What is the difference between UK GDPR and EU GDPR?

UK GDPR is the EU GDPR retained in UK law post-Brexit, with minor textual amendments. The disclosure requirements are functionally identical. The differences: ICO is the supervisory authority (not an EU DPA), the Data Protection Act 2018 supplements UK GDPR, and children's consent age is 13 (not 16). Most compliance work is the same as EU GDPR.

Do I need a separate UK privacy policy?

Not necessarily — most businesses serving both EU and UK users have a single policy that references both. The policy needs to mention the ICO alongside any EU supervisory authority and reference both UK GDPR and EU GDPR. A separate UK-only policy is overkill for most.

Does Brexit change anything for my privacy policy?

For most businesses, no major change. The EU recognized the UK as adequate in 2021 (under review for renewal) so EU → UK transfers continue without additional safeguards. The main change: businesses serving UK users should reference the ICO and DPA 2018 alongside the EU GDPR references.

Home / Privacy Policy / UK GDPR Privacy Policy Generator

UK GDPR Privacy Policy Generator

A UK-specific privacy policy that satisfies the Data Protection Act 2018 and the UK GDPR — not just an EU GDPR template with the country swapped.

Generate my UK privacy policy → Free preview · No signup · 2 minutes

ICO named as the complaint authority (UK-specific)
Data Protection Act 2018 referenced alongside UK GDPR
Post-Brexit EEA transfer mechanism addressed

UK GDPR is functionally identical to EU GDPR but has its own statute (the Data Protection Act 2018) and its own supervisory authority (the ICO, not an EU DPA). A "UK GDPR compliant" privacy policy has to name the ICO as the complaint authority (not "a supervisory authority"), reference the DPA 2018 alongside UK GDPR, and address the post-Brexit transfer mechanism if you transfer data to / from the EEA. EU-templated policies often fail on these three points. This page generates a policy with the UK-specific particulars correct.

What UK GDPR requires

Disclosures grounded in the actual statutory text.

UK GDPR Articles 13 / 14 disclosures

Same disclosure list as EU GDPR — identity, purposes, lawful basis under Art. 6, recipients, transfer safeguards, retention, data-subject rights, complaint right. Functionally identical to EU GDPR with UK-specific authority references.

ICO as complaint authority

The right to lodge a complaint must name the Information Commissioner's Office (ICO) — not "an EU supervisory authority". UK residents complain to the ICO; the address (Wycliffe House, Wilmslow) and helpline (0303 123 1113) are standard inclusions.

Data Protection Act 2018

The DPA 2018 supplements UK GDPR with UK-specific provisions (special categories, criminal-conviction data, children's consent age = 13 not 16). Reference it alongside UK GDPR.

Transfer mechanism post-Brexit

EU → UK transfers: covered by the EU's 2021 adequacy decision (review pending). UK → EU transfers: covered by UK's recognition of EU adequacy. UK → US: SCCs or the UK extension to the EU-US Data Privacy Framework.

Children's consent age

UK DPA 2018 sets the children's consent age at 13 (versus 16 in many EU member states). Policies covering UK users should reflect this.

Common mistakes

Where UK GDPR templates usually go wrong.

EU template applied unchanged

A policy that says "complaint to your local supervisory authority" without naming the ICO. UK residents need to know which authority to go to.
No DPA 2018 reference

UK GDPR has to be read with the DPA 2018 — the statute that gives it legal effect in UK law. EU-only templates skip the DPA reference.
Wrong children's consent age

EU templates often use 16; UK uses 13. Worth getting right if you have any users under 16 in the UK.

Ready to generate your UK GDPR privacy policy?

A 2-minute wizard with the UK GDPR jurisdiction pre-selected. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.

Generate my UK privacy policy →

FAQ