
UK GDPR vs EU GDPR: What Actually Differs

Since Brexit, the UK keeps its own version of the GDPR. The two are still close cousins, but a few practical differences shape who you ask, which regulator helps, and how your rights are framed.

In short

UK GDPR and EU GDPR share the same core rules and rights. The main difference is who oversees them: the UK ICO for the UK GDPR, and each country's own data protection authority for the EU GDPR. They also differ on territorial scope and a few national tweaks, but your everyday rights look almost identical.

Why there are two versions at all

From 25 May 2018 a single law, the EU's General Data Protection Regulation (GDPR), applied across the UK and the rest of the European Union. When the UK left the EU, it did not throw that law away. Instead, at the end of the Brexit transition period (31 December 2020) it carried the GDPR over into UK law, made some technical adjustments, and renamed the result the UK GDPR. It sits alongside the UK's Data Protection Act 2018, which supplements it.

So the two laws started from exactly the same text. That is why the rights you have read about — access, erasure, rectification, objection — exist in both, with the same names and broadly the same meaning. If you understand one, you already understand most of the other.

The split matters less for what you can ask and more for who you ask, and who steps in if something goes wrong. The rest of this article walks through the differences that actually show up in practice.

  • Both descend from the same EU regulation (Regulation (EU) 2016/679), which has applied since 2018.
  • Your core data rights are present in both, with the same names.
  • The UK GDPR is read together with the Data Protection Act 2018.
  • This is general information, not legal advice.

The differences that actually matter to you

The clearest difference is the regulator. Under the UK GDPR, the body that oversees data protection and handles complaints is the Information Commissioner's Office (ICO). Under the EU GDPR, each member state has its own data protection authority — for example, France's CNIL or Ireland's DPC — and you generally deal with the one in your country.

Territorial scope is the next practical point. The UK GDPR applies to organisations established in the UK, and to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the UK; the EU GDPR applies the same test to the EU and the wider European Economic Area. An organisation that serves people in both regions usually has to follow both laws at once, which is why many privacy notices mention each separately.

There are also smaller, country-level tweaks. The UK and individual EU states can set their own rules in certain areas, such as the age at which a child can consent to online services offered directly to them (13 in the UK; 16 by default under the EU GDPR, which member states may lower to as little as 13), or specific exemptions. These rarely change the shape of a routine data request, but they explain why two privacy policies covering the same product can read slightly differently.

  • Regulator: the ICO for the UK; a national authority for each EU country.
  • Scope: UK-linked data versus EU/EEA-linked data.
  • Cross-border services may have to honour both laws.
  • Minor national variations exist (for example, the digital age of consent: 13 in the UK, between 13 and 16 across EU states).

What this means when you exercise your rights

The good news is that the day-to-day experience of using your rights is very similar under both laws. A request for a copy of your data, a data subject access request or DSAR, works the same way: you ask the organisation directly, it may ask you to confirm your identity where it has reasonable doubts, and it generally has one month to respond, extendable by up to two further months for complex or numerous requests. Erasure, correction, and objection follow the same pattern.

The thing to get right is which regulator you turn to if a request is ignored or refused. If the organisation falls under the UK GDPR, the ICO is your escalation route. If it falls under the EU GDPR, you go to the data protection authority in the relevant country. When you are unsure, the organisation's privacy notice usually names the law and regulator it answers to.

OSINTA is built to help you see your own digital footprint and prepare your own requests under whichever framework applies to you — it suggests, you decide and send. None of this is legal advice; for a decision with real stakes, a qualified adviser who knows your situation is the right call. For more detail on making a request, the DSAR guide below is a practical next step.

  • DSAR mechanics (ask the organisation, verify identity, one-month response, extendable by up to two months in complex cases) are the same in both.
  • Escalate to the ICO for UK GDPR matters, or the relevant national authority for EU GDPR.
  • Check a privacy notice to confirm which law applies before you escalate.

Frequently asked questions

Is the UK GDPR weaker than the EU GDPR?

No. The UK GDPR began as a direct copy of the EU GDPR and keeps the same core rights and obligations. The differences are mainly about which regulator oversees it and a few national adjustments, not a reduction in your everyday rights.

If a company operates in both the UK and the EU, which law applies to me?

Often both. An organisation handling data linked to the UK follows the UK GDPR, and data linked to the EU or EEA follows the EU GDPR. Its privacy notice should explain how it applies each one. Where you are based usually points to the regulator you would contact.

Who do I complain to if my request is ignored?

For matters under the UK GDPR, the Information Commissioner's Office (ICO) is the body to approach. For matters under the EU GDPR, it is the data protection authority in the relevant country. Confirm which law applies first by checking the organisation's privacy notice.

Does a DSAR work differently under each version?

Not in practice. Under both, you ask the organisation directly, confirm your identity if asked, and it generally responds within one month, extendable by up to two further months for complex or numerous requests. The mechanics are essentially the same; the regulator you escalate to differs.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Know which rules apply, then act with confidence

Whether your data falls under the UK or EU GDPR, your rights are real and yours to use. See how to make a request, or join the waitlist to map your own footprint when OSINTA opens.