UK GDPR and the Data Protection Act 2018: What's the Difference — and Why Does It Matter for Your Career?

May 28 / Matt Dowling

Quick Answer:

  • The UK GDPR and the Data Protection Act 2018 are two separate pieces of legislation that work together to govern data protection in the UK — you cannot fully understand one without the other
  • UK GDPR sets out the core principles and individual rights framework; the Data Protection Act 2018 supplements it with UK-specific provisions, exemptions, and enforcement powers
  • Since Brexit, the UK operates its own data protection regime — the UK GDPR — which is separate from but closely aligned with the EU GDPR
  • The UK data protection landscape is actively evolving — the Data (Use and Access) Act 2025, which amends UK GDPR and the DPA 2018, came into force in February 2026, introducing new lawful bases and other changes that data protection professionals need to understand
  • Understanding all of this is essential for anyone working in data protection, compliance, HR, legal, or any role involving personal data — and is a core component of the BCS Foundation and Practitioner Certificates in Data Protection


If you work in an organisation that handles personal data — which in practice means almost every organisation in the UK — you have almost certainly encountered the terms GDPR and the Data Protection Act 2018. Many people use them interchangeably. They are not the same thing. Understanding the difference between them, and how they work together, is fundamental to data protection practice in the UK.

This post explains both clearly, without legal jargon.


What is GDPR?

GDPR stands for General Data Protection Regulation. It was adopted by the European Union in 2016 and became enforceable across all EU member states on 25 May 2018, as a single, unified data protection framework. Before GDPR, each EU country had its own data protection laws, written to implement the 1995 Data Protection Directive, and they varied significantly. GDPR replaced that patchwork with a single regulation that applied consistently across Europe.

GDPR established the core framework for how personal data should be collected, stored, used, and protected. Its six data protection principles in Article 5(1) (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality), together with the accountability principle in Article 5(2), which requires the controller to be able to demonstrate compliance with the other six, remain the foundation of data protection practice in the UK today.

GDPR also established key individual rights, including the right to access personal data held about you, the right to have data corrected or erased, the right to restrict processing, the right to object to processing, and the right to data portability.


What happened to EU GDPR after Brexit?

When the UK left the European Union, it ceased to be bound by EU law, including EU GDPR. However, rather than creating an entirely new data protection framework from scratch, the UK incorporated EU GDPR into domestic law as retained EU law under the European Union (Withdrawal) Act 2018, and amended it through the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 so that references to the EU, member states and EU institutions work in a purely UK context. The result is a new, separate legal instrument known as UK GDPR.

UK GDPR came into force on 1 January 2021, at the end of the Brexit transition period. It is largely identical to EU GDPR in its principles, individual rights, and obligations — but it is a distinct UK legal instrument, maintained and updated by the UK government rather than by the EU.

This matters practically because organisations that operate in both the UK and the EU must now comply with two separate but closely aligned regimes — UK GDPR for their UK processing activities, and EU GDPR for their EU processing activities.


What is the Data Protection Act 2018?

The Data Protection Act 2018 (DPA 2018) is the UK's domestic legislation that works alongside UK GDPR. It came into force on 25 May 2018, the same day EU GDPR became enforceable, and was originally written to supplement EU GDPR; at the end of the transition period it was amended to supplement UK GDPR instead. It does not replace UK GDPR. It supplements it.

Think of UK GDPR as the primary framework and the Data Protection Act 2018 as the legislation that fills in the gaps, adapts the framework to the UK context, and covers areas that GDPR deliberately left for member states to regulate themselves.

Specifically, the Data Protection Act 2018 covers:

Areas outside UK GDPR's scope. UK GDPR covers general data processing by most organisations. The DPA 2018 separately regulates processing for law enforcement purposes by "competent authorities" such as the police and prosecutors (Part 3, which implements the EU Law Enforcement Directive) and processing by the intelligence services (Part 4). Both are areas that GDPR explicitly excluded from its scope. Part 2 of the Act also applies a GDPR-style regime to a small amount of processing that falls outside UK GDPR, such as manual unstructured records held by public authorities.

UK-specific exemptions and derogations. The DPA 2018 sets out specific circumstances in which UK GDPR's requirements can be modified or disapplied — for example, for national security purposes, for journalism and research, or for processing in the context of legal proceedings.

The age of consent. EU GDPR (Article 8) allows each member state to set the age from which a child can consent to "information society services" such as apps, games and social networks, anywhere between 13 and 16. Section 9 of the DPA 2018 set this at 13 for the UK, and that figure now appears directly in Article 8 of UK GDPR. Note that this applies to consent for online services offered directly to a child, not to every kind of processing of children's data.

The Information Commissioner's Office. The DPA 2018 (Part 5) continues the office of the Information Commissioner, known as the ICO, as the UK's supervisory authority for data protection, and (Part 6) sets out its powers and enforcement mechanisms, including information notices, enforcement notices and monetary penalties. For the most serious breaches of UK GDPR the maximum penalty is £17.5 million or 4% of worldwide annual turnover, whichever is higher; the sterling figures are set by section 157 of the DPA 2018 alongside Article 83 of UK GDPR.

Special category data and criminal offence data conditions. UK GDPR bans processing of special category data (for example health, biometric, genetic, racial or ethnic origin, religious belief and sexual orientation data) unless one of the Article 9 conditions applies, and several of those conditions require a basis in domestic law. Schedule 1 of the DPA 2018 supplies that domestic basis, for example for employment, substantial public interest and research purposes. Criminal convictions and offences data is not special category data; it is governed separately by Article 10 of UK GDPR, and Schedule 1 of the DPA 2018 likewise sets out the conditions under which it can be processed.


How do UK GDPR and the Data Protection Act 2018 work together?

They must be read together. UK GDPR provides the overarching principles and rights framework. The DPA 2018 fills in the detail, provides UK-specific adaptations, and governs areas outside GDPR's scope. For most organisations, compliance with UK data protection law means complying with both.

A practical way to understand the relationship is this: if you receive a Subject Access Request from an employee or customer, Article 15 of UK GDPR gives them the right to make it and sets the one-month response deadline. Schedule 2 of the DPA 2018 then tells you which UK-specific exemptions might let you withhold some of the data, for example information covered by legal professional privilege or relating to ongoing legal proceedings.

Most day-to-day data protection questions — lawful basis for processing, consent, data subject rights, breach notification, data protection by design — are answered primarily by UK GDPR. Situations involving law enforcement, intelligence processing, national security, or specific UK statutory exemptions are addressed by the DPA 2018.


What is the difference between UK GDPR and EU GDPR?

Since Brexit, UK GDPR and EU GDPR have been separate legal instruments. In practice, they remain very closely aligned — the UK government incorporated EU GDPR substantially unchanged at Brexit and has since maintained close alignment to preserve data flows between the UK and EU.

The most significant practical differences are:

Jurisdiction. EU GDPR applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3). UK GDPR applies the same tests to organisations established in the UK and to those targeting or monitoring people in the UK. It is the location of the organisation and of the people whose data is processed that matters, not their nationality or residency status. Organisations caught by both regimes must comply with both.

Supervisory authority. Under EU GDPR, enforcement is by the relevant EU member state data protection authority (such as the ICO's Irish counterpart, the DPC, which oversees many of the large US tech companies' EU operations). Under UK GDPR, the ICO is the sole supervisory authority.

Adequacy. The EU has granted the UK an adequacy decision, meaning personal data can flow freely from the EU to the UK without additional safeguards. This decision was renewed in December 2025 and runs through December 2031 — providing organisations that rely on EU-to-UK data transfers with a stable basis for the foreseeable future, though it remains subject to review.

Active divergence: the Data (Use and Access) Act 2025. The UK data protection landscape has already begun to diverge from EU GDPR. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with the majority of its data protection provisions coming into force on 5 February 2026. The DUAA amends but does not replace UK GDPR or the DPA 2018. Its most significant changes include a new lawful basis for processing, "recognised legitimate interests", for a fixed list of purposes such as national security, crime prevention and safeguarding, which removes the need for organisations to carry out the usual three-part legitimate interests balancing assessment for those purposes; and a narrowing of the Article 22 restriction on solely automated decisions with legal or similarly significant effects so that it applies only to decisions based on special category data, with other automated decisions instead subject to safeguards such as the right to request human intervention. The ICO's guidance on the DPA 2018 is currently under review to reflect these changes. Data protection professionals need to track this legislation actively, as further provisions are expected to come into force in the remainder of 2026.


Why does understanding this matter for your career?

Whether you are a data protection professional, a DPO, a compliance officer, a solicitor, or someone whose role involves handling personal data, understanding the relationship between UK GDPR and the Data Protection Act 2018 is not optional — it is fundamental.

Organisations in every sector — financial services, healthcare, education, retail, technology, the public sector — are required to comply with both instruments. The professionals responsible for that compliance need to understand how the two pieces of legislation interact, where the exemptions lie, and how to apply both in practice.

There are currently over 4,375 data protection jobs advertised in the UK, with DPO salaries in London averaging £69,638 and reaching over £146,000 for senior professionals. The demand is driven not just by GDPR but by the growing complexity of the UK data protection landscape — AI, automated decision-making, biometric data, and children's data are all creating new compliance challenges that require professionals with structured, current knowledge.


How does Duco Digital Training help?

Both the UK GDPR and the Data Protection Act 2018 — their principles, individual rights, lawful bases, special category data provisions, DPO obligations, breach notification requirements, and enforcement mechanisms — are core components of the BCS Foundation and Practitioner Certificates in Data Protection.

At Duco Digital Training, our data protection courses are taught by Mandy Hargun — Legal Counsel, qualified solicitor, and BCS Accredited Trainer with over 18 years of hands-on data protection experience. Mandy's teaching draws directly on her experience applying these laws in practice, not just explaining them in theory.

Both courses are delivered fully online and self-paced, with 12 months of access, your BCS exam fee included, and Pass Assist support throughout — including live tutor calls, practice exam papers, and WhatsApp support.

BCS Foundation Certificate in Data Protection — the structured starting point for anyone needing to understand UK data protection law and how to apply it in an organisation.


BCS Practitioner Certificate in Data Protection — the advanced professional certificate for those with data protection responsibilities, including DPOs, compliance leads, and privacy managers. Recognised by employers as a required or highly desirable qualification for DPO-level roles.

Browse our data protection courses and take the first step toward a career in one of the UK's fastest-growing professional fields.

Still unsure which course is right for you? Speak to one of our advisers today on WhatsApp. Alternatively, use the Contact Us page. We are happy to talk through your goals and which certificate makes the most sense for you. Most enquiries get a response within the hour, Monday to Friday.



Note: This post is for general guidance only and does not constitute legal advice. Data protection law is complex and subject to change. For advice specific to your organisation's circumstances, consult a qualified data protection professional or legal adviser.
