What changes when you operate under both UK GDPR and EU GDPR simultaneously — most businesses do not realise they are two separate regimes
- Chander Srivastava
- Jun 9
- 1 min read

A colleague recently asked me — "We're GDPR compliant, so we're covered for the UK too, right?"
Not quite.
This is one of the most common misconceptions I encounter when working with F&B, restaurant, cafe, hospitality, and higher education businesses operating across borders. Since Brexit, UK GDPR and EU GDPR are two separate regimes. Same origins, yes — but they are diverging and enforced by different authorities with different expectations.
If your business processes personal data of UK individuals, UK GDPR applies. If it processes personal data of EU individuals, EU GDPR applies. If it touches both — both apply. Simultaneously. With separate obligations, separate breach notification timelines, and separate enforcement bodies.
I have seen businesses spend significant time and money becoming EU GDPR compliant, only to discover they have a separate gap on the UK side. Or vice versa.
The good news — it is fixable without starting from scratch.
Map where your data originates. Separate your UK and EU obligations. Align your privacy notices, consent mechanisms, and breach response to satisfy both independently. If data moves between the UK and the EU, ensure you have a lawful transfer mechanism covering both directions.
One coherent compliance programme can cover both regimes.
Most businesses just have not built it that way yet.
Comments