What is the difference between EU GDPR and UK Data Protection Act 2018?
The EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (DPA 2018) are closely related, but there are some key differences due to the UK’s departure from the European Union (Brexit).
Here’s a breakdown:
Similarities
Core Principles: Both laws are based on the same core data protection principles: lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity, and accountability.
Rights of Individuals: Both provide individuals with similar rights, including access to data, rectification, erasure (“right to be forgotten”), data portability, and objection to processing.
Legal Bases for Processing: Both require a legal basis for processing personal data (consent, contract, legal obligation, vital interests, public task, legitimate interests).
EU GDPR
Jurisdiction: Applies to organisations operating in the EU or handling data of EU residents.
EU-wide: It’s a regulation, so it’s directly applicable across all EU member states without the need for national legislation.
Supervisory Authorities: Managed by each EU country’s supervisory authority under the oversight of the European Data Protection Board (EDPB).
Cross-border Data Transfers: Transfers outside the EU require appropriate safeguards, like Standard Contractual Clauses (SCCs) or adequacy decisions.
UK Data Protection Act 2018 (Post-Brexit Context)
Jurisdiction: Applies to organisations operating in the UK or processing data of UK residents.
UK GDPR: After Brexit, the UK incorporated the GDPR into domestic law, now called UK GDPR, and it works alongside the DPA 2018.
National Tailoring: The DPA 2018 adds UK-specific provisions, like exemptions for journalism, research, and national security.
Supervisory Authority: The Information Commissioner’s Office (ICO) oversees enforcement in the UK.
Data Transfers: The UK recognises the EU as “adequate” for data transfers, and the EU recognises the UK as adequate in turn (as at the time of writing), but either decision could change.
Key Differences
| Feature | EU GDPR | UK DPA 2018 / UK GDPR |
|---|---|---|
| Geographic Scope | EU & international orgs handling EU data | UK & international orgs handling UK data |
| Supervisory Body | EU-based (EDPB and national bodies) | UK ICO |
| Legal Status | Direct EU regulation | UK domestic law combining DPA + UK GDPR |
| National Derogations | Limited | UK-specific exemptions and adaptations |
| Adequacy Decisions | Made by EU Commission | Made by UK government |
In Practice
If a company handles both EU and UK personal data, it must comply with both sets of regulations. That often means having:
Representatives in both jurisdictions (if required),
Separate legal documentation (e.g., privacy notices, contracts),
Dual regulatory compliance strategies.