When the UK left the EU's single market on 31 December 2020, it also left the EU's data protection framework. From 1 January 2021, the EU GDPR ceased to apply in the UK. In its place came UK GDPR - technically the EU GDPR as "retained" in UK law through the European Union (Withdrawal) Act 2018, with modifications made by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

In practice, for the first year or two after Brexit, the differences between UK GDPR and EU GDPR were minimal. The two texts are very similar, and for most businesses with customers only on one side of the border, the change was largely administrative. But the gap has been growing, and it matters more now than it did in 2021.

What stayed the same

The core architecture of UK GDPR is identical to EU GDPR. The lawful bases for processing - consent, contract, legal obligation, vital interests, public task, legitimate interests - are the same. The individual rights framework is the same: right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object. The accountability principles are the same. The approach to special category data is the same.

For a UK business that sells only to UK customers and processes data only within the UK, the practical impact of the EU/UK split is limited. You comply with UK GDPR, which is enforced by the ICO, and the EU framework is not your concern. The confusion tends to arise for businesses that have customers or operations on both sides.

Data transfers between the UK and EU

This is where Brexit created the most immediate practical complication. Under EU GDPR, transferring personal data to a country outside the EU/EEA is restricted unless that country has an "adequacy decision" - a European Commission determination that its data protection framework provides "essentially equivalent" protection to the EU's - or another transfer mechanism is in place. Once the UK became a third country, it needed an adequacy decision from the EU for EU organisations to keep sending it personal data without additional safeguards.

In June 2021, the European Commission granted the UK an adequacy decision, meaning personal data can flow freely from the EU to the UK. This was a significant outcome for UK businesses. The alternative would have been requiring Standard Contractual Clauses (SCCs) or other transfer mechanisms for routine data flows from EU customers - a significant administrative burden.

The adequacy decision is time-limited. Unlike earlier adequacy decisions, the UK's was granted with a sunset clause: it was set to expire in June 2025 unless renewed. At the time of writing it had been extended by six months, to December 2025, while the Commission assessed renewal. Its long-term status depends on the European Commission (informed by an opinion from the European Data Protection Board) continuing to find that UK law provides essentially equivalent protection. If the UK Government diverges significantly from EU standards, renewal becomes less certain.

From the UK side, the situation is different. The ICO issued its own transfer tools for restricted transfers out of the UK: the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Standard Contractual Clauses, which together replaced the old EU SCCs for UK-to-third-country transfers. The UK has also granted adequacy status, through UK regulations, to a range of countries, including the EU/EEA, so data can flow from the UK to the EU freely. The adequacy relationship therefore currently runs both ways.

Where the frameworks have started to diverge

The UK Government has made several changes to the retained UK GDPR text, and further changes are likely. The Data (Use and Access) Act 2025, which received Royal Assent in June 2025 after its predecessor, the Data Protection and Digital Information Bill, fell at the 2024 general election, introduced some notable modifications to the UK framework. Its provisions are being brought into force in stages.

One change is around the legitimate interests basis. UK GDPR now includes a list of "recognised legitimate interests" - a set of pre-approved purposes, such as crime prevention, safeguarding and responding to emergencies, for which legitimate interests can be relied upon without carrying out the usual balancing test. Ordinary legitimate interests outside that list still require the balancing test. This makes legitimate interests somewhat easier to use in the UK than in the EU, where the European Data Protection Board's guidance continues to require a full assessment in every case.

Cookie consent rules have also seen some movement. The UK's approach under PECR has historically mirrored the EU's ePrivacy rules, but the Data (Use and Access) Act 2025 provides for exceptions to the consent requirement for certain low-risk cookies, including some used for statistical (analytics) purposes, subject to conditions. The EU, by contrast, has been tightening enforcement of cookie consent through national DPAs. The two frameworks are drifting in different directions here.

Another area of divergence is automated decision-making. EU GDPR Article 22 gives individuals a right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to narrow exceptions. The Data (Use and Access) Act 2025 reforms the UK equivalent: the general restriction is replaced with a safeguards-based regime (information, the ability to make representations and to obtain human intervention) for most solely automated decisions, while the stricter rule is kept for decisions based on special category data. How this plays out in practice will matter for businesses using AI systems to make decisions about customers.

Dual compliance: what it means in practice

If your business has customers in both the UK and the EU, you need to comply with both frameworks. In many areas this is not difficult because the requirements overlap heavily. But there are practical implications:

Your Privacy Policy needs to correctly identify which law applies. Note that territorial scope turns on establishment and targeting, not on residency: if you are established in the UK, or you offer goods or services to (or monitor the behaviour of) individuals in the UK, UK GDPR applies and the ICO is the supervisory authority. If you are established in the EU, or you target or monitor individuals in the EU, EU GDPR applies and the relevant EU member state's data protection authority is involved. A business selling to both audiences falls under both regulators.

For EU operations, if you have an establishment in the EU, the "one-stop-shop" mechanism under EU GDPR means your lead supervisory authority is in the member state of your main EU establishment. This simplifies things if you have a European subsidiary or office; the ICO is no longer part of that mechanism. If you have no EU establishment but target EU residents, you will generally need to appoint an EU representative under Article 27 of EU GDPR - the equivalent of the UK's requirement for non-UK businesses targeting UK residents to appoint a UK representative.

UK representative obligation: If you are a non-UK business targeting UK residents and you are not established in the UK, you must designate a UK representative under UK GDPR. This is a separate requirement from the EU GDPR Article 27 obligation, and both may apply simultaneously to the same business.

The divergence risk

The longer-term concern for businesses operating across the UK-EU border is further divergence. The UK Government has expressed interest in a more "flexible" and "pro-innovation" approach to data protection. The EU, particularly through the work of the European Data Protection Board and enforcement by national DPAs, has been moving in a more restrictive direction on several issues.

If divergence continues - particularly if the UK significantly weakens its data protection standards - the EU adequacy decision for the UK may not be renewed when it next comes up for review. That would force businesses back to relying on Standard Contractual Clauses or Binding Corporate Rules for EU-to-UK transfers (UK-to-EU transfers would still be covered by the UK's own adequacy regulations), which is workable but more administratively complex.

For most small UK businesses with mainly UK customers, this is not an immediate practical concern. For businesses with significant EU customer bases, or for companies that share data with EU group companies, it is worth keeping track of.

What this means for your Privacy Policy

If you are a UK business with UK customers only, your Privacy Policy should reference UK GDPR (not EU GDPR), name the ICO as the supervisory authority, and use UK-specific language around rights and contact details. Referencing "GDPR" without specifying UK or EU is technically ambiguous, though the ICO is generally pragmatic about this.

If you serve EU customers as well, your policy needs to either cover both frameworks explicitly, or you need separate policies for UK and EU audiences. The latter is cleaner but adds maintenance overhead.

For the full list of what a compliant UK privacy policy must include, see our detailed guide to what your Privacy Policy must actually say. And for a broader look at your legal requirements as a UK website, the UK website Privacy Policy requirements article covers the practical starting points. If you want to understand what enforcement actually looks like, the ICO enforcement cases from 2024 are instructive reading.