UK GDPR
Following Brexit, the UK retained GDPR through the European Union (Withdrawal) Act, creating ‘UK GDPR’. Combined with the Data Protection Act 2018, this forms UK data protection law. UK GDPR mirrors EU GDPR with modifications: references to EU institutions replaced with UK equivalents, the ICO as supervisory authority, and national security exemptions reflecting UK law. The EU granted the UK adequacy status in 2021, allowing data to flow freely between EU/EEA and UK without additional safeguards. However, this adequacy is reviewed periodically and could be revoked if UK law diverges significantly from EU standards. The tension between UK GDPR’s protections and the broad surveillance powers under the Investigatory Powers Act remains a concern for EU adequacy assessments.