UK GDPR After Brexit: What Changed and What You Need to Do
Two GDPRs, One Website
Since Brexit, the UK operates under its own data protection framework: the UK GDPR (the EU GDPR as retained in UK law) plus the Data Protection Act 2018. If your website serves visitors in both the EU and the UK, you now need to comply with two separate but very similar legal frameworks.
What Stayed the Same
The good news: UK GDPR is almost identical to EU GDPR in substance. The core requirements haven't changed:
- Same lawful bases for processing (consent, legitimate interest, etc.)
- Same data subject rights (access, erasure, portability)
- Same requirements for cookie consent (prior opt-in for non-essential cookies)
- Same data breach notification requirements (72 hours)
- Same maximum fine structure (17.5 million GBP or 4% of global annual turnover, whichever is higher)
If you're already GDPR-compliant, you're 95% of the way to UK GDPR compliance.
What Changed
1. Supervisory Authority
UK data protection is enforced by the Information Commissioner's Office (ICO), not EU data protection authorities. The ICO has its own enforcement priorities and interpretation of the rules.
2. Data Transfers
The UK is treated as a "third country" under EU GDPR. However, the EU issued an adequacy decision for the UK in June 2021, meaning data can flow freely from the EU to the UK (for now — this is reviewed every four years).
Transfers from the UK to the EU are unrestricted. Transfers from the UK to other countries require safeguards (Standard Contractual Clauses or adequacy decisions).
3. UK Representative
If your business is based outside the UK but processes UK residents' data, you may need to appoint a UK representative — similar to the EU representative requirement under Article 27.
4. Potential Future Divergence
The UK government has signalled interest in reforming data protection law to be more "business-friendly." The Data Protection and Digital Information Bill (now Act) introduced some changes, including relaxing some record-keeping requirements for low-risk processing. However, core consent requirements for cookies remain unchanged.
Cookie Consent Under UK GDPR
The UK's Privacy and Electronic Communications Regulations (PECR) govern cookies specifically. The requirements are essentially the same as the EU's ePrivacy Directive:
- Non-essential cookies require prior opt-in consent
- Consent must be informed, specific, and freely given
- Users must be able to refuse without losing site access
- Necessary cookies are exempt
The ICO has been actively enforcing PECR, issuing guidance and reprimands to websites with non-compliant cookie banners.
How LegalBanner Handles UK GDPR
LegalBanner detects UK visitors and applies the correct compliance framework automatically. From a practical standpoint, the consent banner behaves the same for EU and UK visitors since the requirements are nearly identical. Your privacy policy should reference both EU GDPR and UK GDPR/PECR as applicable legal frameworks.
Ready to fix your cookie consent?
Deploy a compliant banner in 5 minutes. No coding required.