Published 21 May 2026

UK GDPR vs EU GDPR for marketers buying data

Last updated: 21 May 2026

UK GDPR and EU GDPR share the same structure of lawful bases, data subject rights, and accountability obligations, but diverge on the supervisory authority (the ICO for UK data, each member state's national DPA for EU data), the adequacy mechanisms used for international transfers, and a small set of UK-specific adaptations introduced by the Data Protection Act 2018 and post-Brexit instruments. UK data sits under UK GDPR plus the Privacy and Electronic Communications Regulations (PECR); EU data sits under EU GDPR plus the relevant national ePrivacy laws in each member state.

Key points

Why this question matters for data buyers

Before Brexit, a UK marketer buying a contact list and using it for a UK campaign only had one regulatory framework to think about: the EU GDPR as it applied in the UK. Since 31 December 2020, there are two parallel regimes. They look very similar, but the distinctions matter whenever you are buying data, sending cross-border campaigns, or transferring records to a processor in a different jurisdiction.

The confusion is compounded by the fact that most data providers and compliance guides were written under the original EU GDPR and have not been fully updated. The practical result is that some UK marketers are over-engineering compliance for purely UK campaigns (applying EU transfer mechanisms they do not need) while others are under-engineering it for EU campaigns (assuming PECR covers contacts in Paris or Berlin). Neither position is correct.

UK GDPR vs EU GDPR: a side-by-side comparison

The table below covers the dimensions that matter most when buying and using contact data in the UK. Where the two regimes are identical in substance, that is noted explicitly, because the similarities are as important as the differences.

| Dimension | UK GDPR | EU GDPR |
| --- | --- | --- |
| Governing legislation | UK GDPR (retained EU law) plus the Data Protection Act 2018 | Regulation (EU) 2016/679, directly applicable in all 27 member states |
| Supervisory authority | Information Commissioner's Office (ICO), Wilmslow | National DPA in each member state (e.g., CNIL in France, BfDI in Germany, DPC in Ireland) |
| Lawful bases (Article 6) | Identical: consent, contract, legal obligation, vital interests, public task, legitimate interests | Identical: same six bases in the same Article 6 structure |
| Electronic marketing rules | PECR (UK): B2C email and SMS requires prior opt-in consent; B2B email to corporate addresses permitted under soft opt-in or where LIA supports it | National ePrivacy Directive implementations vary by member state; some (Germany, Austria) apply stricter B2B rules than the UK does |
| International data transfers | UK Transfer Mechanism (IDTA or Addendum to EU SCCs) required for transfers to countries without UK adequacy status; EU has had UK adequacy since June 2021 | EU Standard Contractual Clauses (SCCs) required for transfers to third countries without EU adequacy status; the UK has EU adequacy but this is subject to review |
| Maximum administrative fine | Up to £17.5 million or 4% of annual global turnover, whichever is higher | Up to €20 million or 4% of annual global turnover, whichever is higher |
| Data subject rights | Identical eight rights: access, rectification, erasure, restriction, portability, object, automated decision-making, withdraw consent | Identical eight rights under the same Articles 15 to 22 |

How do lawful bases work under each regime for B2B prospecting?

This is where most data buyers focus, and the good news is that the frameworks are substantively the same. Under UK GDPR Article 6(1)(f) and EU GDPR Article 6(1)(f), legitimate interests is a valid lawful basis for B2B prospecting to corporate contacts provided you complete a Legitimate Interests Assessment (LIA), weigh your interests against the data subjects' rights, and respect opt-out requests promptly.

The LIA process under both regimes involves the same three-part test: purpose test (is the interest legitimate?), necessity test (is processing necessary for that purpose?), and balancing test (do your interests override the individuals' rights?). The ICO has published guidance on this three-part test, as have several EU DPAs, and the analyses align closely.

For more detail on running an LIA specifically for B2B data sourced in the UK, see our article on legitimate interests as the lawful basis for B2B data under UK GDPR.

One practical difference: if you are prospecting into Germany, you should be aware that German data protection authorities have historically taken a narrower view of legitimate interests for unsolicited B2B email than the ICO has. The substantive law is the same; the enforcement culture is not.

What about B2C data under both regimes?

For consumer data, the key instrument layered on top of both GDPR regimes is the ePrivacy framework. In the UK, that is PECR: consent is required for email and SMS marketing to consumers, full stop. In the EU, the equivalent rules are national implementations of the ePrivacy Directive, which means the standard varies by country. France (CNIL), Spain (AEPD), and Germany (Bundesnetzagentur) all enforce somewhat different thresholds for what constitutes valid consent and what record of that consent must be retained.

SortedIQ's consumer file is a fully opt-in consumer file under UK GDPR and PECR consent, holding over 10 million UK records. It is built for UK campaigns only. If your target audience includes EU consumers, you would need to source a separately consented EU file that complies with the relevant member state's ePrivacy implementation.

What changed after Brexit: the details that matter in practice

The UK adequacy decision

In June 2021, the European Commission granted the UK an adequacy decision under EU GDPR Article 45. This means EU organisations can send personal data to UK recipients without needing to put Standard Contractual Clauses in place. For UK marketers buying data from EU-based suppliers, this is significant: the EU-to-UK transfer flow is covered without additional paperwork.

Adequacy decisions are reviewed periodically. The UK decision was granted for four years, with a review window. Marketers who rely on EU-sourced data should monitor ICO and Commission announcements in case adequacy status changes. The ICO's website at ico.org.uk carries current guidance on transfer mechanisms.

UK-to-EU transfers

Going the other way, if a UK organisation sends personal data to a processor or partner in the EU, the transfer is covered by the EU adequacy decision for the UK. If the destination is outside the EU (say, a US-based CRM platform), the question is which transfer mechanism applies. UK organisations use the International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs. EU organisations in the same scenario use the EU SCCs directly.

In practice, many UK marketers first encounter this when their CRM, email platform, or data management tool is hosted on US servers. The processor agreement with that vendor should reference the IDTA for UK personal data.

The Data Protection Act 2018 and UK-specific provisions

The UK GDPR is supplemented by the Data Protection Act 2018 (DPA 2018), which provides UK-specific provisions including: the exemptions framework (Schedule 2), the conditions for processing special category data (Schedule 1), the age of consent threshold for information society services (set at 13 in the UK, versus 16 as the EU GDPR default), and specific rules around immigration, national security, and journalism.

For most commercial marketers buying consumer or B2B contact data, the DPA 2018 additions are background noise rather than a daily operational concern. The exemptions that matter most are the research and direct marketing exemptions, which mirror the EU GDPR approach closely.

Which regime applies to your campaign?

The answer depends on the location of the data subjects, not the location of your business. Apply this test before sourcing data:

SortedIQ sells UK data only. All records in our B2B and B2C files are UK-resident contacts. If your campaign addresses UK targets, you are working entirely within UK GDPR and PECR. If any part of your campaign targets EU contacts, that portion of the data is outside what we supply and outside the scope of this site.

Practical compliance checklist for UK data buyers

If you are buying UK contact data and running UK campaigns, the compliance steps are entirely within the UK GDPR and PECR framework. There is no need to reference EU SCCs, EU DPAs, or EU adequacy in your documentation. The ICO's accountability framework is the relevant reference.

Key steps to document before a campaign goes live:

Note on the ICO's direct marketing guidance

The ICO published updated direct marketing guidance in 2023 that clarifies the interaction between UK GDPR and PECR for various channels. It is the primary reference for UK marketers and sits alongside the DMA UK's code of practice. Both are available free on their respective websites.

A note on the future of UK data law

The UK government passed the Data (Use and Access) Act 2025, which amends some provisions of the UK GDPR and DPA 2018. Most of the changes are procedural or sector-specific (smart data schemes, data intermediaries, digital verification services) rather than substantive changes to the lawful basis framework. The six Article 6 bases remain intact. The legitimate interests basis for B2B prospecting is unchanged. Marketers should note that the DUA Act introduces a definition of "recognised legitimate interests" for certain specified purposes, which may provide additional certainty for some processing activities over time.

The EU, for its part, is still working on the proposed ePrivacy Regulation, which has been in negotiation since 2017. When finalised, it will replace the ePrivacy Directive and harmonise the national rules that currently differ so much between France, Germany, Spain, and others. Until then, EU campaigns require a country-by-country ePrivacy check.

Frequently asked questions

Is UK GDPR the same as EU GDPR?

UK GDPR is derived from EU GDPR and mirrors its core structure: the same six lawful bases under Article 6, the same eight data subject rights, and the same accountability and documentation requirements. The differences lie in supervisory authority (ICO for UK data, national DPAs for EU data), the adequacy and transfer mechanisms used after Brexit, and a handful of UK-specific adaptations introduced by the Data Protection Act 2018.

Does EU GDPR still apply to UK businesses after Brexit?

EU GDPR applies to any organisation that targets or monitors EU residents, regardless of where the organisation is based. A UK company sending direct mail or email to contacts in Germany or France is processing EU personal data and must comply with EU GDPR (and relevant national ePrivacy rules) for those records. UK GDPR governs the organisation's processing of UK residents' data independently.

What is the UK adequacy decision and does it still stand?

The European Commission granted the UK an adequacy decision in June 2021, meaning personal data can flow freely from the EU to UK organisations without additional safeguards such as Standard Contractual Clauses. Adequacy decisions are reviewed periodically and can be withdrawn. Marketers should monitor ICO guidance for any change to this status.

Which regulator covers UK data buying: the ICO or a European DPA?

UK data buyers are regulated by the Information Commissioner's Office (ICO). European DPAs (such as the CNIL in France or the BfDI in Germany) have no jurisdiction over UK-only data processing. If a UK marketer also processes EU residents' data, the relevant EU DPA may have jurisdiction over that portion of activity.

Do I need separate lawful bases for UK vs EU contacts in the same campaign?

Yes, in practice. The lawful basis assessment under UK GDPR and under EU GDPR follows the same Article 6 framework, so the analysis is similar, but it is applied by different regulators with different enforcement track records and case law. Document your lawful basis for UK contacts under UK GDPR and separately for EU contacts under EU GDPR. For B2B prospecting, legitimate interests under Article 6(1)(f) is available under both regimes, but the national ePrivacy rules layered on top (PECR in the UK, local Directive 2002/58/EC implementations in each EU member state) differ by channel and country.

Does PECR apply to EU data, or only UK data?

The Privacy and Electronic Communications Regulations (PECR) apply to communications directed at UK-based recipients. For EU recipients, the equivalent rules are national implementations of the ePrivacy Directive (Directive 2002/58/EC), which vary by member state. Germany and France are notably stricter than the UK PECR baseline for unsolicited B2B email, for instance. If you are buying data for a cross-border campaign, check the ePrivacy rules for each target country.