Back to Blog

PolicifyAI

Published July 2026 · 9 min read

GDPR

UK GDPR vs EU GDPR: What Actually Changed

Same rules, different regulators? Not quite. From the Data (Use and Access) Act 2025 to transfer paperwork and dual representation, here is where the two regimes now genuinely differ.

Why there are two GDPRs at all

When the UK left the EU, it copied the EU GDPR into domestic law. The result - the "UK GDPR", sitting alongside the Data Protection Act 2018 - started life as a near-identical twin of the EU regulation. If you learned GDPR before Brexit, the core of what you know still applies on both sides: the same principles, the same six lawful bases, the same data subject rights, the same 72-hour breach notification rule.

But "near-identical" is no longer the whole story. The regimes have been drifting apart - slowly at first, and then more noticeably since the UK's Data (Use and Access) Act 2025. Here is what actually differs today, and what it means if you serve customers on both sides of the Channel.

Difference 1: Regulators, fines - and no one-stop shop

UK GDPR is enforced by the ICO, with maximum fines of £17.5 million or 4% of global annual turnover. EU GDPR is enforced by each member state's authority (the CNIL in France, the DPC in Ireland, and so on), with maximums of €20 million or 4%.

The practical sting for businesses operating in both markets: the EU's "one-stop shop"- where one lead authority handles a business across all member states - no longer covers the UK. A UK company processing EU data answers to both the ICO and an EU authority, with two sets of potential fines for the same incident.

Difference 2: You may need a representative (or two)

Under Article 27 of each regime, a business with no establishment in the other's territory - but which offers goods or services to people there, or monitors their behaviour - generally must appoint a local representative. A UK online shop actively targeting EU customers needs an EU representative; an EU SaaS company targeting UK users needs a UK one. Many small businesses discover this obligation late, usually from a customer's lawyer.

Difference 3: Different transfer paperwork

Both regimes restrict sending personal data to third countries, but the paperwork diverged:

  • EU: Standard Contractual Clauses (SCCs), plus the EU–US Data Privacy Framework for certified US companies
  • UK: the International Data Transfer Agreement (IDTA) or the UK Addendum bolted onto EU SCCs, plus the UK–US "Data Bridge" (the UK extension to the Data Privacy Framework)

If you signed SCCs with a vendor for EU data, they do not automatically cover your UK transfers - you need the UK Addendum or IDTA alongside them.

Difference 4: The age of digital consent

For online services relying on a child's consent, the UK set the threshold at 13. EU member states range from 13 to 16 (Germany uses 16, France 15, Spain 14). A kids-adjacent product serving several countries has to handle each threshold.

The big divergence: the Data (Use and Access) Act 2025

The DUAA received Royal Assent in June 2025 and is the first deliberate UK departure from the inherited EU text, with provisions being phased in through 2025 and 2026. The headlines for ordinary businesses:

  • "Recognised legitimate interests": a new list of activities (such as crime prevention and safeguarding) where you can rely on legitimate interests without running the full balancing test
  • Subject access requests: searches now need only be "reasonable and proportionate", and the response clock can pause while you clarify a request or verify identity
  • Automated decision-making: the near-ban in Article 22 is relaxed for most data (with safeguards); the strict rule remains for special category data
  • Cookies: PECR gains exemptions from the consent requirement for narrow low-risk purposes such as first-party statistics - while PECR fines jump from the old £500,000 cap to UK GDPR levels (£17.5m/4%), so the stakes for email and cookie compliance went up sharply
  • Charity soft opt-in: charities can now use the soft opt-in for marketing emails to previous supporters
  • The regulator itself is restructuring, with the ICO's functions moving to a new Information Commission

None of this changes EU GDPR, so a business serving both markets now has to comply with the stricter of the two on each point - in most cases, the EU version.

What about adequacy - can data still flow from the EU to the UK?

Yes. The European Commission's adequacy decisions for the UK, originally due to expire in 2025, were renewed in December 2025, so personal data continues to flow freely from the EEA to the UK without extra paperwork. The renewal came with a warning attached: the Commission monitors UK divergence, and adequacy can be withdrawn if the UK strays too far. Sensible businesses keep their EU-facing practices at EU standard for exactly this reason.

What a small business should actually do

  • One privacy policy is fine- but it should name both regimes and both regulators, and state your transfer safeguards for each
  • Check whether you need a representative in the market where you have no office
  • Pair your transfer documents: EU SCCs for EU data, UK IDTA/Addendum for UK data
  • Follow the stricter rule where they differ- it keeps you safe in both markets and future-proofs you against adequacy wobbles

Our privacy policy generator produces policies that reference both UK and EU GDPR from a single questionnaire, which handles the dual-regime problem for most small businesses.

Frequently asked questions

Is UK GDPR stricter or more relaxed than EU GDPR?

Mostly slightly more relaxed since the DUAA 2025 - easier DSAR handling, more room for automated decisions, and narrow cookie exemptions. But PECR enforcement got sharper teeth, so "relaxed" does not mean low-risk.

Do I need two privacy policies?

No - one well-drafted policy covering both regimes is standard practice. It should mention both the ICO and the relevant EU authority and describe transfer safeguards for both.

Can EU customer data still be sent to the UK?

Yes. The EU renewed the UK's adequacy decisions in December 2025, so EEA-to-UK data flows remain free - subject to ongoing monitoring of UK divergence.

Need a policy for your business?

Generate a legally-formatted, AI-reviewed policy in under 60 seconds.

Generate your policy

Keep reading

All articles