
UK GDPR explained: data protection law after Brexit

When the UK left the EU, it retained the EU's General Data Protection Regulation in UK law through the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. The result is "UK GDPR" — a substantively similar but legally separate framework that has been diverging from EU GDPR since Brexit. Understanding both the similarities and the divergences is essential for any UK business that processes personal data.

What UK GDPR looks like in practice

For day-to-day compliance purposes, UK GDPR looks almost identical to EU GDPR. The six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) are the same. The individual rights — access, rectification, erasure, restriction, portability, objection — are the same. The accountability obligations — records of processing, privacy by design, data protection impact assessments (DPIAs) for high-risk processing — are the same. The ICO is the supervisory authority and has the same enforcement powers, including fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.

The practical differences are in international data transfers and the regulatory relationship with the EU. The EU has granted the UK an "adequacy decision" — a determination that UK law provides an equivalent level of protection to EU GDPR — which means data can flow freely between the EU and UK without additional safeguards, for as long as that adequacy decision stands.

International data transfers from the UK

Transferring personal data from the UK to countries outside the UK requires a transfer mechanism. The UK has its own adequacy regulations covering countries deemed to provide adequate protection (currently including the EU/EEA countries and a number of other jurisdictions). For transfers to countries without adequacy, the UK uses its own version of Standard Contractual Clauses — the International Data Transfer Agreement (IDTA) — or the Addendum to the EU Standard Contractual Clauses for contracts that also cover EU data. For the US, the UK Extension to the EU-US Data Privacy Framework provides a mechanism for UK-to-US transfers to US organisations certified under it.

In practice, if you use US-based SaaS tools (as most online businesses do), you need to ensure you have a valid transfer mechanism in place with each processor. Most major providers — Stripe, Mailchimp, Google, AWS, Cloudflare — publish their UK transfer documentation. Review each provider's Data Processing Agreement and confirm it includes the appropriate UK transfer mechanism; keep a record of which mechanism applies to each processor, since that record is what the ICO will ask for if a transfer is questioned.

What the DPDI Act 2025 changed

The Data Protection and Digital Information (DPDI) Act 2025 made several UK-specific modifications to the UK GDPR framework. Key changes include: a simplified framework for legitimate interests assessments for specified categories of processing; new provisions for "recognised legitimate interests" that do not require a balancing test; updated rules on automated decision-making that are slightly more permissive than EU GDPR Article 22; changes to cookie consent rules under PECR (allowing analytics cookies to be treated as "strictly necessary" in limited circumstances for certain trusted third-party providers); and a new framework for digital identity verification. The ICO has published detailed guidance on the DPDI Act changes. Businesses should review this guidance if their processing activities touch any of the amended areas, and should not assume that a change in UK law is mirrored in EU GDPR, since divergence in these areas can affect the basis on which the EU adequacy decision rests.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.
