UK GDPR vs EU GDPR: Brexit and DUAA 2025 changes
Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026
The UK GDPR vs EU GDPR differences matter most for small UK firms that sell into the EU and for EU firms that sell into the UK. Both regimes come from the same 2016 EU text. Both have drifted only modestly since Brexit. A UK business with EU customers is bound by both at the same time.
This guide sets out where the two rule sets diverge in 2026. It covers what the Data (Use and Access) Act 2025 changed and what dual compliance looks like in practice. For a technical scan against the rules that apply to your market, run a free compliance check.
UK GDPR vs EU GDPR: the side-by-side comparison
The table below summarises the headline UK GDPR vs EU GDPR differences as they stand after the DUAA 2025. Each row links to a primary source where the rule lives.
| Area | UK GDPR (post-DUAA 2025) | EU GDPR |
|---|---|---|
| Statute | UK GDPR plus DPA 2018 plus DUAA 2025 | Regulation (EU) 2016/679 |
| Regulator | ICO | National DPAs coordinated by the EDPB |
| Age of consent for online services | 13 (DPA 2018 s.9) | 16 default, member states may lower to 13 |
| Lawful basis list | Six Article 6 bases plus a statutory list of recognised legitimate interests | Six Article 6 bases, no statutory recognised list |
| Records of processing (Article 30) | Reduced for low-risk SMB processing under DUAA 2025 | Full Article 30 record-keeping for all but the smallest controllers |
| International transfer tool | UK IDTA or UK Addendum to the EU SCCs | EU SCCs |
| US transfer route | UK-US Data Bridge since 12 October 2023 | EU-US Data Privacy Framework |
| Fine ceiling | £17.5m or 4% global turnover (whichever is higher) | EUR 20m or 4% global turnover (whichever is higher) |
| One-stop-shop | Not available | Lead DPA in the member state of main establishment |
| Cookie consent route | PECR Regulation 6 (cap £500,000) | National ePrivacy implementations |
When each regime applies
Both regimes use the same extraterritorial scope rule from Article 3 of the 2016 Regulation.
UK GDPR applies when a controller or processor is established in the UK. It applies wherever the actual processing happens. It also catches non-UK controllers that offer goods or services to people in the UK or monitor their behaviour. The supervisory authority is the ICO.
EU GDPR applies when a controller or processor is established in the EU. It also catches non-EU controllers that offer goods or services to EU data subjects or monitor their behaviour. The lead authority is the DPA of the member state where the controller has its main EU establishment. Where there is no EU establishment, the data subject can complain to their own national DPA. The EDPB coordinates national positions.
A UK SaaS firm with paying customers in Germany, France and the Netherlands is subject to UK GDPR because it is UK-established. It is also subject to EU GDPR because it targets EU individuals. It needs a privacy notice that names both regimes. It needs an EU representative under Article 27 EU GDPR. A US firm with UK and EU customers needs two separate Article 27 appointments. One sits in the UK, one in an EU member state.
What the two regimes share
The substantive content of UK GDPR and EU GDPR is nearly identical at the point of reading. The UK retained the EU GDPR text word-for-word at the end of the Brexit transition.
Both require a lawful basis under Article 6 for processing personal data. Both use the same six bases. These are consent, contract, legal obligation, protection of life (Article 6(1)(d)), public task and legitimate interests.
Both give individuals the same data subject rights under Articles 15 to 22. These cover access, rectification, erasure, restriction, portability, objection and rights around automated decisions. Both require a response within one month for subject access requests.
Both require breach notification to the supervisory authority within 72 hours where a breach is likely to result in a risk to individuals (Article 33). Both require notice to the affected individuals where the risk to them is high (Article 34).
Both carry equivalent fine tiers. The UK GDPR cap of £17.5 million or 4% turnover matches the structure of the EU GDPR cap of EUR 20 million or 4% turnover, even if the headline amounts differ.
If you already run a GDPR-compliant privacy notice for EU customers, the changes for UK compliance are mostly editorial. Swap the relevant EU DPA reference for the ICO. Reference UK GDPR and the DPA 2018 instead of EU GDPR. Point the complaints path at ico.org.uk/concerns.
Where the regimes diverge
Supervisory authority. EU GDPR uses a one-stop-shop mechanism under Article 60. A controller with cross-border EU processing gets a lead DPA in the member state of its main EU establishment. The ICO does not take part in this mechanism. UK complaints go to the ICO. EU complaints involving the same facts go through the lead EU DPA.
Age of consent for online services. The UK sets the floor at 13 under section 9 of the Data Protection Act 2018. The EU GDPR default is 16. Member states can lower it to 13. Ireland and Denmark have done so. If your service is aimed at young people, the UK threshold of 13 sits at the bottom of the range found across the UK and the EU.
International transfers. UK GDPR uses the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, not the raw EU SCCs themselves. The UK has its own equivalents to EU adequacy decisions. The UK-US Data Bridge has been in force since 12 October 2023. It plays the same role as the EU-US Data Privacy Framework for transfers to certified US recipients. A privacy notice that mentions only "Standard Contractual Clauses" without naming the UK equivalents fails the UK disclosure standard.
Records of processing. The Data (Use and Access) Act 2025 narrowed the record-keeping duty for certain low-risk SMB processing under the UK regime. Very small organisations doing limited, non-high-risk processing may be exempt from full Article 30 records under UK GDPR. The EU GDPR Article 30 duty is unchanged for equivalent EU processing.
Recognised legitimate interests. The DUAA 2025 created a statutory list of recognised legitimate interests in UK GDPR. Listed activities such as fraud prevention, safeguarding and public-health emergencies can rely on legitimate interests without the full balancing test. EU GDPR has no equivalent statutory list. The legitimate interests assessment under EU GDPR stays fully case-by-case. The EDPB has confirmed that legitimate interests remain a contestable basis at EU level.
Accessibility. This is the starkest policy split and the one that matters most for e-commerce. The EU's European Accessibility Act 2019 went live on 28 June 2025. It imposes mandatory WCAG 2.1 AA duties on private-sector e-commerce, banking, transport and media services across EU member states. The UK has no private-sector equivalent. The Equality Act 2010 requires "reasonable adjustments" but does not name WCAG. A UK e-commerce site selling only to UK customers has materially different exposure from an equivalent French site.
Cookie consent. Cookie law in the UK sits in PECR, not UK GDPR. The EU equivalent is the ePrivacy Directive 2002/58/EC, implemented differently across member states. The substantive rule (prior consent for non-essential cookies) is the same. The statutory route differs. PECR fines are capped at £500,000. EU ePrivacy fines vary by member state. The French CNIL has issued penalties above EUR 100 million under French law.
The Data (Use and Access) Act 2025: before and after
The Data (Use and Access) Act 2025, the DUAA, is the most significant update to UK data protection law since the DPA 2018. It passed in early 2025 after the earlier DPDI Bill collapsed when Parliament was dissolved for the 2024 general election.
The table below shows the four provisions that matter most for typical SMB websites. Each row compares the pre-DUAA UK GDPR position with the post-DUAA position.
| Provision | Pre-DUAA UK GDPR | Post-DUAA UK GDPR |
|---|---|---|
| Legitimate interests for fraud, safeguarding, emergencies | Full Article 6(1)(f) balancing test required | Statutory recognised legitimate interests list, no balancing test for listed purposes |
| Article 30 records of processing | Required for all but the smallest very-low-risk processing | Reduced duty for low-risk SMB processing per ICO guidance |
| Scientific research lawful basis | Implicit route, mixed practice | Clear dedicated route with named safeguards |
| Cookie consent under PECR | Prior consent for non-essential cookies | Unchanged: prior consent still required |
Three points worth holding in mind:
- Recognised legitimate interests apply only to the listed purposes. They do not change anything for standard commercial processing such as analytics or marketing.
- SME record-keeping relief lets genuinely low-risk small firms cut paperwork. It does not reduce substantive duties such as breach reporting or honouring data subject rights.
- The scientific research pathway matters for universities, health research bodies and market research firms. It is rarely relevant for typical SMB websites.
What the DUAA did not change: the core rights in Articles 15 to 22, the consent standard for cookies under PECR, the breach notification timeline, the fine ceiling, the international transfer rules and the basic requirement for a privacy notice.
Dual compliance for UK businesses with EU customers
If you sell to EU customers and are established only in the UK, your compliance position covers both regimes at once.
Your privacy notice should name both UK GDPR and EU GDPR. It should name both the ICO and the relevant lead EU supervisory authority. Where you have no EU establishment, say that EU complainants can go to their own national DPA. It should explain transfers in terms of both the UK Data Bridge for UK-to-US flows and the EU-US Data Privacy Framework for EU-to-US flows via your US processors.
You need an EU representative under Article 27 EU GDPR if you have EU customers and no EU establishment. This is a written appointment of a named person or organisation in an EU member state who can receive correspondence from EU DPAs and from data subjects. Specialist services (DataRep, EDPO, GDPR-Rep.eu) offer this on subscription at around £25 to £50 per month.
On the UK side, the ICO enforces UK GDPR against non-UK companies. The £12.7 million penalty issued by the ICO against TikTok Inc in 2023 (a US-registered entity fined for misuse of children's data) shows that non-EU companies with UK customers are not shielded by their non-UK status.
Your cookie banner must satisfy PECR for UK visitors and the national ePrivacy implementation for EU visitors. In practice a PECR-compliant banner that requires prior consent before scripts load will also satisfy most EU national implementations, because the substantive standard is the same.
The EAA accessibility duties apply to your EU-facing surface from 28 June 2025. Your UK-only pages do not trigger the EAA. Any pages marketed to EU consumers in EAA sectors do. See our EU guide on EAA penalties for what enforcement exposure looks like in practice.
This is technical analysis, not legal advice. Consult a solicitor for guidance on your specific compliance position.