UK Data Protection in 2026: UK GDPR, the DPDI Act, and Post-Brexit Divergence
The UK's data protection framework has gradually diverged from EU GDPR since Brexit. Where UK GDPR sits in 2026 and what the DPDI Act actually changed.
The UK’s data protection framework — UK GDPR, the Data Protection Act 2018, and the more recently enacted Data Protection and Digital Information Act 2024 — has gradually diverged from EU GDPR since Brexit. The divergence has been measured rather than dramatic, but specific changes affect engineering teams operating across the UK and the EU.
I want to walk through where UK data protection actually sits in 2026.

The framework
The UK data protection landscape consists of:
- UK GDPR — substantively the same as EU GDPR but with UK-specific amendments, including specific provisions reflecting the post-Brexit context.
- Data Protection Act 2018 — the UK’s domestic data protection law, which transposed and supplemented GDPR pre-Brexit and now sits alongside UK GDPR.
- Data Protection and Digital Information Act 2024 (DPDI Act) — the most-discussed recent change, enacting various reforms intended to reduce the compliance burden on UK organizations while maintaining adequacy with the EU.
- The Information Commissioner’s Office (ICO) — the supervisory regulator, with substantial operational independence and enforcement capability.
- The EU adequacy decision for the UK — granted in 2021, with periodic reviews scheduled. The 2025 review concluded with continued adequacy but with specific monitoring elements.
What the DPDI Act changed
The Data Protection and Digital Information Act 2024 introduced specific changes from the pre-existing framework:
- Records of processing requirements — modified to reduce the documentation burden for smaller organizations.
- DPIA requirements — modestly relaxed in scope, with the threshold for mandatory DPIA raised slightly.
- Subject access requests — clarified the standards for processing SARs and the fees that can be charged for excessive requests.
- Cookie consent — clarified the conditions under which cookies can be used without explicit consent (specifically for analytics in some narrow circumstances).
- Automated decision-making — modified some of the GDPR Article 22 provisions to provide more flexibility for businesses while maintaining safeguards.
- The role of the ICO — modified to provide additional oversight mechanisms.
The cumulative effect has been a meaningful but not dramatic divergence from EU GDPR. Practitioners running combined UK/EU programs can usually use the EU GDPR posture as a ceiling, with UK-specific adaptations.
Adequacy and cross-border transfer
The EU’s adequacy decision for the UK is operationally significant. The implications:
- EU-to-UK transfer is permitted without additional safeguards (Standard Contractual Clauses, etc.) under the adequacy decision.
- UK-to-EU transfer is similarly facilitated under UK GDPR’s recognition of EU adequacy.
- UK transfers to third countries can use the EU SCCs (with UK modifications) or the UK’s own International Data Transfer Agreement (IDTA).
- The adequacy review process has been conducted with continued recognition; further reviews are scheduled.
The adequacy decision is meaningful because losing it would require substantial transfer-mechanism work for UK-EU data flows. The 2024-2025 DPDI Act changes were deliberately calibrated to maintain adequacy.
ICO enforcement posture
The ICO has been progressively more active in enforcement through 2022-2026:
- Children’s data has been a particular priority — multiple fines and orders.
- AdTech and cookies — continued enforcement on cookie banner compliance.
- AI-related processing — increasing engagement on AI governance.
- Public-sector data handling — substantial public-sector enforcement.
- Adtech ecosystem — broader scrutiny of the IAB TCF and related advertising-tech.
ICO fines have been substantial but generally smaller than the European DPA equivalents (which can exceed €200M for the largest infractions).
Practical engineering implications
For an enterprise operating in the UK in 2026:
- Identify whether you process UK data, EU data, or both — the regulatory framework differs.
- Records of processing maintained under both UK GDPR and UK DPA requirements (with DPDI Act modifications).
- DPIA process for higher-risk processing, with the DPDI Act-adjusted thresholds.
- Cookie consent under the DPDI Act adjustments — typically still requires explicit consent for non-essential cookies.
- DSAR workflow with the response timelines and the fee structures clarified under DPDI.
- Cross-border transfer documentation — IDTAs or modified SCCs as appropriate.
- DPO designation where required.
- AI processing impact assessments integrated with the broader DPIA workflow.
- Breach detection and notification — 72 hours to the ICO for most breaches.
- Annual privacy program review with documented findings.
Sector-specific UK considerations
A few sector-specific overlays:
- Financial services under FCA oversight have specific data-handling expectations beyond UK GDPR.
- Healthcare under MHRA, the Caldicott principles, and the NHS-specific frameworks (covered here).
- Telecommunications under Ofcom and the relevant communications-specific regulations.
- Public sector under the Freedom of Information Act and the Public Sector Equality Duty considerations.
What’s coming in 2026 and 2027
Three things to watch:
- The next EU adequacy review — scheduled within the planning horizon.
- ICO enforcement priorities continue to evolve, with AI and children’s data likely to remain prominent.
- Sector-specific guidance continues to be issued.
Where pdpspectra fits
Our privacy compliance work spans the UK and the broader EU. We help clients navigate the UK-specific framework, the cross-jurisdictional considerations, and the operational implementation.
Related reading: the Germany GDPR enforcement post, the cross-border data transfer post, and the India DPDPA compliance post.
UK data protection is gradually diverging from the EU framework. Talk to our team about your compliance program.