The EU General Data Protection Regulation defined the modern privacy landscape: every framework on the other pages of this site is descended from it, compared to it, or measured against it. The UK retained its own version after Brexit and, through the Data (Use and Access) Act 2025, has now begun to actively diverge, particularly on automated decision-making, recognised legitimate interests, and DSAR mechanics. EU adequacy held: in July 2025 the European Commission launched the process to adopt renewed adequacy decisions that treat the post-DUAA UK regime as adequate. The divergence is real, but the bridge stands. This page is the working brief for organisations operating into the EEA, the UK, or both.
The EU GDPR is the source. The UK GDPR is the post-Brexit retained version, operating alongside the Data Protection Act 2018. For five years they were operationally identical. The Data (Use and Access) Act 2025 — Royal Assent 19 June 2025 — changed that. The frameworks now share most of their text but diverge meaningfully on automated decision-making, lawful bases, DSAR mechanics and a number of operational details. Both regimes still anchor to the same global standards.
The General Data Protection Regulation has applied since 25 May 2018 (it entered into force on 24 May 2016 with a two-year transition), replacing the 1995 Data Protection Directive and taking direct effect across all EU member states. Eight years on, it is the most enforced privacy framework in the world, with cumulative fines exceeding €5 billion and a body of regulatory guidance and case law that defines current practice not just in Europe but globally.
Processing of personal data in the context of activities of an establishment in the EU, regardless of where processing takes place. Plus extra-territorial reach under Article 3(2) — non-EU controllers and processors offering goods/services to EEA-resident data subjects, or monitoring their behaviour. Excludes processing by competent authorities for law enforcement (Law Enforcement Directive 2016/680 covers that), national security, and purely personal/household activity.
The fine regime under Article 83 has produced multi-billion euro outcomes. Meta: €1.2 billion (May 2023, Irish DPC, transfer mechanisms). Amazon: €746 million (Luxembourg, 2021). TikTok: €530 million (May 2025, Irish DPC, transfers to China). Beyond headline fines, the practical day-to-day discipline is shaped by the EDPB's binding decisions, national DPA guidance, and a substantial body of EU court case law, including Schrems II (transfers), Planet49 (cookie consent), Google Spain (right to be forgotten) and, at the General Court, Bindl v Commission (non-material damages for an unlawful transfer).
Six bases: consent, contract, legal obligation, vital interests, public interest / official authority, legitimate interests. Each with its own conditions and proper applicability test.
Mandatory for public authorities, large-scale regular monitoring, large-scale special category data. Must be independent, expert, reachable. Reports to highest management.
Adequacy decisions (Art. 45), SCCs (Art. 46, 2021 modular set), BCRs (Art. 47), derogations (Art. 49). Schrems II requires Transfer Impact Assessment for non-adequate corridors.
72-hour notification to the supervisory authority (running from when the controller becomes aware; not required where the breach is unlikely to result in a risk to individuals). Individual notification where the risk is high. NIS2 sectoral overlay for critical entities adds a 24-hour early warning.
The UK retained the GDPR text after Brexit, supplementing it with the Data Protection Act 2018. For five years the regime ran in lock-step with the EU. The Data (Use and Access) Act 2025 — third attempt at reform after two failed DPDI bills — received Royal Assent on 19 June 2025, with most provisions in force from 5 February 2026. The reform is targeted rather than radical, deliberately calibrated to preserve EU adequacy while introducing meaningful divergence on specific operational areas.
The DUAA is the third major reform attempt — succeeding two earlier DPDI Bills that expired in Parliament. The earlier bills proposed more radical departure from EU GDPR; concerns about EU adequacy renewal — set to expire December 2025 — pushed the government toward a more measured DUAA text. The European Commission launched the process to adopt new adequacy decisions on 22 July 2025, confirming the UK regime remained adequate notwithstanding the DUAA changes.
UK adequacy was originally conferred in June 2021. The decisions were due to expire June 2025; were extended to December 2025 to allow DUAA assessment; and the European Commission moved to adopt new adequacy decisions in July 2025. The position is stable but not permanent — future divergence (particularly any future expansion of the DUAA or successor reforms) could trigger renewed adequacy review. Practitioners should treat adequacy as an ongoing watch item, not a settled matter.
Active enforcement track record. Penalty ceilings: £17.5M / 4% standard, £8.7M / 2% lower tier. Recent material fines on TikTok (children's data), Clearview AI, multiple data brokers.
Provisions taking effect in phases — most on 5 February 2026, others requiring further commencement regulations and ICO guidance through 2026.
RoPA still required. UK representative still required for foreign controllers. DSAR refusal grounds for vexatious requests not extended (DPDI proposal that didn't survive).
RLI lawful basis added. ADM regime fundamentally reworked. DSAR clock-stopping permitted. International transfers reformed. ICO governance overhauled. Children's data new provisions.
The DUAA is targeted reform — most of the UK GDPR remains identical to the EU GDPR, but there are six specific areas where divergence is now operationally real. Multinational organisations operating into both EU and UK need to understand each — for UK-only processing the new flexibilities can be material; for cross-jurisdictional processing the divergence creates compliance complexity rather than relief.
Each of the six changes below alters specific UK GDPR mechanics. None changes the core protective architecture — but each creates UK-specific operational practice that diverges from EU GDPR baseline.
A new seventh lawful basis under Article 6(1) of UK GDPR: "Recognised Legitimate Interests" (RLI). Defined categories (set out in a new Annex 1 to the UK GDPR) where the legitimate interests balancing test does not need to be performed. Reference: UK GDPR Art. 6(1), new RLI basis.
The most significant divergence. Article 22 (automated decision-making prohibition) repealed and replaced with new Articles 22A to 22D. Solely automated decisions with legal or similarly significant effects are now generally permitted with safeguards rather than prohibited by default; decisions based on special category data remain restricted. Reference: UK GDPR Arts. 22A to 22D.
Controllers may stop the DSAR response clock when they reasonably need clarification of scope from the requester. Not in the EU regime; practical operational relief for UK-only DSAR handling. Reference: DUAA ss. 75 to 79.
Chapter V of UK GDPR amended through DUAA Schedules 7 to 9. New "data protection test" framework for adequacy assessments. Practical effect: more flexibility for UK adequacy decisions, but the IDTA / UK Addendum and BCR mechanics are retained. Reference: DUAA s. 85 + Schedules 7 to 9.
New Chapter 8A in UK GDPR. Research, archiving and statistics ("RAS purposes") consolidated under one set of safeguards, combining what was Article 89 plus DPA 2018 s. 19. Operational simplification for legitimate research processing. Reference: UK GDPR Ch. 8A, new Art. 84A.
Composition and powers of the regulator reformed: the Information Commissioner (a corporation sole) is replaced by the Information Commission, a body corporate with a board structure, and given new statutory duties to have regard to growth and innovation alongside data protection. Practical effect on enforcement style still developing. Reference: DUAA ICO provisions.
Working comparison matrix for groups operating into both the EU and the UK. The "Diverges" label flags the points where the DUAA introduced UK-specific change. For most processing, the regimes remain operationally close enough that a single program with UK-specific overlays handles both. For ADM-heavy processing or RLI-reliant operations, the divergence is material enough to warrant an explicit jurisdictional split.
| Dimension | EU GDPR | UK GDPR + DUAA 2025 |
|---|---|---|
| Primary instrument | Regulation (EU) 2016/679; direct effect across the EEA | UK GDPR + DPA 2018 + DUAA 2025; retained EU law as amended |
| Regulator | National DPAs in every member state; EDPB coordinates; one-stop-shop for cross-border processing | ICO (becoming the Information Commission under the DUAA); single national regulator |
| Lawful bases (Art. 6) | Six bases: consent, contract, legal obligation, vital interests, public interest, legitimate interests | Diverges: seven bases; the six EU bases plus Recognised Legitimate Interests (RLI) |
| Automated decisions (Art. 22) | Prohibited by default unless a narrow exception applies (explicit consent, contract, authorisation by law); CJEU SCHUFA (C-634/21) confirmed Art. 22 operates as a prohibition | Diverges: generally permitted with safeguards; Art. 22 replaced by Arts. 22A to 22D; legitimate interests acceptable for ADM not based on special category data |
| DPO requirement (Art. 37) | Three triggers: public authority, large-scale regular monitoring, large-scale special category data | Three triggers, same as EU; DUAA did not change DPO appointment grounds |
| DSAR mechanics | One-month response window, extendable by two months where requests are complex or numerous; refusal only where manifestly unfounded or excessive | Diverges: one month plus clock-stop; controllers may stop the clock when they reasonably need scope clarification (DUAA ss. 75 to 79) |
| Breach notification | 72 hours to the DPA; individuals notified where high risk; NIS2 24-hour early-warning overlay for critical entities | 72 hours to the ICO; same threshold as EU; aligned breach notification regime |
| International transfers (Ch. V) | Adequacy + SCCs + BCRs; Schrems II TIA requirement; EU-US Data Privacy Framework (July 2023) | Diverges: reformed under DUAA with a new "data protection test"; IDTA / UK Addendum mechanics retained; UK Extension to the DPF (the "data bridge", October 2023) for US transfers |
| Research / archiving (RAS) | Article 89 safeguards; member-state derogations possible; fragmented in practice | Diverges: new Chapter 8A; RAS purposes consolidated under a single, clearer safeguards regime |
| Penalty ceiling | €20M or 4% of worldwide annual turnover, whichever is higher; lower tier €10M / 2% | £17.5M or 4% of worldwide annual turnover, whichever is higher; lower tier £8.7M / 2% |
| Enforcement maturity | €5bn+ cumulative fines (Meta €1.2bn, Amazon €746m, TikTok €530m); deep CJEU case law | Active ICO enforcement (TikTok children's data, Clearview AI, data brokers); new regulator governance under DUAA |
| Cross-flow status | UK adequacy decision in place; July 2025 process launched to adopt renewed decisions under the post-DUAA framework | Adequacy held; the Commission found the UK adequate post-DUAA; future divergence remains a watch item |
For most multinational programs, a single GDPR-aligned operating model still works. Treat the EU regime as the baseline and layer UK-specific overlays into UK-only processing flows for the divergences that touch day-to-day processing (RLI, ADM, DSAR clock-stop, RAS purposes); the transfer and regulator-governance changes land at program level rather than in individual flows. Where ADM is core to the product (recruitment platforms, lending decisions, content moderation), the divergence is material enough to warrant explicit jurisdictional design rather than a single program.
Practical workstreams for organisations operating into the EEA, the UK, or both. Most clients already have some GDPR program in place — the work is more often gap-closing, audit-readiness and divergence-mapping than ground-up build. Where ground-up build is needed (typical for new market entry from outside Europe), the workstreams below are the structural baseline.
Diagnostic against EU GDPR and UK GDPR (post-DUAA). Gap report against current state, prioritised remediation, divergence-aware program design. Where the organisation has existing GDPR posture, reassessment for DUAA changes lands as targeted update rather than full rebuild.
For multinationals — explicit mapping of where EU and UK regimes now differ. ADM operations, RLI-reliant processing, DSAR workflows, RAS-purposes processing all require jurisdiction-specific design. Single-program-with-overlays vs. fully-split-program decision sits here.
Trigger assessment under EU GDPR Art. 37 / UK GDPR Art. 37. DPO recruitment, qualification, independence, reporting line. For multinationals, single DPO function with EU-rep and UK-rep coverage. DPOaaS arrangements common where in-house hire is not justified.
Records of Processing under Article 30. Single integrated register with regime-tagging. For ADM-heavy organisations, additional Article 22 / 22A — D processing inventory. Sub-processor mapping; international flow visibility.
DPIA methodology aligned to Article 35. DPIA library covering all high-risk processing. Active register, sign-off governance, refresh cycle on material change. EDPB and ICO methodology guidance both incorporated.
Inventory of cross-border flows. Schrems II Transfer Impact Assessment for EU-to-non-adequate corridors. EU SCCs (2021 modular set) for EU outbound. UK IDTA + UK Addendum for UK outbound. EU-US Data Privacy Framework where applicable.
Consent flow design meeting Article 7 standards. Lawful basis register for non-consent processing. For UK, RLI assessment for processing falling within the new recognised categories. EU separate balancing test for Art. 6(1)(f) legitimate interests.
Operational mechanism for Articles 12 — 22 rights. One-month response window with documented extension protocol. For UK, DUAA clock-stop protocol where scope clarification needed. Channel accessibility, ID verification, response templates.
Where ADM is in scope — Article 22 (EU) and 22A — 22D (UK) governance. EU explicit consent / contractual basis design. UK safeguard architecture (information, response opportunity, human intervention, contestability). Material divergence point — separate workflow design typically required.
72-hour notification protocol — EU national DPA and UK ICO mechanisms. Multi-jurisdiction breach choreography for incidents touching both. NIS2 24-hour overlay for critical entities under EU regime. Coordinated drafting; consistent factual narrative across jurisdictions.
For controllers / processors outside EEA / UK, mandatory representative appointments under Article 27 EU GDPR and equivalent UK provisions. Practical engagement of representative service providers, contact-point publication, regulator-facing role.
GDPR work is delivered through one of three engagement shapes — depending on whether the program needs building, operating, or specialist input. For organisations entering EU / UK markets for the first time, the build is substantial. For groups with established programs, the work is typically divergence reassessment plus DUAA-driven update.
For organisations entering EU / UK markets, or with material program gaps. End-to-end build: readiness, RoPA, DPIA library, transfer mechanism, DSR machinery, ADM governance, breach playbook. Or refresh-engagement for established programs adapting to DUAA changes.
For organisations triggered into mandatory DPO appointment under Article 37. Named DPO carried, DPA / ICO-facing, board-engaged. For multinationals, single DPO function covering both EU and UK regimes with appropriate independence and resourcing.
For organisations with in-house privacy capability needing senior backup on harder GDPR questions — Schrems II analysis, Art. 22 / 22A — D ADM design, RLI assessment, DUAA divergence interpretation, regulator escalation strategy. Block-hour retainer.
Common GDPR questions in late 2025 / early 2026 — particularly around the DUAA divergence and what it means operationally for organisations that already have established GDPR programs.
The DUAA isn't a complete overhaul — but the changes to ADM, lawful bases, DSAR mechanics and transfers are real. Most established GDPR programs need targeted update rather than ground-up rebuild. A 30-minute scoping call costs nothing — we will tell you honestly which DUAA changes affect your processing, where the EU / UK divergence creates compliance complexity, and what the right shape of work looks like.