UK GDPR and EU GDPR started as the same document. They are no longer the same law. Since 1 January 2021, the UK has operated its own data protection regime, and the two frameworks have begun to diverge. For most UK businesses with only UK customers, the practical day-to-day difference is modest. For businesses that serve both UK and EU customers, the divergence creates real compliance complexity.
Where UK GDPR comes from
The EU GDPR came into force in May 2018. When the UK left the EU, it retained the GDPR in domestic law via the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018. The result is a document that is largely identical to the original regulation — same article structure, same core rights, same principles — but now sits as a distinct UK instrument and is amended by UK statutory instruments rather than EU legislation.
The government's Data Protection and Digital Information (DPDI) Act introduced further modifications. Check the ICO's current guidance for up-to-date requirements, as the detail has shifted through the legislative process. The core obligations — lawful basis, data subject rights, privacy notices, data protection by design — remain intact.
Enforcement: the ICO, not the EDPB
Under EU GDPR, supervision is shared across national data protection authorities, coordinated by the European Data Protection Board (EDPB). The ICO has no role in that system. Under UK GDPR, the Information Commissioner's Office is the sole supervisory authority for the UK. There is no cross-border consistency mechanism between the ICO and EU authorities.
If you receive a complaint from a UK resident, the ICO handles it. If you receive a complaint from a French resident about the same processing, France's CNIL handles it under EU GDPR. These are parallel proceedings, not coordinated ones.
Fines compared
| Framework | Maximum fine (lower tier) | Maximum fine (upper tier) |
|---|---|---|
| EU GDPR | €10m or 2% of global turnover | €20m or 4% of global turnover |
| UK GDPR | £8.7m or 2% of global turnover | £17.5m or 4% of global turnover |
The percentages are identical. The absolute sterling figures reflect a set exchange rate used when the UK instrument was made. Practically speaking, the maximum exposure is equivalent for most businesses.
International data transfers
This is where UK and EU GDPR diverge most significantly.
Under EU GDPR, transfers to third countries require either an adequacy decision from the European Commission, or appropriate safeguards such as Standard Contractual Clauses. The EU granted the UK adequacy in June 2021, meaning data can flow freely from the EU to the UK without additional safeguards — for as long as that decision remains in force.
The UK operates its own, separate adequacy framework. The ICO maintains a list of countries deemed adequate for transfers from the UK. The EEA countries, plus several others, are on this list. Transfers to countries not on the list require UK-specific safeguards: International Data Transfer Agreements (IDTAs) or addenda to EU Standard Contractual Clauses.
Sending data to the US? The UK has its own Data Bridge arrangement with the US (in force since October 2023) for transfers to certified US organisations. This is separate from the EU-US Data Privacy Framework. Check that any US processor your site relies on — including cloud providers, analytics tools, and CDNs — is covered by the appropriate mechanism for your jurisdiction.
Dual compliance: serving both UK and EU customers
If your website processes personal data from UK residents and EU residents — which is common for any e-commerce site, SaaS product, or content business — you may need to satisfy both regimes simultaneously. The rules are similar enough that a single privacy policy and processing framework usually covers both, but there are areas where you need specific attention:
- Your privacy policy should reference both UK GDPR and EU GDPR if you serve both markets
- Your EU Representative requirement under EU GDPR Article 27 still applies if you have no EU establishment
- Data transfer mechanisms must be appropriate for the direction of the transfer (UK-to-US and EU-to-US have different legal bases)
- ICO registration covers UK processing; it does not satisfy any EU registration requirement
What to watch: the DPDI Act
The Data Protection and Digital Information Act made targeted changes to the UK framework — adjusting legitimate interests, the rules on automated decision-making, and the requirements around data protection officers. These are incremental modifications rather than a wholesale rewrite, but they represent the point at which UK GDPR and EU GDPR became formally different rather than merely separately administered.
The ICO publishes guidance on the current state of UK data protection law. For anything that has changed since the DPDI Act came into force, the ICO's website is the authoritative source.
Is your site set up for UK GDPR?
GDPR Radar scans your site against UK GDPR and ICO requirements — not EU GDPR — so you get results that are relevant to your actual legal obligations.