
What is the difference between EU GDPR and UK Data Protection Act 2018?

The EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (DPA 2018) are closely related, but there are some key differences due to the UK’s departure from the European Union (Brexit).

Here’s a breakdown:

Similarities
  • Core Principles: Both laws are based on the same core data protection principles: lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity, and accountability.

  • Rights of Individuals: Both provide individuals with similar rights, including access to data, rectification, erasure (“right to be forgotten”), data portability, and objection to processing.

  • Legal Bases for Processing: Both require a legal basis for processing personal data (consent, contract, legal obligation, vital interests, public task, legitimate interests).

EU GDPR
  • Jurisdiction: Applies to organisations operating in the EU or handling data of EU residents.

  • EU-wide: It’s a regulation, so it’s directly applicable across all EU member states without the need for national legislation.

  • Supervisory Authorities: Managed by each EU country’s supervisory authority under the oversight of the European Data Protection Board (EDPB).

  • Cross-border Data Transfers: Transfers outside the EU require appropriate safeguards, like Standard Contractual Clauses (SCCs) or adequacy decisions.

UK Data Protection Act 2018 (Post-Brexit Context)
  • Jurisdiction: Applies to organisations operating in the UK or processing data of UK residents.

  • UK GDPR: After Brexit, the UK incorporated the GDPR into domestic law, now called UK GDPR, and it works alongside the DPA 2018.

  • National Tailoring: The DPA 2018 adds UK-specific provisions, like exemptions for journalism, research, and national security.

  • Supervisory Authority: The Information Commissioner’s Office (ICO) oversees enforcement in the UK.

  • Data Transfers: The UK recognises the EU as “adequate” for data transfers, and vice versa (as of now), but this could change.

Key Differences
Feature              | EU GDPR                                   | UK DPA 2018 / UK GDPR
---------------------|-------------------------------------------|--------------------------------------------
Geographic Scope     | EU & international orgs handling EU data  | UK & international orgs handling UK data
Supervisory Body     | EU-based (EDPB and national bodies)       | UK ICO
Legal Status         | Direct EU regulation                      | UK domestic law combining DPA + UK GDPR
National Derogations | Limited                                   | UK-specific exemptions and adaptations
Adequacy Decisions   | Made by EU Commission                     | Made by UK government

In Practice

If a company handles both EU and UK personal data, it must comply with both sets of regulations. That often means having:

  • Representatives in both jurisdictions (if required),

  • Separate legal documentation (e.g., privacy notices, contracts),

  • Dual regulatory compliance strategies.
