Privacy & Regulation Updated Apr 15, 2026

GDPR vs UK GDPR: What's the Difference?

The EU GDPR and UK GDPR are based on the same original regulation, but they are now separate laws governed by different authorities, and they are slowly drifting apart. When the UK left the EU, it adopted the EU GDPR into domestic law as the "UK GDPR", alongside the Data Protection Act 2018. The core data protection principles still match, but the UK's Data Protection and Digital Information Act 2024 (DPDIA) has introduced material differences. The biggest one is around cookie consent, where the UK now allows analytics cookies without user consent.

How UK GDPR came into existence

When the UK left the EU on 31 January 2020 (with the transition period ending 31 December 2020), the European Union (Withdrawal) Act 2018 "onshored" the EU GDPR into domestic law as the UK GDPR. It sits alongside the Data Protection Act 2018 (DPA 2018), which supplements it and covers areas the GDPR left to member states.

At the point of adoption, the UK GDPR was textually near-identical to the EU GDPR. References to "the Union" were swapped for "the United Kingdom", and the ICO (Information Commissioner's Office) took over from EU supervisory authorities. Since then, the two have started to diverge.

Key differences between EU GDPR and UK GDPR

| Area | EU GDPR | UK GDPR |
|---|---|---|
| Supervisory authority | National DPAs, coordinated through the EDPB | ICO (Information Commissioner's Office) |
| Cookie consent (analytics) | Consent required | Consent not required (post-DPDIA) |
| Cookie consent (marketing) | Consent required | Consent still required |
| Legitimate interest | Requires balancing test | "Recognised legitimate interests" list, no balancing test for listed purposes |
| Data transfer mechanisms | EU SCCs (Standard Contractual Clauses) | UK IDTA / UK Addendum (EU SCCs not valid) |
| Data Protection Officer | Required for certain controllers | Replaced by "Senior Responsible Individual" for many organisations |
| Age of consent (digital services) | 16 (member states can lower to 13) | 13 |
| Cookie law | ePrivacy Directive (implemented per member state) | PECR (Privacy and Electronic Communications Regulations) |

The biggest practical difference: analytics cookies

For website operators, the biggest day-to-day divergence is around analytics cookies. Under EU rules (the ePrivacy Directive, implemented in each member state), consent is required for all cookies that are not strictly necessary. That includes analytics cookies like the ones set by Google Analytics.

The UK's DPDIA amended PECR to exempt analytics cookies and certain other low-impact cookies from the consent rule. A UK-only website can therefore load analytics tracking without showing a cookie consent banner for those purposes.

In practice, most companies that serve both EU and UK visitors apply the stricter EU rule everywhere. Running two consent configurations (one for EU visitors and one for UK visitors) adds complexity and risk. If your site already requires consent for analytics cookies to comply with EU law, there is not much practical benefit in lifting that requirement for UK users alone.

Data transfers and the adequacy decision

The EU granted the UK an adequacy decision in June 2021, which lets personal data flow freely from the EU to the UK without additional safeguards. The decision was initially valid for four years and has been extended, although the European Commission continues to monitor UK divergence, particularly the DPDIA changes.

If adequacy were ever revoked, organisations transferring personal data between the EU and UK would have to implement Standard Contractual Clauses or other transfer mechanisms, which is a significant compliance burden. EU SCCs are not valid for UK transfers; the UK has its own International Data Transfer Agreement (IDTA) and UK Addendum.

Do I need to comply with both?

If your website is accessible to visitors in both the EU and the UK, which most websites are, you need to comply with both regimes. Being compliant with EU GDPR does not automatically make you compliant with UK GDPR. Specifically:

  • Your privacy notice should name the ICO for UK users and the relevant national DPA for EU users.
  • Use the right transfer mechanism for each route: EU SCCs for EU transfers, UK IDTA or UK Addendum for UK transfers.
  • If you are established outside the UK, you may need a UK representative under Article 27 of the UK GDPR, separate from any EU representative.
  • Apply the stricter consent standard. In practice, applying EU-level consent rules across both jurisdictions is the simplest way to satisfy both.

Why this matters for your website

The hard part is not understanding the legal differences. The hard part is knowing what your site actually does. Most sites load third-party cookies and tracking pixels from dozens of vendors, many of which the site operator never explicitly chose. Whether you need consent for analytics cookies under UK law or EU law, you first have to see exactly what is loading, from where, and at what point.

Tagmaps scans your website from locations around the world, interacts with your consent banner, and maps every cookie, script, and tracker back to its source. The result is a clear view of what is actually happening on your site, which is what you need to assess compliance under both EU GDPR and UK GDPR.
