EU GDPR vs UK GDPR

Use this comparison to separate grounded EU GDPR duties from UK GDPR transfer facts that appear in the available EU GDPR source folder.

The EU side covers scope, lawful basis, rights, controller and processor accountability, security, DPIAs, records, and transfers. UK-side claims are intentionally source-limited where the folder does not contain UK GDPR or ICO guidance.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

This page is an EU GDPR-first comparison. It states GDPR obligations only where the available EU GDPR grounding sources support them, and it keeps UK GDPR comparator facts narrow: this folder supports UK transfer and adequacy notes, but not a full UK GDPR obligation matrix.

Side-by-side comparison

EU GDPR vs UK GDPR: what is grounded here

Use the EU side as a grounded GDPR obligation map. Use the UK side only for transfer and adequacy comparator points supported by the available EU GDPR grounding folder.

First framework
EU GDPR

The EU column is grounded in the GDPR text and EU-focused guidance for lawful basis, rights, accountability records, DPIAs, security, breach response, transfers, and enforcement.

Second framework
UK GDPR

The UK column is intentionally source-limited. This folder supports UK transfer and adequacy references, but not a complete UK GDPR duties, rights, procedure, or penalty matrix.

Comparison row 1

Scope boundary

EU GDPR

EU GDPR applies to processing of personal data by controllers and processors, including processing in the context of an EU establishment and non-EU offering or monitoring of people in the Union.

UK GDPR

Not fully grounded in this folder. Before relying on UK GDPR scope, add a UK-specific legal source; this page only grounds UK-related transfer references from Commission materials.

Operational implication

Do not treat EU scope and UK scope as automatically identical. Write an EU scope finding now and leave the UK scope finding open until UK-specific sources are attached.

Comparison row 2

Covered actors

EU GDPR

EU GDPR evidence should identify controllers, processors, joint controllers, processor instructions, Article 28 contracts, Article 30 records, DPO involvement where applicable, and the owner responsible for each processing activity.

UK GDPR

Not fully grounded here. If UK GDPR roles are in scope, attach UK-specific role and contract sources before reusing the EU controller or processor conclusion.

Operational implication

One data map can support both workstreams, but each role label and contract obligation needs its own cited source.

Comparison row 3

Trigger

EU GDPR

EU GDPR work should identify the Article 6 lawful basis, provide transparent information, facilitate rights under Articles 15 to 22, and keep logs showing how requests were received, verified, answered, or refused.

UK GDPR

Not grounded here beyond the fact that UK transfer material exists in Commission sources. Do not infer UK rights clocks, exemptions, or ICO handling procedures from this EU folder.

Operational implication

Reuse request tooling only after each jurisdiction has its own rights source, response clock, exception analysis, and escalation path.

Comparison row 4

Core obligations

EU GDPR

EU GDPR work should tie Article 32 security measures to the processing risk, run a DPIA where processing is likely to create high risk, retain residual-risk and consultation decisions, and record personal-data-breach assessments.

UK GDPR

Not fully grounded here. Do not infer UK breach notification procedures, DPIA consultation steps, or authority-specific forms from these EU sources.

Operational implication

Security controls may be shared operationally, but DPIA, breach, and authority-contact records should show which jurisdictional source they satisfy.

Comparison row 5

Evidence record

EU GDPR

EU GDPR evidence can include the scope memo, lawful-basis analysis, rights log, RoPA, processor contract, DPIA, Article 32 security record, breach assessment, transfer file, and supervisory-authority correspondence.

UK GDPR

Reuse is not blocked, but it is not self-proving. UK reuse needs UK-specific source labels unless the evidence concerns the limited Commission-grounded transfer facts on this page.

Operational implication

Keep shared evidence operationally reusable and legally labelled. If a UK source is missing, mark the item as EU-grounded only.

Comparison row 6

Timing and deadlines

EU GDPR

EU GDPR transfer planning should start with Chapter V: adequacy decisions, SCCs or other safeguards, transfer impact assessment where SCCs are used, supplementary measures where needed, and evidence that the mechanism matches the data flow.

UK GDPR

Grounded only for transfer comparison: Commission materials list the United Kingdom in adequacy materials and mention UK endorsement of EU SCCs with limited domestic adaptations.

Operational implication

Treat UK transfer notes as a comparator input, not as a complete UK transfer legal opinion. Keep adequacy, SCC, TIA, and supplementary-measure files separate by jurisdiction.

Comparison row 7

Enforcement

EU GDPR

EU GDPR supervisory authorities have corrective powers and administrative fines. The GDPR text sets EU fine tiers of up to EUR 10,000,000 or 2 percent of worldwide annual turnover, and up to EUR 20,000,000 or 4 percent, depending on the infringement.

UK GDPR

Not grounded here. This folder does not support UK authority procedures, UK penalty levels, or UK national variants.

Operational implication

Escalate EU GDPR enforcement exposure from the GDPR text. Leave UK enforcement exposure blocked until a UK-specific source is added.

Comparison row 8

Overlap and reuse

EU GDPR

EU and UK teams can often reuse the same operational artifacts, but each artifact still needs a separate legal label. A RoPA, DPIA, transfer file, or breach log can travel across workstreams only if the supporting source is clear.

UK GDPR

For UK reuse, record the Commission adequacy or SCC reference only when the item is actually about transfer or adequacy. Do not stretch those sources to cover unrelated UK scope or rights questions.

Operational implication

Shared workflows are fine; shared citations are not. Reuse the same document, but keep the jurisdiction tag and supporting source attached to each conclusion.

Practical decision rule

How should teams decide whether one evidence pack is enough?

  • Use one shared evidence pack only when each item has a source label for every jurisdiction it supports.
  • For EU GDPR, label scope, lawful basis, rights, RoPA, DPIA, security, breach, transfer, and enforcement evidence from the cited EU sources.
  • For UK GDPR, reuse only transfer and adequacy points grounded in the Commission sources on this page unless a UK-specific source has been added.
  • Mark UK scope, rights, authority procedure, national derogation, breach process, and penalty claims as blocked until UK-specific grounding exists.

Section 1

How to use this comparison

Start with the EU GDPR fact pattern: whether personal data is processed, which controller or processor is responsible, which lawful basis applies, which rights can be exercised, whether Article 30 records are required, whether a DPIA or security review is needed, and whether Chapter V transfer rules apply.

For UK GDPR, do not copy EU conclusions into a UK workstream from this page alone. The available EU GDPR folder grounds UK-related transfer points through European Commission adequacy and SCC materials, but it does not include a standalone UK GDPR text or ICO guidance source.

  • Use the EU column as the primary obligation checklist.
  • Use the UK column only for comparator facts explicitly supported by the cited Commission transfer sources.
  • Keep separate evidence labels when the same RoPA, DPIA, transfer file, contract, or security record is reused across jurisdictions.
  • Add a UK-specific source review before making UK scope, rights, enforcement, penalty, or authority-process decisions.

Section 2

Evidence records to keep separate

The most useful output is not a generic statement that the regimes are similar. It is a labelled evidence pack showing which source supports each conclusion.

For EU GDPR, keep the Article 6 lawful-basis analysis, privacy notice basis, rights workflow, RoPA, processor terms, DPIA or no-DPIA rationale, Article 32 security measures, breach assessment, transfer mechanism, and supervisory-authority response history as distinct records.

  • Record the processing purpose, data categories, data subjects, recipients, transfers, erasure timing, and security measures in the RoPA.
  • Keep consent evidence only where consent is actually the chosen lawful basis; otherwise record the selected Article 6 basis and why it fits.
  • Keep DPIA scoping, risk assessment, mitigation decisions, residual risk approvals, and consultation decisions together.
  • For transfers, keep the adequacy, SCC, transfer impact assessment, supplementary-measures, and importer-notification evidence separate from general vendor due diligence.

Section 3

Where the UK comparison is source-limited

The available grounding folder supports only narrow UK comparator facts: the European Commission adequacy page lists the United Kingdom under GDPR adequacy materials, and the Commission SCC page says some jurisdictions, including the United Kingdom, have endorsed EU SCCs as a transfer mechanism with limited domestic adaptations.

Do not infer UK GDPR lawful bases, data-subject-rights clocks, controller/processor wording, ICO procedures, national derogations, or UK penalty variants from those EU transfer sources. Those facts need UK-specific grounding before publication or customer advice.

  • Supported UK comparator fact: EU transfer planning may need to consider Commission adequacy material for the United Kingdom.
  • Supported UK comparator fact: Commission SCC guidance mentions the United Kingdom in relation to EU SCC endorsement and national transfer clauses.
  • Unsupported in this folder: a full UK GDPR scope test, UK rights workflow, ICO enforcement route, UK breach procedure, UK penalty variants, or UK national derogations.

Section 4

Accountability checks before relying on one evidence pack

A shared privacy evidence pack is useful only if it preserves the source for each claim. EU GDPR accountability evidence should show the controller decision, processor instructions, lawful basis, rights handling, Article 30 records, security measures, DPIA outcome, breach assessment, and transfer mechanism.

Where a record is reused for UK GDPR work, label the UK source that supports the reuse. If that source is missing, mark the record as EU-grounded only and queue a UK-specific review.

  • Name the controller, joint controller, or processor role for each processing activity.
  • Attach the Article 6 lawful basis and the evidence that supports it.
  • Show how data-subject rights requests are received, identified, routed, answered, and logged.
  • Keep Article 32 security measures and breach assessments tied to the specific processing activity.
  • For transfers, record whether adequacy, SCCs, or another Chapter V mechanism is being used.

Primary sources

References and citations

commission.europa.eu
Referenced sections
  • Does not ground UK enforcement or penalties; included to show the only UK-related source available in this folder.
"United Kingdom"

eur-lex.europa.eu
Referenced sections
  • Grounds the EU GDPR evidence categories used in the decision rule.
"demonstrate compliance"