simultaneously subject to UK GDPR (because it's UK-established) and EU GDPR (because it's targeting EU individuals). It needs a compliant privacy notice referencing both regimes, an EU representative under Article 27 EU GDPR and a clear position on which supervisory authority is its lead EU authority if it has an EU establishment.
A US-based business with UK and EU customers needs both a UK representative (Article 27 UK GDPR) and an EU representative (Article 27 EU GDPR). These are separate appointments, since they serve different regulatory roles in different jurisdictions.
What the regimes share
The substantive content of UK GDPR and EU GDPR is nearly identical at the point of reading, because the UK retained the EU GDPR text verbatim at the end of the Brexit transition on 31 December 2020.
Both require a lawful basis under Article 6 for processing personal data. Both use the same six bases: consent, contract, legal obligation, vital interests (protection of life, Article 6(1)(d)), public task and legitimate interests.
Both give individuals the same data subject rights under Articles 15 to 22: access, rectification, erasure, restriction, portability, objection and rights around automated decision-making. Both require a one-month response deadline for subject access requests.
Both require breach notification to the supervisory authority within 72 hours where a breach is likely to result in risk to individuals (Article 33). Both require notification to individuals where the risk to them is high (Article 34).
Both carry equivalent fine tiers: UK GDPR's £17.5 million / 4% turnover matches EU GDPR's €20 million / 4% in structure if not precisely in amounts.
If you have a GDPR-compliant privacy notice written for your EU customers, the changes needed for UK GDPR compliance are primarily editorial: substitute the ICO for your EU supervisory authority, reference UK GDPR / DPA 2018 instead of EU GDPR and update the complaints pathway to point to ico.org.uk/concerns.
Where the regimes diverge
Supervisory authority. EU GDPR uses a one-stop-shop mechanism under Article 60: a business with cross-border EU processing has a lead supervisory authority in the member state of its main EU establishment. The ICO does not participate in this mechanism. Complaints about processing under UK GDPR are handled by the ICO. Complaints under EU GDPR involving the same underlying facts go through the EU lead DPA.
Age of consent. The UK sets the minimum age for consent to information society services at 13 under Section 9 of the Data Protection Act 2018. The EU GDPR default is 16, with individual member states permitted to lower it to 13 (several have, including Ireland and Denmark). If you run a service aimed at young people, the UK threshold of 13 sits at the lower end of the range across the UK and EU.
International transfers. UK GDPR uses the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses as its transfer mechanisms, not the raw EU SCCs. The UK also has its own equivalents to EU adequacy decisions. The UK-US Data Bridge, in force since 12 October 2023, serves the same function as the EU-US Data Privacy Framework for transfers to certified US organisations. Privacy notices that reference only "Standard Contractual Clauses" without mentioning the UK equivalents technically fail the UK disclosure standard.
Records of processing. The Data (Use and Access) Act 2025 narrowed the record-keeping obligation for certain low-risk SMB processing under the UK regime. Very small organisations doing limited, non-high-risk processing may be exempt from maintaining full Article 30 records under UK GDPR. The EU GDPR Article 30 obligation remains unchanged for equivalent EU processing.
Legitimate interests, recognised categories. The DUAA 2025 created a category of "recognised legitimate interests" in UK GDPR that allows certain processing (fraud prevention, public-health emergencies, safeguarding) to rely on legitimate interests without requiring the full balancing test. EU GDPR does not have an equivalent statutory list. The legitimate interests assessment under EU GDPR remains fully case-by-case.
Accessibility. This is the starkest policy divergence and the one most relevant for e-commerce. The EU's European Accessibility Act 2019 went live on 28 June 2025, imposing mandatory WCAG 2.1 AA requirements on private-sector e-commerce, banking, transport and media services across EU member states. The UK has no private-sector equivalent. UK private-sector accessibility obligations under the Equality Act 2010 require "reasonable adjustments" but do not specify a WCAG standard. A UK e-commerce site selling only to UK customers has materially different accessibility legal exposure from an equivalent French site.
Cookie consent. Cookie law in the UK sits in PECR, not UK GDPR directly. The EU equivalent is the ePrivacy Directive 2002/58/EC (implemented differently across member states). The substantive requirement, prior consent for non-essential cookies, is the same, but the statutory route and the enforcement ceiling differ. PECR fines are capped at £500,000. EU ePrivacy fines vary by member state, and France's CNIL has fined companies €100 million or more under the equivalent French law.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025, the DUAA, is the most significant update to UK data protection law since the DPA 2018 itself. It passed in early 2025 after the earlier DPDI Bill collapsed when Parliament was dissolved for the 2024 general election.
Three changes matter for typical SMB websites.
Recognised legitimate interests. The DUAA created a statutory list of processing activities that can rely on legitimate interests without requiring the controller to conduct an explicit balancing test. Fraud prevention, public-health emergencies, democratic engagement and safeguarding are on the list. This is more administratively convenient for the covered activities, but it doesn't change anything for standard commercial processing like analytics or marketing.
SME record-keeping relief. Article 30 records of processing (the internal documentation of what data you process, why and for how long) are no longer mandatory for organisations whose processing is "unlikely to result in a risk to the rights and freedoms of individuals" and who have fewer than a threshold number of employees. The ICO published updated guidance on which organisations qualify. This reduces paperwork for genuinely low-risk small businesses without changing their substantive obligations.
Scientific research pathway. Research processing now has a clearer dedicated lawful-basis route under UK law, with specific safeguards. This matters mainly for universities, health research organisations and market research companies, not typically for SMB websites.
What the DUAA did not change: the core rights in Articles 15-22, the consent standard for cookies under PECR, the breach notification timeline, the fine ceiling, the international transfer rules, or the requirement for a privacy notice.
Dual compliance for UK businesses with EU customers
If you sell to EU customers and are established only in the UK, your compliance position covers both regimes simultaneously.
Your privacy notice should reference both UK GDPR and EU GDPR, name both the ICO and the relevant lead EU supervisory authority (or note that EU complainants can go to their local DPA) and explain data transfers in terms of both the UK Data Bridge (for UK-to-US flows) and the EU-US Data Privacy Framework (for EU-to-US flows via your US processors).
You need an EU representative under Article 27 EU GDPR if you have EU customers and no EU establishment. This is a written appointment of a named individual or organisation in an EU member state who can receive correspondence from EU DPAs and data subjects. Several specialist services (DataRep, EDPO, GDPR-Rep.eu) offer this as a subscription service at around £25-50 per month.
On the UK side, the ICO's enforcement of UK GDPR against non-UK companies is illustrated by the £12.7 million penalty against TikTok Inc [ICO 2023], a US-registered entity fined for misuse of children's data. Non-EU companies with UK customers are not shielded by their non-UK establishment.
Your cookie banner must satisfy PECR for UK visitors and the national ePrivacy implementation for EU visitors. In practice, a PECR-compliant banner that requires prior consent before scripts load will also satisfy most EU national implementations, since the substantive standard is the same.
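As an added example (not code from the article or from TrustYourWebsite), here is the gating pattern that sentence describes: non-essential scripts are held as inert tags and activated only once an explicit, stored choice permits their category, so that a missing record and a "reject all" both result in nothing non-essential loading. The data-src and data-consent attributes, the category names and the sample script list are assumptions.

```javascript
// Consent gate for non-essential scripts: nothing in the analytics or marketing
// categories is fetched or executed until a recorded, explicit opt-in exists.

// Constructed sample of what a page would carry as inert tags:
// <script type="text/plain" data-src="..." data-consent="analytics"></script>
const SAMPLE_SCRIPTS = [
  { src: '/js/app.js',                      category: 'strictly-necessary' },
  { src: 'https://analytics.example/ga.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js',    category: 'marketing' },
];

// Normalise a stored consent record. Anything missing, malformed or without an
// explicit decision collapses to "no consent", so the default is always closed.
function normaliseConsent(record) {
  const out = { decided: false, analytics: false, marketing: false };
  if (!record || typeof record !== 'object' || record.decided !== true) return out;
  out.decided = true;
  out.analytics = record.analytics === true;
  out.marketing = record.marketing === true;
  return out;
}

// Strictly necessary scripts always run (exempt under PECR/ePrivacy); every other
// category needs a prior, category-specific opt-in. Returns the permitted srcs.
function scriptsToActivate(scripts, consent) {
  const c = normaliseConsent(consent);
  return scripts
    .filter(s => s.category === 'strictly-necessary' || (c.decided && c[s.category] === true))
    .map(s => s.src);
}

// Turn a banner choice into a record. "Reject all" is still a decision: it is
// stored so the banner is not shown again, but it unlocks nothing.
function recordChoice(choice) {
  if (choice === 'reject-all') return { decided: true, analytics: false, marketing: false };
  if (choice === 'accept-all') return { decided: true, analytics: true, marketing: true };
  return { decided: true, analytics: choice.analytics === true, marketing: choice.marketing === true };
}

// Browser glue (a no-op outside a DOM): replace permitted inert tags with live
// script elements, which is the first point at which the browser fetches them.
function activateInDom(consent) {
  if (typeof document === 'undefined') return 0;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = tags.map(t => ({ src: t.getAttribute('data-src'), category: t.dataset.consent }));
  const allowed = new Set(scriptsToActivate(descriptors, consent));
  let activated = 0;
  for (const t of tags) {
    if (!allowed.has(t.getAttribute('data-src'))) continue;
    const live = document.createElement('script');
    live.src = t.getAttribute('data-src');
    t.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Call activateInDom(recordChoice(...)) from the banner's buttons, and again on page load with the stored record so returning visitors are not re-prompted.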
The EAA accessibility requirements apply to your EU-facing surface from 28 June 2025. Your UK-only pages don't trigger the EAA, but any pages marketed to EU consumers in sectors covered by the EAA do. See our EU guide on EAA penalties for what the enforcement exposure looks like in practice.
This is technical analysis, not legal advice. Consult a solicitor for guidance on your specific compliance position.