UK Data Protection Post-Brexit: GDPR vs UK GDPR

Complete guide to UK data protection post-Brexit: UK GDPR vs EU GDPR differences, ICO enforcement, adequacy decisions, and compliance for UK and international businesses.

ECOSIRE Research and Development Team
March 19, 2026 | 12 min read | 2.7k words

Part of our Compliance & Regulation series


Brexit fundamentally changed the UK's data protection landscape. From January 1, 2021, the UK left the EU's legal framework and the EU GDPR ceased to apply directly. The UK retained EU GDPR in domestic law as the "UK GDPR" (under the European Union (Withdrawal) Act 2018), supplemented by the Data Protection Act 2018 (DPA 2018). The result is a framework that is substantially similar to EU GDPR but with important differences — and a fragile adequacy relationship between the UK and EU that businesses must monitor closely.

Understanding the exact differences between UK GDPR and EU GDPR, and managing dual compliance for businesses operating in both jurisdictions, is essential for UK-based businesses and international companies with UK and EU exposure.

Key Takeaways

  • UK GDPR is derived from EU GDPR but is now a separate domestic law — the EU GDPR no longer applies directly in the UK
  • The EU granted the UK adequacy decisions in June 2021, permitting EU→UK data flows — but they are subject to a sunset clause and periodic review
  • UK→EU data flows: the UK has also granted EU/EEA countries adequacy under UK law, permitting UK→EU flows under UK GDPR
  • Key differences: UK GDPR has different SCCs, different transfer mechanisms, ICO (not EDPB) supervision, and evolving UK-specific positions
  • The Data Protection and Digital Information (DPDI) Act 2025 reformed UK GDPR — changes include relaxed legitimate interests, new recognised legitimate interests, and simplified record-keeping
  • ICO fines reach £17.5 million or 4% of global turnover — same structure as EU GDPR
  • Businesses subject to both UK GDPR and EU GDPR must satisfy both frameworks independently

The UK Data Protection Framework Post-Brexit

UK GDPR and the Data Protection Act 2018

The UK's data protection framework comprises two primary instruments:

UK GDPR: The EU GDPR as retained in UK law, modified by the DPA 2018 and subsequent statutory instruments. It preserves the six lawful bases, data subject rights, controller/processor framework, DPIA requirements, and DPO obligations from EU GDPR with some UK-specific modifications.

Data Protection Act 2018: Supplements UK GDPR by:

  • Implementing UK-specific derogations (e.g., for law enforcement, national security, journalism)
  • Establishing the ICO's powers and role
  • Providing additional conditions for processing special categories of data
  • Setting DPO requirements for public authorities
  • Creating the framework for criminal offences and enforcement

Data Protection and Digital Information (DPDI) Act 2025: A significant reform that amended UK GDPR, introducing more flexible provisions for business processing, relaxed legitimate interests provisions, "recognised legitimate interests" (new category avoiding the balancing test), simplified DPIA requirements, and a new regulatory framework for digital identity services.


Key Differences: UK GDPR vs EU GDPR

| Area | EU GDPR | UK GDPR (as amended by DPDI) |
| --- | --- | --- |
| Supervisory authority | National DPAs + EDPB coordination | ICO (sole UK authority, no EDPB membership) |
| DPO mandatory threshold | Public authorities + large-scale systematic monitoring or special categories | Same threshold, but a "named individual or team" is acceptable |
| Legitimate interests | Three-part test required (purpose, necessity, balancing) | Same, plus new "recognised legitimate interests" category avoiding the full balancing test |
| Recognised legitimate interests | None | New category for specific commercial purposes including: direct marketing, intragroup transfers, network security, employee monitoring for safeguarding |
| DPIA requirement | High-risk processing (Article 35) | Retained, but DPDI creates a "high risk assessment" concept with updated guidance |
| Record keeping | All organisations with 250+ employees or high-risk processing | Simplified requirements under DPDI for smaller organisations |
| Transfer mechanism: SCCs | EU SCCs (June 2021, three modules) | International Data Transfer Agreements (IDTAs) — UK-specific SCCs |
| Transfer mechanism: TIA | Transfer Impact Assessment required | Not explicitly required (but ICO recommends a risk assessment) |
| Adequacy decisions | EDPB/Commission process | ICO assessment + Secretary of State designation |
| One-stop-shop mechanism | Lead supervisory authority for EU operations | No equivalent — ICO has jurisdiction over UK-established entities |
| Cookie consent | ePrivacy Directive (separate from GDPR) | PECR 2003 (separate from UK GDPR); reform under DPDI |

UK Adequacy Status and EU→UK Data Transfers

EU Adequacy Decisions for the UK (June 2021)

The European Commission granted the UK two adequacy decisions on June 28, 2021:

  1. Adequacy decision under EU GDPR: Permits free flow of personal data from EU/EEA to UK without requiring additional transfer mechanisms
  2. Adequacy decision under Law Enforcement Directive: Permits law enforcement data sharing

The sunset clause: The EU adequacy decisions for the UK contain a four-year sunset clause — they expire on June 27, 2025, unless renewed. The European Commission conducted a review and has indicated its intention to renew, but the renewal process and any conditions attached are subject to political and legal developments.

Risks to the EU→UK adequacy relationship:

  • Divergence of UK data protection law from GDPR (through DPDI Act and future reform) could trigger Commission review
  • UK government's surveillance legislation and mass data collection practices have been areas of EU scrutiny
  • Any UK court decisions or legislative changes significantly reducing data protection standards could prompt the Commission to suspend adequacy

Practical implication: Businesses relying on UK adequacy for EU→UK data flows should have a contingency plan (UK IDTAs or BCRs) should adequacy be withdrawn or suspended, even if renewal appears likely.

UK→EU Data Flows

Under UK GDPR's international transfer provisions, the UK Secretary of State has granted adequacy regulations for EU/EEA countries — meaning personal data can flow from the UK to EU/EEA countries without additional transfer mechanisms.


International Data Transfer Agreements (IDTAs)

For transfers from the UK to countries without UK adequacy decisions, UK GDPR requires appropriate safeguards. The ICO published the International Data Transfer Agreement (IDTA) and an IDTA Addendum to EU SCCs in March 2022, replacing the older model clauses for UK transfers.

Key IDTA features:

  • UK-specific standard contractual clauses covering all four EU SCC module scenarios (C2C, C2P, P2P, P2C) in a single document
  • "Risk Assessment" framework (rather than EU SCC's mandatory TIA)
  • UK-specific definitions and supervisory authority references
  • Mandatory terms that must not be modified; optional clauses available

IDTA Addendum to EU SCCs: Allows businesses to use EU SCCs as the basis for UK transfers by adding an addendum that adapts them for UK purposes. This is the preferred approach for many multinational businesses that have already implemented EU SCCs and want to cover UK transfers without separate documentation.

Transition from EU SCCs: The ICO extended the deadline for moving legacy EU SCC contracts onto UK IDTAs: businesses that entered into EU SCC contracts before September 21, 2022 had until March 21, 2024 to replace them with UK IDTAs (or the IDTA Addendum).

Selecting the appropriate transfer mechanism:

| Scenario | UK Transfer Mechanism |
| --- | --- |
| UK→EU/EEA | Adequacy regulations — no additional mechanism needed |
| UK→US | UK IDTA or IDTA Addendum to EU SCCs (US-UK Data Access Agreement for law enforcement) |
| UK→other adequate countries | No additional mechanism needed |
| UK→non-adequate countries | UK IDTA or IDTA Addendum |
| Intragroup | UK IDTA, IDTA Addendum, or BCRs |

ICO Enforcement Powers and Approach

The Information Commissioner's Office (ICO) is the UK's independent data protection supervisory authority. Post-Brexit, the ICO is no longer part of the EDPB and acts independently in all respects.

ICO enforcement powers:

  • Issue information notices requiring organisations to provide information
  • Issue assessment notices (audits)
  • Issue enforcement notices (requiring compliance actions)
  • Issue penalty notices:
    • Lower tier: up to £8.7 million or 2% of global annual turnover (whichever higher) — for less severe violations
    • Upper tier: up to £17.5 million or 4% of global annual turnover (whichever higher) — for most serious violations
  • Criminal prosecution for deliberate data crimes (under DPA 2018 Part 3 and offences)

ICO enforcement approach: The ICO has historically taken a risk-based, proportionate approach — engaging with organisations through reprimands and informal guidance before escalating to fines. However, the ICO has issued significant fines: £20 million to British Airways (reduced from the penalty the ICO initially proposed), £18.4 million to Marriott International, and multiple seven-figure fines to public authorities.

Post-DPDI Act: The DPDI Act 2025 modified the ICO's framework, introducing a "principal objective" to promote a thriving digital economy alongside data protection, and creating a statutory code of practice for responsible AI. This signals a somewhat more pro-innovation regulatory approach than pre-DPDI.


Dual Compliance: UK GDPR and EU GDPR

For businesses subject to both UK GDPR and EU GDPR — the most common situation for UK-based businesses with EU operations — managing dual compliance requires careful programme design.

Structuring for dual compliance:

  1. Separate legal entities: If your UK and EU operations are separate legal entities, each has its own supervisory authority (ICO for UK, relevant national DPA for EU) and must maintain separate compliance programmes

  2. Common policy base: UK GDPR and EU GDPR share ~95% of their substantive requirements. A single comprehensive privacy programme covering all requirements of both can be built, with UK-specific and EU-specific layers on top

  3. Transfer mechanisms: UK→EU transfers use UK adequacy regulations (no mechanism needed currently). EU→UK transfers use EU adequacy decision for UK (no mechanism needed currently). Internal transfers between UK and other countries need UK IDTAs. Internal transfers between EU and other countries need EU SCCs

  4. Lead supervisory authority: Under EU GDPR, EU operations can designate a lead supervisory authority for cross-border EU processing through the one-stop-shop mechanism. This does not apply in the UK — ICO supervises all UK-established entities

  5. Privacy notices: Maintain separate privacy notices or clearly distinguish UK and EU legal bases, contact information (DPO, UK rep, EU rep), and supervisory authority references

  6. DPO appointment: If required under both frameworks, a single DPO can serve both jurisdictions. The DPO contact details in UK privacy notices should reference UK obligations; EU notices should reference EU obligations


UK-Specific Data Protection Considerations

PECR (Privacy and Electronic Communications Regulations 2003)

UK PECR governs cookies, electronic marketing, and traffic/location data. It is separate from UK GDPR and was not updated by the DPDI Act, though reform is ongoing. Key PECR requirements:

  • Cookie consent: clearly informed consent required for non-essential cookies
  • Email/SMS marketing: opt-in consent required for individuals; opt-out (soft opt-in) available where there is an existing customer relationship and same/similar products
  • Cold calling: prohibited to numbers on the Telephone Preference Service (TPS); businesses can register for the Corporate TPS

Biometric Data (Special Category under UK GDPR)

Biometric data processed for uniquely identifying individuals is a special category under UK GDPR. The DPA 2018 Schedule 1 provides specific conditions for processing special categories, including explicit consent and employment law conditions.

UK Representative for Non-UK Established Controllers

Under UK GDPR Article 27, controllers and processors not established in the UK but subject to UK GDPR (because they offer goods/services to UK individuals or monitor UK individuals' behaviour) must appoint a UK representative. This is a role separate from the DPO and can be filled by a natural person or a legal entity.


UK Data Protection Compliance Checklist

  • Determine whether UK GDPR, EU GDPR, or both apply to your organisation
  • UK representative appointed if non-UK established and subject to UK GDPR
  • Privacy notice updated to reference UK GDPR, ICO, and UK-specific rights
  • UK IDTA or IDTA Addendum implemented for transfers from UK to non-adequate countries
  • EU→UK transfer mechanism reviewed (currently relying on EU adequacy for UK — monitor for changes)
  • DPO appointed where required under UK GDPR; contact information published
  • Record of processing activities maintained (UK GDPR Article 30)
  • DPIAs conducted for high-risk processing activities
  • Legitimate interests assessments documented where legitimate interests is the legal basis
  • PECR compliance reviewed: cookie consent, electronic marketing opt-in mechanisms
  • Staff training completed on UK GDPR obligations
  • Breach notification procedure: 72-hour notification to ICO, individual notification for high-risk breaches
  • Data subject rights procedures implemented (UK GDPR timeline: one month)
  • Legacy EU SCC contracts reviewed and updated to UK IDTAs where required

Frequently Asked Questions

Is EU GDPR still applicable in the UK after Brexit?

No. EU GDPR ceased to apply directly in the UK on January 1, 2021. However, the UK retained EU GDPR as domestic law in the form of "UK GDPR," which is substantially similar but now a separate UK statute. If you process personal data of EU/EEA individuals or have an EU-based establishment, EU GDPR continues to apply to those aspects of your business regardless of Brexit.

Do I need separate DPOs for UK and EU operations?

A single DPO can serve both UK and EU obligations, provided they have sufficient knowledge of both frameworks and are accessible to data subjects and supervisory authorities in both jurisdictions. The DPO's contact details should be published in privacy notices for both jurisdictions, and the DPO should be aware of UK-specific ICO guidance alongside EDPB guidance for EU obligations.

What happens if the EU withdraws UK adequacy?

EU→UK data flows would require an alternative transfer mechanism — typically EU SCCs. Businesses would need to sign EU Standard Contractual Clauses for EU→UK transfers and conduct Transfer Impact Assessments. This would be operationally significant but manageable for businesses that have planned contingencies. The practical disruption would be greatest for businesses relying on informal data flows (employee data, cloud infrastructure shared between EU and UK entities) without formal transfer documentation.

What are "recognised legitimate interests" under the DPDI Act?

The DPDI Act 2025 introduced "recognised legitimate interests" — a new category of processing purposes that do not require the full three-part legitimate interests balancing test under UK GDPR. Recognised legitimate interests include: direct marketing by the organisation that collected the data; intragroup transfers for administrative purposes; network and information security purposes; employee monitoring and management for safety/legal compliance. Businesses can rely on these without documenting a formal balancing test, simplifying compliance for these specific use cases.

How does UK data protection apply to UK citizens living abroad?

UK GDPR protects individuals in the UK — it is not tied to UK citizenship or nationality. An EU citizen living in the UK is protected by UK GDPR. A UK citizen living in France is protected by EU GDPR applied in France. The laws are territorial in their primary application, not citizenship-based. UK citizens' data is not inherently subject to UK GDPR when they are located outside the UK unless the controller/processor is UK-established or targeting UK individuals.

Are cookies in the UK governed by UK GDPR or PECR?

Cookies are primarily governed by the Privacy and Electronic Communications Regulations 2003 (PECR) in the UK, not directly by UK GDPR. PECR requires clear information about cookies and consent for non-essential cookies. UK GDPR applies to the personal data collected through cookies (where cookies process personal data). Both frameworks must be satisfied simultaneously — PECR governs the cookie placement; UK GDPR governs the subsequent processing of personal data collected.


Next Steps

The UK's post-Brexit data protection landscape is more complex than many businesses anticipated — particularly for those operating across UK and EU jurisdictions simultaneously. Keeping pace with ICO guidance, DPDI Act reforms, and the EU adequacy relationship requires ongoing attention.

ECOSIRE helps businesses design and maintain dual UK/EU compliance programmes, implement appropriate international data transfer mechanisms, and build privacy-by-design into their technology platforms.

Learn more: ECOSIRE Services

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. UK data protection law is evolving through legislation and ICO guidance. Consult qualified UK legal counsel for advice specific to your organisation.

Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.