In one sentence. As of 2026, the UK GDPR and EU GDPR remain substantially aligned in their core principles, lawful bases, and rights — but the UK’s Data (Use and Access) Act 2025 (DUAA) introduces meaningful divergences in cookie rules, automated decision-making, subject access requests, international transfers, and ICO governance. The EU Commission’s adequacy decision for the UK (issued June 2021, renewed 2025 for 4 years) keeps EU→UK data flows free of additional safeguards — but the Commission monitors divergence and could withdraw adequacy if the gap widens. For controllers operating in both jurisdictions, the divergence map matters most for cookies, AI use cases, DSAR handling thresholds, and international onward transfers.
The UK adopted GDPR via the UK GDPR + Data Protection Act 2018, effective 1 January 2021 post-Brexit. Since then, the UK has progressively diverged through the Data Protection and Digital Information Bill (failed) and its 2025 successor, the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in June 2025 and is being phased into force through 2026.
Key takeaways
- Core framework substantially aligned — principles, lawful bases, rights, fines structure mirror EU GDPR.
- DUAA 2025 introduces UK-specific changes: cookies, ADM, DSAR, transfers, ICO restructure.
- UK retains adequacy with the EU (renewed June 2025, valid 4 years).
- Cookies: UK now permits some analytics cookies without consent.
- ADM: UK permits more Article 22-equivalent decisions with safeguards.
- DSARs: UK allows refusal/charging for “vexatious or excessive” requests with broader criteria than EU.
- International transfers: UK has “data bridges” approach independent of EU adequacy decisions.
- ICO replaced by Information Commission (governance restructure under DUAA).
1. Where UK and EU still align (the 90%)
These provisions are essentially identical:
- 6 lawful bases (Article 6)
- 8 data subject rights (transparency, access, rectification, erasure, restriction, portability, objection, ADM safeguards)
- Special category data protections (Article 9)
- Children’s protection (Article 8)
- Controller/processor distinction
- DPIA obligation (high risk processing)
- DPO designation criteria
- Breach notification (72h to authority + risk-based to subjects)
- ROPA obligation
- International transfer mechanisms (SCCs, BCRs, adequacy)
- Two-tier fines structure (up to £17.5M/4% in UK; €20M/4% in EU)
- One-stop-shop equivalent (not applicable post-Brexit)
2. Cookies — material divergence
EU position
PECR/ePrivacy Directive + GDPR Article 4(11) + EDPB Guidelines 05/2020: all non-essential cookies require consent, including analytics.
UK position post-DUAA
DUAA Schedule 12 amends PECR: analytics cookies no longer require consent if they only collect aggregate, non-identifying data for service improvement. Other cookies still need consent.
Practical impact: A UK-only site can drop analytics consent banners. A multi-jurisdictional site still needs consent for EU visitors → most operators run dual-track (geo-based consent or single highest-common-denominator banner).
3. Automated decision-making — material divergence
EU position
Article 22: prohibition of solely automated decisions with legal/significant effect, narrow exceptions, SCHUFA case (C-634/21) tightened “solely automated” interpretation.
UK position post-DUAA
DUAA Section 80: automated decisions are permitted for non-special-category data, provided:
- Data subject is informed
- Right to human intervention available
- Right to contest the decision
Special category data still requires explicit consent OR substantial public interest.
Practical impact: UK businesses get more latitude for AI-driven decisions (credit, hiring, pricing). EU operations remain bound by Article 22’s stricter regime.
4. Subject access requests — material divergence
EU position
Articles 12-15: must respond within 1 month, extendable by a further 2 months. Can refuse only if “manifestly unfounded or excessive” — interpreted narrowly.
UK position post-DUAA
DUAA introduces broader grounds for refusal/charging:
- “Vexatious or excessive” replaces “manifestly unfounded or excessive”
- Repeat requests can be refused more easily
- ICO guidance permits proportionality assessment
- Time clock pauses while clarification sought from requester
Practical impact: UK controllers face lower DSAR burden. EU controllers retain the strict interpretation.
5. International transfers — divergence emerging
EU approach
Article 45 adequacy decisions, Article 46 SCCs (2021 modernised version), Schrems II + TIA requirement.
UK approach
- Data bridges — UK can recognize third-country adequacy independently
- UK recognized adequacy for: all EU/EEA states, Switzerland, Argentina, Israel, Japan, Canada (commercial), New Zealand, Korea, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, United States (UK-US Data Bridge, October 2023), Kenya, Vietnam (under DUAA roadmap 2026)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- TIA equivalent: ICO “Transfer Risk Assessment” tool, less prescriptive than EDPB version
Practical impact: UK→US transfers via the Data Bridge are simpler than EU→US (which requires DPF certification only for DPF-listed organizations).
6. ICO restructure — governance divergence
DUAA replaces the Information Commissioner’s Office (ICO) with the Information Commission — a multi-member board (chair + commissioners) instead of single Commissioner. Effective 2026.
Practical changes:
- Decision-making by board majority
- Enforcement strategy set by board
- Some new powers around codes of conduct
- Closer Treasury oversight on regulatory cost
The EU equivalent remains the EDPB (board of national authorities) + national DPAs.
7. Fines structure
| Element | EU GDPR | UK GDPR (post-DUAA) |
|---|---|---|
| Lower tier | €10M or 2% turnover | £8.7M or 2% turnover |
| Upper tier | €20M or 4% turnover | £17.5M or 4% turnover |
| Calculation criteria | Article 83(2) — 11 criteria | DPA 2018 Schedule 17 — substantially same |
| Methodology | EDPB Guidelines 04/2022 | ICO/Information Commission internal guide |
| Worldwide turnover | Yes — Volkswagen ruling | Yes |
8. Lawful basis differences
DUAA introduces “recognized legitimate interests” — pre-cleared use cases that don’t require LIA balancing test:
- Direct marketing to existing customers (with opt-out)
- Crime/safeguarding processing
- Statutory processing
- Limited intra-group transfers for administration
EU GDPR retains case-by-case LIA test for all legitimate interest reliance.
9. Research and statistical exemption
DUAA broadens the UK research exemption (DPA 2018 Schedule 2 Part 6). UK allows:
- Broader consent for research purposes (“research purposes” not narrowly defined at consent time)
- Easier exemption from Article 15 access rights for research data
- Lower threshold for “scientific research” qualification
EU GDPR remains stricter on research purpose specification.
10. Adequacy risk — the watching variable
The EU Commission renewed UK adequacy in June 2025 for 4 years (to 2029), with explicit monitoring of DUAA implementation. Withdrawal would require EU operators to use SCCs+TIA for UK transfers — significant friction.
Commission criteria for withdrawal:
- Material weakening of data subject rights
- Loss of supervisory authority independence
- Lower fine ceilings undermining deterrence
- Inadequate surveillance safeguards
DUAA was carefully designed to stay within adequacy bounds. The 2029 renewal review is the next critical date.
11. Compliance strategies for multi-jurisdictional operations
Strategy A — Highest common denominator
Apply EU GDPR everywhere (including UK). Simplest, costs flexibility.
Strategy B — Dual-track
EU rules for EU data subjects, UK rules for UK data subjects. Requires:
- Geo-IP detection
- Two consent banners
- Two privacy notices
- Two SAR processes
- Two ADM frameworks
Most complex, maximum optimization.
Strategy C — Hybrid
EU rules for substantive areas (rights, fines, transfers), UK relaxations for low-risk areas (cookies, research).
Most multinationals use Strategy A for substantive compliance + Strategy C for cookies and DSAR triage.
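The dual-track and hybrid strategies above both come down to one runtime decision: for this visitor, in this jurisdiction, does this cookie category need prior consent? The following is an added example, not code from the article or from Legiscope, of a consent gate that encodes the section 2 divergence (EU: every non-essential category needs consent; UK post-DUAA: analytics exempt only when it collects aggregate, non-identifying data) and fails closed to the EU rule set when geo-IP lookup returns nothing usable. The category names, the checklist flags used to approximate the "aggregate, non-identifying" condition, and the country-code mapping are this example's own assumptions; the statute defines none of them.

```javascript
// Added example (not from the article or from Legiscope): a fail-closed,
// jurisdiction-aware consent gate for a dual-track site.

// Cookie categories used by this example (constructed).
const CATEGORIES = ["essential", "analytics", "marketing"];

// Hypothetical checklist approximating "aggregate, non-identifying data for
// service improvement". The flag names are this example's own assumption.
function isAggregateOnly(cfg) {
  return Boolean(cfg)
    && cfg.persistentUserId === false
    && cfg.ipAnonymised === true
    && cfg.crossSiteTracking === false
    && cfg.purpose === "service-improvement";
}

// Per-jurisdiction rule sets, as summarised in the article.
const RULES = {
  EU: {
    // ePrivacy: every non-essential category needs prior consent, analytics included.
    consentRequired: (category) => category !== "essential",
  },
  UK: {
    // DUAA: analytics is exempt only when the configuration is aggregate-only.
    consentRequired: (category, analyticsCfg) => {
      if (category === "essential") return false;
      if (category === "analytics" && isAggregateOnly(analyticsCfg)) return false;
      return true;
    },
  },
};

// Map a geo-IP country code to a rule set. Anything that is not clearly the
// UK (including a failed lookup) gets the strictest rule set, so the gate
// fails closed rather than open. Mapping is this example's assumption.
function resolveJurisdiction(countryCode) {
  if (typeof countryCode !== "string") return "EU";
  return countryCode.toUpperCase() === "GB" ? "UK" : "EU";
}

// Decide whether a category may be activated for this visitor.
// `consents` is the set of categories the visitor has affirmatively opted into.
function mayActivate(category, countryCode, consents, analyticsCfg) {
  if (!CATEGORIES.includes(category)) return false; // unknown category: deny
  const jurisdiction = resolveJurisdiction(countryCode);
  const needsConsent = RULES[jurisdiction].consentRequired(category, analyticsCfg);
  return !needsConsent || consents.has(category);
}

// Build the per-visitor decision table a consent manager would apply.
function decisionTable(countryCode, consents, analyticsCfg) {
  const out = {};
  for (const c of CATEGORIES) out[c] = mayActivate(c, countryCode, consents, analyticsCfg);
  return out;
}

// Constructed analytics configuration that satisfies the aggregate-only checklist.
const AGGREGATE_ANALYTICS = {
  persistentUserId: false,
  ipAnonymised: true,
  crossSiteTracking: false,
  purpose: "service-improvement",
};

// Constructed walk-through: a visitor who has given no consent, in three situations.
if (typeof require !== "undefined" && require.main === module) {
  const none = new Set();
  console.log("UK, aggregate analytics:", decisionTable("GB", none, AGGREGATE_ANALYTICS));
  console.log("EU visitor:            ", decisionTable("DE", none, AGGREGATE_ANALYTICS));
  console.log("geo-IP lookup failed:  ", decisionTable(undefined, none, AGGREGATE_ANALYTICS));
}
```

The design point is the default: when the lookup fails, the visitor is treated as EU, so a geo-IP outage degrades to Strategy A rather than silently dropping analytics cookies on EU visitors. A UK visitor only loses the analytics exemption when the analytics configuration stops being aggregate-only, which is the condition a reviewer should test whenever the tag configuration changes.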
12. Tooling
Legiscope maintains side-by-side UK vs EU compliance matrices, flags processing activities affected by DUAA divergence, and generates jurisdiction-specific privacy notices and DSAR workflows.
For related reading: GDPR Article 44 transfers, GDPR Article 22 automated decisions, GDPR cross-border data transfers.
Conclusion
The UK GDPR remains ~90% aligned with the EU GDPR. The 10% that diverges — cookies, ADM, DSAR thresholds, international transfers, ICO governance — matters disproportionately for operational design. The 2025 adequacy renewal buys 4 years of free EU→UK data flows; the Commission’s 2029 review will judge whether DUAA implementation stayed within bounds. For most multinationals, applying EU GDPR substantively + UK relaxations tactically (cookies, DSAR triage) is the pragmatic path.
FAQ
Is the UK GDPR the same as the EU GDPR?
Substantially yes for core principles, lawful bases, and rights. But the Data (Use and Access) Act 2025 introduces divergences in cookies, automated decision-making, DSAR refusal grounds, international transfers, and ICO governance.
Does EU→UK data still flow freely?
Yes — the EU Commission renewed the UK adequacy decision in June 2025 for 4 years. EU→UK transfers don’t require SCCs or other safeguards as long as adequacy holds.
What is the Data (Use and Access) Act 2025?
The UK’s 2025 reform of data protection law (DUAA). It received Royal Assent June 2025 and is being phased through 2026. It modernizes UK GDPR with cookies relaxations, ADM permissions, DSAR refinements, and replaces the ICO with the Information Commission.
Are UK cookies rules different from EU?
Yes — DUAA exempts analytics cookies from consent requirements when collecting only aggregate, non-identifying data. EU still requires consent for all non-essential cookies under ePrivacy/PECR.
What’s the UK-US Data Bridge?
A UK extension of the EU-US Data Privacy Framework (October 2023) allowing UK→US transfers to organizations certified under the Data Bridge to take place without additional safeguards.