GDPR vs UK GDPR: Key Differences for International Companies (2026)
March 28, 2026
The UK GDPR is the United Kingdom's post-Brexit version of the EU General Data Protection Regulation, retained in domestic law through the European Union (Withdrawal) Act 2018 and supplemented by the UK Data Protection Act 2018. While substantially identical to the EU GDPR at its origin, the two frameworks are diverging as the UK develops its own regulatory path.
For any company that operates in both the EU and UK markets, understanding where these frameworks align and where they differ is no longer optional. Since the UK left the EU single market on 31 December 2020, data protection obligations have split into two parallel regimes with separate supervisory authorities, separate enforcement budgets, and increasingly separate rules on topics ranging from international data transfers to automated decision-making.
This guide provides a comprehensive, practical comparison of the EU GDPR and UK GDPR as they stand in 2026, with particular focus on the areas where the two regimes have diverged and what that means for your compliance programme.
Quick Reference
Topic | EU GDPR | UK GDPR
Governing law | Regulation (EU) 2016/679 | UK GDPR (retained EU law) + Data Protection Act 2018
Supervisory authority | National DPAs (coordinated by the EDPB) | Information Commissioner's Office (ICO)
Territorial scope | EU/EEA establishment, or targeting EU data subjects | UK establishment, or targeting UK data subjects
Maximum fines | EUR 20 million or 4% of global annual turnover, whichever is higher | GBP 17.5 million or 4% of global annual turnover, whichever is higher
Data transfer mechanism | Standard Contractual Clauses (EU SCCs) | International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs
Adequacy decisions | Granted by the European Commission | Granted by the UK Secretary of State
Current reform status | Largely unchanged since 2018 | Amended by the Data (Use and Access) Act 2025
Key Takeaways
The EU GDPR and UK GDPR were identical at the point of Brexit but have been diverging since 2021 through UK legislative reform and differing regulatory guidance
The UK Data (Use and Access) Act 2025 (DUAA), which replaced the Data Protection and Digital Information Bill after that Bill lapsed at the 2024 general election, made material changes to the UK regime covering legitimate interests, cookies, international transfers, subject access and automated decision-making
The EU granted the UK an adequacy decision in June 2021 that was time-limited to June 2025; after its 2025 review the European Commission renewed it, but continuing UK reform keeps its long-term future under scrutiny
Companies operating in both jurisdictions should align to the stricter standard (typically the EU GDPR) while maintaining awareness of UK-specific requirements
Data transfers between the EU and UK currently flow freely under adequacy, but companies should prepare contingency mechanisms (EU SCCs or UK IDTA) in case adequacy is revoked
The ICO and EU Data Protection Authorities take different enforcement approaches, with the ICO historically issuing fewer but larger fines and prioritising guidance over penalties
You may need separate representatives in the EU (Article 27 EU GDPR) and the UK (Article 27 UK GDPR) if you lack an establishment in either territory
The UK left the European Union on 31 January 2020, but the EU GDPR continued to apply during the transition period, which ended on 31 December 2020. To avoid a regulatory vacuum when it ceased to apply, the UK took three steps:
Step 1: Retain EU law. The European Union (Withdrawal) Act 2018 converted the EU GDPR into UK domestic law. This "retained" version became the UK GDPR, with references to "Union law" and "Member State" replaced by references to "domestic law" and "the United Kingdom."
Step 2: Supplement with domestic legislation. The Data Protection Act 2018 (DPA 2018), which had been enacted alongside the EU GDPR, was updated to work with the UK GDPR as its supplementary legislation. Where the EU GDPR allows Member States to make specific provisions (so-called "opening clauses"), the DPA 2018 fills that role for the UK.
Step 3: Reform. The government's first attempt at post-Brexit reform, the Data Protection and Digital Information Bill, lapsed when Parliament was dissolved for the May 2024 general election. A revised package was enacted as the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 and amends both the UK GDPR and the DPA 2018. These amendments move the UK GDPR further from its EU parent in several important areas, although several of the Bill's more contentious proposals were dropped before enactment.
The result: the UK now has its own self-contained data protection regime. It started as a carbon copy of the EU GDPR but is becoming increasingly distinct.
EU GDPR vs UK GDPR: Complete Comparison
This table compares the two regimes across the dimensions most relevant to international compliance teams.

Dimension | EU GDPR | UK GDPR
Primary legislation | Regulation (EU) 2016/679 | UK GDPR (retained EU law via the European Union (Withdrawal) Act 2018)
Supplementary legislation | Member State implementing laws (e.g. the BDSG in Germany, the Loi Informatique et Libertés in France) | Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025
Supervisory authority | 27 national DPAs, coordinated by the EDPB; lead-authority mechanism for cross-border processing | Information Commissioner's Office (ICO), a single national authority
Territorial scope | Art. 3: applies to EU/EEA establishments and to non-EU controllers/processors targeting EU data subjects | Art. 3 UK GDPR and s.207 DPA 2018: applies to UK establishments and to non-UK controllers/processors targeting UK data subjects
Cookie rules | ePrivacy Directive 2002/58/EC, as implemented in national law | Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the DUAA (expanded consent exemptions)
Children's age of consent | Art. 8: default 16; Member States may lower to 13 | Art. 8 UK GDPR: 13 years
Automated decision-making | Art. 22: right not to be subject to solely automated decisions with legal or similarly significant effects; limited exceptions | Arts. 22A-22D UK GDPR (inserted by the DUAA): solely automated decisions generally permitted with safeguards, except where based on special category data
Representative requirement | Art. 27: non-EU controllers/processors targeting EU data subjects must appoint an EU representative | Art. 27 UK GDPR: non-UK controllers/processors targeting UK data subjects must appoint a UK representative
Data Protection Impact Assessment | Art. 35: required for high-risk processing; DPA blacklists/whitelists | Art. 35 UK GDPR: required for high-risk processing; ICO guidance on when required
Records of processing | Art. 30: required, except that organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk, is not occasional, or includes special category or criminal offence data | Art. 30 UK GDPR: same threshold and exceptions
Right to data portability | Art. 20: structured, commonly used, machine-readable format | Art. 20 UK GDPR: same right
Adequacy decisions issued | 15 countries/territories deemed adequate at the time of writing: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK, Uruguay and the US (EU-US Data Privacy Framework) | EU/EEA states, Gibraltar and the countries covered by pre-Brexit EU adequacy decisions, plus South Korea and the US (UK Extension to the EU-US Data Privacy Framework)
Where EU GDPR and UK GDPR Still Align
Despite the divergence, the two regimes remain substantially identical. The following core elements are effectively the same:

Area | Status
Core data protection principles (Art. 5) | Identical: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability
Lawful bases for processing (Art. 6) | Same six bases (with the UK's added recognised legitimate interests, discussed below)
Data subject rights | Same rights: access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making
Controller and processor obligations | Same accountability framework: records, DPIAs, data protection by design and by default
Breach notification | Same 72-hour notification to the supervisory authority; same obligation to notify data subjects of high-risk breaches
Data Protection Officer | Same circumstances requiring a DPO (public authority, large-scale regular and systematic monitoring, large-scale special category or criminal offence data)
DPIA requirements | Same risk-based approach; required for systematic and extensive profiling, large-scale special category data, and systematic monitoring of publicly accessible areas
Penalties structure | Same two-tier structure (lower tier for administrative failures, upper tier for substantive violations)
Binding Corporate Rules | Both regimes recognise BCRs as a valid transfer mechanism
For a company building a compliance programme from scratch, this overlap means a single set of core policies, procedures, and training will satisfy both regimes. The differences, while important, are mostly in the margins.
Where They Diverge: Key Differences in 2026
1. The Data (Use and Access) Act 2025
The DUAA is the most significant source of divergence. It received Royal Assent on 19 June 2025 and is being brought into force in stages by commencement regulations, so check which provisions are live before relying on them. Here are the key changes it makes to the UK regime, and the proposals from the earlier DPDI Bill that it dropped:

DUAA Change | What It Does | EU GDPR Equivalent
Recognised legitimate interests | Adds a closed list of "recognised legitimate interests" (e.g. disclosures requested by public bodies, national and public security, emergencies, crime prevention and detection, safeguarding vulnerable individuals) that can be relied on without a balancing test. Separately names direct marketing, intra-group transmission for internal administration, and network and information security as examples of purposes that may be legitimate interests, but these still require the balancing test | No equivalent list; Art. 6(1)(f) requires a balancing test for every legitimate interest claim
Cookie consent reform | Amends PECR so that certain low-risk cookies (e.g. statistical measurement of the service, appearance and functionality preferences) no longer need prior consent, provided users are informed and can easily object; also raises PECR penalties to UK GDPR levels | The ePrivacy Directive still requires prior consent for all non-essential cookies
Data Protection Officer | Unchanged: the DPDI Bill would have replaced the DPO with a "Senior Responsible Individual" without the expert-knowledge requirement, but that proposal was dropped before enactment | DPO requirements unchanged; must have expert knowledge
International data transfers | Introduces a "data protection test" (protection in the destination must not be materially lower than under the UK GDPR and DPA 2018) in place of the EU's "essentially equivalent" standard, for both adequacy regulations and controllers' own transfer risk assessments | EU retains the "essentially equivalent" standard from the Schrems II judgment
Automated decision-making | Replaces Art. 22 with Arts. 22A-22D: solely automated decisions with legal or similarly significant effects are generally permitted, subject to safeguards (informing the data subject, allowing representations, human intervention and contesting the decision); the old prohibition-with-exceptions model applies only to decisions based on special category data | Art. 22: prohibited unless necessary for a contract, authorised by law, or based on explicit consent
Scientific research | Broadens the definition of "scientific research" (including commercially funded research) and relaxes purpose limitation for research reuse | Narrower research provisions; EDPB guidance requires strong safeguards
Subject access requests | Codifies that controllers need only carry out "reasonable and proportionate" searches and may pause the response deadline while seeking clarification; the DPDI Bill's "vexatious or excessive" refusal threshold was not enacted, so "manifestly unfounded or excessive" remains | Retains the "manifestly unfounded or excessive" threshold
Records of processing | Unchanged: the DPDI Bill's proposal to limit Art. 30 records to high-risk processing was dropped before enactment | Art. 30 obligations unchanged
2. Different Enforcement Approaches
The ICO and EU Data Protection Authorities operate in fundamentally different ways:
Enforcement Dimension | EU DPAs | ICO
Number of authorities | 27 national DPAs plus EDPB coordination | Single authority
Enforcement philosophy | Varies by country; the Irish DPC and French CNIL are among the most active | Historically guidance-first; moving toward more enforcement under the current Commissioner
Largest fine to date | EUR 1.2 billion (Meta, Irish DPC, May 2023, for EU-US data transfers) | GBP 20 million (British Airways, 2020, reduced from an initial GBP 183 million notice of intent)
Typical fine level | Varies widely; the Luxembourg DPA fined Amazon EUR 746 million (2021), but most fines fall between EUR 10,000 and 500,000 | Most fines range from GBP 50,000 to 500,000; seven-figure fines are rare
Enforcement priorities (2025-2026) | AI, international transfers, online tracking, children's data | AI, online advertising, children's data, FOI compliance
Cross-border coordination | EDPB consistency mechanism; one-stop-shop for the lead authority | None needed (the UK is a single jurisdiction and sits outside the one-stop-shop)
Transparency | Most DPAs publish decision summaries | ICO publishes enforcement notices, monetary penalty notices and reprimands
Notable recent ICO enforcement actions:
Date | Organisation | Fine (GBP) | Reason
2023 | TikTok | 12,700,000 | Processing children's data without parental consent
2022 | Clearview AI | 7,552,800 | Unlawful processing of biometric data: facial images of UK residents scraped from the web without a lawful basis (the penalty was subsequently contested on appeal)
2020 | British Airways | 20,000,000 | Security failures leading to the 2018 data breach (reduced from an initial GBP 183m notice of intent)
2020 | Marriott International | 18,400,000 | Security failures related to the Starwood breach (reduced from an initial GBP 99m notice of intent)
3. Data Transfer Divergence
This is one of the most practically significant areas of divergence for companies operating in both jurisdictions.
Transfer Dimension | EU GDPR | UK GDPR
Standard for adequacy | "Essentially equivalent" level of protection (Schrems II standard) | "Data protection test" (DUAA): protection must not be materially lower than under the UK GDPR and DPA 2018
Standard contractual clauses | EU SCCs (Commission Implementing Decision (EU) 2021/914) | UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, both issued under s.119A DPA 2018
Transfer impact assessment | Required where relying on SCCs (per Schrems II and EDPB Recommendations 01/2020) | Transfer Risk Assessment required; the ICO's approach and the DUAA test are less prescriptive than the Schrems II approach
Countries with adequacy | 15 countries/territories | EU/EEA, Gibraltar and the pre-Brexit EU adequacy countries, plus South Korea and the US (via the UK Extension to the Data Privacy Framework)
US transfers | EU-US Data Privacy Framework (certified companies only) | UK Extension to the EU-US Data Privacy Framework (certified companies only)
Government access assessment | Detailed assessment required per EDPB Recommendations 01/2020 | Less prescriptive; ICO guidance focuses on practical risk
4. Different Approaches to AI and Automated Decision-Making
AI Dimension | EU GDPR | UK GDPR (post-DUAA)
Art. 22 scope | Strict: right not to be subject to solely automated decisions with legal or similarly significant effects, with narrow exceptions | Arts. 22A-22D: solely automated decisions with such effects are generally permitted provided safeguards are in place; the prohibition-with-exceptions model survives only for decisions based on special category data; decisions with "meaningful human involvement" fall outside the regime
Profiling rules | EDPB Guidelines on Automated Decision-Making and Profiling (strict interpretation) | ICO guidance (more permissive, particularly in business-to-business contexts)
AI-specific regulation | EU AI Act (Regulation (EU) 2024/1689) applies in parallel | No equivalent AI-specific legislation; the UK relies on a sectoral approach
Transparency requirements | Arts. 13-14: meaningful information about the logic involved, its significance and the envisaged consequences | Same baseline; the DUAA safeguards additionally require the data subject to be told that a solely automated decision was taken and to be able to make representations, obtain human intervention and contest it
Human review | EDPB: human review must be meaningful, performed by someone with the authority and competence to change the decision | ICO: "meaningful human involvement" test, applied with a lower threshold than the EDPB's
The UK Adequacy Decision
Background | On 28 June 2021, the European Commission adopted two adequacy decisions for the UK: Commission Implementing Decision (EU) 2021/1772 under the GDPR and a parallel decision under the Law Enforcement Directive. These decisions allow personal data to flow freely from the EU/EEA to the UK without additional transfer safeguards such as SCCs.
Sunset clause | Unique to the UK decisions: the first adequacy decisions with a built-in expiry date, initially four years, to 27 June 2025
2025 review | The European Commission reviewed the UK regime in 2025 against the Data (Use and Access) Act 2025 and extended the original decisions on an interim basis while the review completed
Current status (2026) | Renewed: the Commission determined that the UK continues to provide an adequate level of protection, while noting the DUAA's departures from EU standards and committing to monitor their application
Risk factors | UK government surveillance powers (Investigatory Powers Act 2016); DUAA divergence from EU standards; future UK adequacy regulations or "data bridges" with countries that lack EU adequacy, which would widen onward-transfer exposure for EU-origin data
What Happens If Adequacy Is Revoked
If the European Commission revokes or does not renew UK adequacy, the practical consequences would be significant:
Consequence | Impact
Data transfers from EU to UK | Would require alternative safeguards (EU SCCs, BCRs, or derogations) for every transfer
Compliance burden | Transfer Impact Assessments required for all UK transfers; supplementary measures may be needed
Business disruption | Contracts, privacy notices and data processing agreements would need updating; potential delays in data flows
Precedent | Would be the first revocation of an adequacy decision for a major trading partner
EU-based consultancies such as Vision Compliance advise dual-jurisdiction clients to keep contingency transfer mechanisms ready even while adequacy remains in force: EU SCCs for EU-to-UK flows, and the UK Addendum to those SCCs for their own UK-origin transfers to third countries. This ensures continuity if adequacy is revoked or allowed to lapse.
Data Transfers Between the UK and EU
Practical Guide: Which Mechanism Do You Need?
Scenario | Mechanism Required
EU to UK transfer | Currently none (the UK holds EU adequacy). Contingency: EU SCCs
UK to EU/EEA transfer | None: the UK has recognised all EU/EEA countries as adequate
EU to non-adequate third country | EU SCCs (2021 version), BCRs, or Art. 49 derogations
UK to non-adequate third country | UK IDTA, UK Addendum to the EU SCCs, BCRs, or derogations
EU to UK to non-adequate third country (onward transfer) | UK IDTA or UK Addendum for the UK-to-third-country leg; EU SCCs for the EU-to-UK leg only if adequacy lapses
UK IDTA vs EU SCCs: Comparison Table
Feature | EU SCCs (2021) | UK IDTA | UK Addendum to EU SCCs
Issuing authority | European Commission | ICO | ICO
Legal basis | Art. 46(2)(c) GDPR | s.119A DPA 2018 | s.119A DPA 2018
Structure | Modular (four modules: C-to-C, C-to-P, P-to-P, P-to-C) | Single document covering all transfer scenarios | Bolt-on that extends an existing set of EU SCCs to UK transfers, for use when you already rely on EU SCCs and need to cover UK data as well
Transfer Risk Assessment | Required (per Schrems II and EDPB Recommendations) | Required (Transfer Risk Assessment, less prescriptive) | Required
Language | Available in all EU official languages | English only | English only
Customisation | Limited; core clauses cannot be modified | More flexible; allows some tailoring | Limited; adds UK-specific terms to the EU SCCs
Best for | EU-headquartered companies transferring EU data | UK-headquartered companies transferring UK data | Companies already using EU SCCs that also need UK coverage
Practical recommendation: If you operate in both the EU and UK, the most efficient approach is to use the EU SCCs with the UK Addendum. This provides a single contractual framework covering both regimes. If you only operate in the UK, the UK IDTA is simpler.
Compliance Strategies for Dual-Jurisdiction Companies
For companies that process personal data of both EU and UK data subjects, maintaining two entirely separate compliance programmes is neither necessary nor efficient. The high degree of overlap between the two regimes allows for a unified approach with targeted adjustments.
Strategy 1: Align to the Stricter Standard
Area | Stricter Standard | Practical Approach
Legitimate interest | EU GDPR (always requires a balancing test) | Conduct a balancing test for all legitimate interest processing, even where the UK's recognised legitimate interests would exempt it
Cookie consent | EU GDPR / ePrivacy Directive (consent required for analytics) | Implement consent for all non-essential cookies across all markets
Data Protection Officer | Same in both regimes (the proposed UK "Senior Responsible Individual" was never enacted) | Appoint one DPO with the expert knowledge required by Arts. 37-39; the same person can serve both regimes
Subject access requests | EU GDPR ("manifestly unfounded or excessive" refusal threshold) | Apply the EU approach to search scope and refusals across both regimes
Automated decision-making | EU GDPR (Art. 22 prohibition with narrow exceptions) | Implement meaningful human review for all automated decisions with legal or similarly significant effects
Transfer impact assessments | EU GDPR (Schrems II standard) | Conduct full TIAs per EDPB Recommendations for all transfers, including UK transfers
Strategy 2: Maintain Unified Documentation with Jurisdiction-Specific Sections
Document | Common Content | Jurisdiction-Specific Content
Privacy policy | Data collection, purposes, lawful bases, retention, rights | Supervisory authority details (ICO for the UK, relevant DPA for the EU); representative details; transfer mechanisms
Records of processing | Processing activities, categories of data, recipients | Legal basis references (EU GDPR vs UK GDPR articles); transfer mechanisms used
Data processing agreements | Standard processor obligations, security measures | Governing law clause; transfer mechanism annexes (EU SCCs and/or UK IDTA/Addendum)
DPIA template | Risk assessment methodology, controls | Regulatory references; prior consultation threshold (relevant DPA vs ICO)
Breach notification procedure | Detection, assessment, containment | Notification authority (ICO vs relevant EU DPA); 72-hour timeline (same for both)
Cookie policy | Cookie categories, purposes | Consent mechanism details (the UK has broader analytics exemptions under the DUAA amendments to PECR)
Strategy 3: Separate Where Required
Certain elements must remain jurisdiction-specific:
Element | Why Separate
EU Representative (Art. 27 EU GDPR) | Must be established in the EU/EEA; cannot double as the UK representative
UK Representative (Art. 27 UK GDPR) | Must be established in the UK; cannot double as the EU representative
ICO registration | UK-specific requirement: most controllers must register with the ICO and pay the data protection fee
Lead DPA identification | The EU one-stop-shop mechanism does not include the ICO
Transfer mechanisms | EU SCCs for EU data; UK IDTA or UK Addendum for UK data
Vision Compliance helps international companies build unified compliance frameworks that satisfy both regimes while maintaining the necessary jurisdiction-specific elements. This approach typically reduces compliance costs by 30-40% compared to maintaining fully separate programmes.
Do I Need a UK Representative?
When a UK Representative Is Required
Under Article 27 of the UK GDPR (the retained version of Article 27 of the EU GDPR), a controller or processor must appoint a UK representative when all of the following apply:

Condition | Detail
No UK establishment | The controller or processor is not established in the UK
UK data subjects targeted | Art. 3(2) UK GDPR applies: the processing relates to offering goods or services to data subjects in the UK, or to monitoring their behaviour in the UK
No exemption applies | The processing does not fall within the exemptions below
Exemptions
A UK representative is not required if:
The controller/processor is a public authority or body
The processing is occasional, does not include large-scale processing of special category or criminal offence data, and is unlikely to result in a risk to the rights and freedoms of data subjects (Art. 27(2)(a) UK GDPR)
EU Representative vs UK Representative: Comparison
Aspect | EU Representative (Art. 27 EU GDPR) | UK Representative (Art. 27 UK GDPR)
Establishment | Must be in one of the EU/EEA Member States where the relevant data subjects are located | Must be in the United Kingdom
Role | Contact point for DPAs and data subjects; receives correspondence on behalf of the controller/processor | Contact point for the ICO and data subjects; receives correspondence on behalf of the controller/processor
Can the same entity fill both roles? | No: the EU representative must be established in the EU/EEA and the UK representative in the UK (a group with entities in both territories can appoint one in each) | No: same constraint in reverse
Liability | May be subject to enforcement proceedings if the controller/processor fails to comply | May be subject to enforcement proceedings by the ICO
Mandatory disclosure | Must be named in the privacy notice (Arts. 13-14) | Must be named in the privacy notice (Arts. 13-14 UK GDPR)
If your company is based outside both the EU and UK (for example, a US company), you may need two separate representatives: one in the EU under Article 27 EU GDPR and one in the UK under Article 27 UK GDPR. For a detailed guide on the EU representative requirement, see our GDPR Article 27 Representative Guide.
Frequently Asked Questions
Is UK GDPR the same as EU GDPR?
Not anymore. At the end of the Brexit transition period (31 December 2020), the UK GDPR was a near-identical copy of the EU GDPR retained in UK domestic law. Since then, the Data (Use and Access) Act 2025 has made material changes to the UK regime in areas including legitimate interests, cookie consent, international data transfers, subject access and automated decision-making. The core principles and data subject rights remain the same, but the regulatory detail is diverging. Companies operating in both jurisdictions need to track both regimes.
Do I need to comply with both?
Yes, if your organisation is established in both the EU and UK, or if you offer goods or services to data subjects in both territories, or if you monitor the behaviour of data subjects in both territories. Territorial scope is determined independently under each regime. A UK company selling to EU customers must comply with the EU GDPR. An EU company selling to UK customers must comply with the UK GDPR. A US company selling to both must comply with both. For a broader overview of EU GDPR obligations, see our GDPR Compliance Guide.
Will the UK lose EU adequacy?
It is possible but not imminent. The original 2021 decision carried a June 2025 expiry; the European Commission extended it on an interim basis while it reviewed the Data (Use and Access) Act 2025 and then renewed it, while flagging concerns about the UK's departures from EU standards, particularly the recognised legitimate interests and the less demanding international transfer test. The European Parliament has also raised concerns about UK surveillance powers under the Investigatory Powers Act 2016. The renewed decision remains subject to periodic review and can be suspended or repealed if the UK regime drifts further. If UK adequacy were revoked, data transfers from the EU to the UK would require alternative safeguards such as EU SCCs, so companies should maintain contingency transfer mechanisms.
Can I use the same privacy policy for both?
Yes, with jurisdiction-specific sections. A well-drafted privacy policy can cover both regimes in a single document. You will need separate sections for: the identity and contact details of your EU and UK representatives (if applicable), the relevant supervisory authority (the ICO for UK data subjects, the relevant EU DPA for EU data subjects), the specific transfer mechanisms used for each jurisdiction, and any differences in lawful bases (particularly where you rely on the UK's recognised legitimate interest categories). Some organisations prefer separate privacy policies for clarity; others use a single document with clearly labelled regional sections.
What are the ICO fines vs EU DPA fines?
The maximum fine under the UK GDPR is GBP 17.5 million or 4% of global annual turnover, whichever is higher. Under the EU GDPR, the maximum is EUR 20 million or 4% of global annual turnover. In practice, EU DPAs (particularly Ireland, Luxembourg, and France) have issued substantially larger fines than the ICO. The largest EU GDPR fine to date is EUR 1.2 billion (Meta, 2023). The largest ICO fine is GBP 20 million (British Airways, 2020). The ICO has historically favoured guidance, warnings, and reprimands alongside financial penalties, though enforcement activity has increased.
Do I need separate DPOs?
Not necessarily. The EU GDPR requires a DPO for certain organisations (public authorities, large-scale regular and systematic monitoring, large-scale special category processing). The UK GDPR has the same requirements: the DPDI Bill's proposal to replace the DPO with a "Senior Responsible Individual" was not carried into the Data (Use and Access) Act 2025, so the UK DPO regime is unchanged. A single individual can serve as DPO under both regimes, provided they have the requisite expertise and can be contacted by data subjects and supervisory authorities in both jurisdictions. The DPO should not also act as the Article 27 representative: the representative must be established in the relevant territory, and the EDPB regards combining the two roles as a conflict of interest.
What about cookies post-Brexit?
Cookie rules in the EU are governed by the ePrivacy Directive (2002/58/EC), as implemented in national law, which requires prior consent for all cookies that are not strictly necessary. In the UK, the equivalent rules are in the Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025. The DUAA added consent exemptions for certain low-risk cookies (for example statistical measurement of the service and appearance or functionality preferences), provided users are informed and given a simple way to object, and raised PECR penalties to UK GDPR levels; the cookie provisions are being commenced in stages, so check the ICO's current guidance before relying on an exemption. For companies operating in both markets, the practical approach is to obtain consent for all non-essential cookies to satisfy the stricter EU standard, while potentially using the UK exemptions for UK-only properties.
How does the UK Data Protection Act 2018 differ from the GDPR?
The DPA 2018 is not an alternative to the GDPR; it works alongside the UK GDPR as supplementary legislation. It fills the "opening clauses" that the EU GDPR leaves to Member States, covering areas such as: the age of consent for children's data (set at 13 in the UK), exemptions for journalism, academia and research, national security and intelligence service processing (Part 4), law enforcement processing (Part 3, implementing the EU Law Enforcement Directive), and immigration exemptions. The Data (Use and Access) Act 2025 then amended both the UK GDPR and the DPA 2018 to implement the UK government's post-Brexit data protection reforms. For companies operating in the EU, the DPA 2018 is the UK's equivalent of the national implementing laws that each EU Member State has enacted to supplement the EU GDPR.
Related Resources
GDPR Compliance Guide — Complete guide to EU GDPR compliance for organisations of all sizes
GDPR for US Companies — Practical guide for US companies navigating EU and UK data protection requirements
Data Sovereignty in the EU — Understanding EU data localisation requirements and their impact on UK transfers
Data Protection Services — Vision Compliance's data protection advisory services for international companies
Sources: Regulation (EU) 2016/679 (EU GDPR), UK GDPR (retained EU law), Data Protection Act 2018, Data (Use and Access) Act 2025, Commission Implementing Decision (EU) 2021/1772 (UK adequacy), ICO enforcement notices, EDPB Guidelines and Recommendations, Privacy and Electronic Communications Regulations 2003 (PECR), European Union (Withdrawal) Act 2018
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.