# [GDPR after Brexit](https://www.cookiebot.com/en/gdpr-brexit/)
**The General Data Protection Regulation (GDPR) and Data Protection Act 2018 affect how you as a website owner must obtain and store cookie consents from your visitors from the UK & EU.**
· [Try Cookiebot CMP free for 14 days… or forever if you have a small website](https://admin.cookiebot.com/signup)

---
## GDPR and Brexit - 2021 update

On January 1, 2021, the United Kingdom formally and effectively left the European Union.

Although the UK is now “a third country” under the EU’s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in December 2020 secures [an interim period of six months](https://www.cookiebot.com/en/gdpr-brexit/) of unrestricted data flow between the two blocs.

On June 28, 2021, the EU adopted [an adequacy decision for the UK](https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en/), ensuring the free flow of personal data between the two blocs for a four-year period (until June 2025).

For UK websites, companies and organizations processing personal data from individuals inside the EU, this UK adequacy decision means unrestricted business-as-usual for the next four years.

After June 2025, the EU will have to engage in a new adequacy process to determine whether the UK still ensures an equivalent level of data protection for the adequacy decision to be renewed.

## Compliance with GDPR after Brexit

[Our consent management platform (CMP)](https://www.cookiebot.com/) is a world-leading solution for achieving full data privacy compliance on your website.

With a powerful scanner that detects all cookies, trackers and trojan horses on your domain and maps exactly where in the world you send data to, [Cookiebot CMP](https://www.cookiebot.com/) takes the hard and difficult part out of privacy protection and compliance.

[Cookiebot CMP](https://www.cookiebot.com/) offers plug-and-play compliance with the [EU’s GDPR](https://www.cookiebot.com/en/gdpr/), [UK-GDPR](https://www.cookiebot.com/en/uk-gdpr/), [California’s CCPA/CPRA](https://www.cookiebot.com/en/ccpa/), [South Africa’s POPIA](https://www.cookiebot.com/en/popia/), [Brazil’s LGPD](https://www.cookiebot.com/en/lgpd/), [Singapore’s PDPA](https://www.cookiebot.com/en/singapore-pdpa/) and many other data privacy laws.

---
## Reminder: what is the GDPR?

The European regulation known as **GDPR (General Data Protection Regulation)** is a law in all EU member states that **govern the protection of personal data** and the ways it is allowed to be collected and processed by websites, companies, organizations and more.

**GDPR** has extraterritorial scope, which means that no matter where in the world your company and website is located, it has to comply with the GDPR if it has visitors from inside the European Union.

**GDPR** sets up a data protection regime in the EU that requires companies and websites (known as “controllers” and “processors” in the law) to have a legal basis in order to process the personal data of individuals (“data subjects”) inside the EU.

The most common legal basis for processing is prior consent – this means that in order to collect and process personal data of an individual in the EU, websites must obtain their consent to do so before any collection or processing can take place.

## GDPR after Brexit in the UK

The European Withdrawal Agreement signed by the UK and EU includes specific provisions on the processing of personal data and the flow of information between the UK and EU.

In particular, **Articles 70-73** of the Agreement state that the UK *“shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.”*

Ensuring an EU equivalent level of personal data protection is very important for the UK, as it is the only way to be **deemed** **adequate** by the EU and thus ensure the free, uninhibited flow of data between the two countries.

### Brexit, GDPR and the DPPEC regulations

The GDPR/Brexit changes made to UK data privacy law are all contained in the government’s *[Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019](https://www.legislation.gov.uk/ukdsi/2019/9780111177594/contents/)*, also known as the DPPEC regulations.

The **DPPEC regulations** do two major things:

1. create a whole "new" domestic law known as UK-GDPR.
2. revise the Data Protection Act 2018.

### The amended Data Protection Act 2018

The [new and amended Data Protection Act 2018](https://www.cookiebot.com/en/data-protection-act-2018/) also took effect on January 31, 2020.

The [DPA2018](https://www.cookiebot.com/en/data-protection-act-2018/) will no longer rely on the EU GDPR, but on the [UK-GDPR](https://www.cookiebot.com/en/uk-gdpr/) instead. It will instead refer to the new domestic GDPR after Brexit.

### Brexit and GDPR in short

Here’s a short recap of what happened on January 1, 2021:

- Six months interim period secures free personal data flow between UK and EU.
- The new UK-GDPR is in effect.
- An amended version of the Data Protection Act 2018 is in effect.

## GDPR, Brexit and your website

What does all of this Brexit and GDPR stuff ultimately mean for you and your website and its use of cookies and similar tracking technology?

It means that **until June 2021**, the interim provision allows unrestricted personal data flow between UK and EU.

Your website will need to comply with the GDPR (both UK and EU versions) just as before, but no additional measures need to be taken when processing personal data from the EU:

You still need the **prior consent** of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.

## Frequently asked questions

Will the GDPR apply in UK after Brexit? 

If your website processes personal data from users inside the EU, you are required to comply with the EU’s GDPR, even if your website is located and operated from inside the UK after Brexit. The UK-GDPR applies domestically in the UK and requires the same data protection and consent from your users as the EU’s.

What is the UK-GDPR? 

The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s domestic data privacy law that replaces the EU’s GDPR after Brexit. The UK-GDPR is essentially the same law as the EU’s GDPR only changed to accommodate domestic areas of law. The UK-GDPR will regulate personal data and require the same legal bases for processing of personal data.

What is the Data Protection Act? 

The Data Protection Act 2018 (DPA2018) is a domestic law governing the use of personal data and flow of information in the UK. Together with the UK-GDPR it forms the legal regime of data privacy in the United Kingdom. The DPA also governs data processing for law enforcement authorities and intelligence services.

How can websites be compliant with the UK-GDPR? 

Your website is required to obtain the prior consent from users before processing any of their personal data. To ensure compliance on your website, a consent management platform scans and detects all cookies and trackers in operation, then keeps them deactivated until your users have given their consent.

## Resources

[What is the EU's GDPR?](https://www.cookiebot.com/en/gdpr/)
[What is the UK-GDPR?](https://www.cookiebot.com/en/uk-gdpr/)
[What is the Data Protection Act 2018?](https://www.cookiebot.com/en/data-protection-act-2018/)
[UK adequacy decision from June 2021](https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en/)
[ICO’s consultation on data transfers to and from the U.K. from August 2021](https://iapp.org/news/a/faqs-for-uk-icos-data-transfer-consultation-including-approach-to-eu-sccs/)
[EPRS report on EU-UK private-sector data flows (pdf)](https://www.europarl.europa.eu/RegData/etudes/IDAN/2021/690536/EPRS_IDA(2021)690536_EN.pdf)
[See IAPP's comprehensive Brexit privacy checklist](https://iapp.org/media/pdf/resource_center/brexit_privacy_checklist.pdf)
[The DPPEC regulations](https://www.legislation.gov.uk/ukdsi/2019/9780111177594/contents/)
[Keeling Schedule for the new UK-GDPR](https://www.gov.uk/government/publications/data-protection-law-eu-exit/)
[Keeling Schedule for the amended Data Protection Act 2018](https://www.gov.uk/government/publications/data-protection-law-eu-exit/)
[The Information Commissioner’s Office (ICO)](https://ico.org.uk/)
*Used by: Evalian*

---

## Product
[Cookiebot™ Consent Solution](https://www.cookiebot.com/en/cookie-consent-solution/) · [Usercentrics for Wix](https://www.cookiebot.com/en/cookiebot-for-wix-by-usercentrics-app/) · [WordPress Plugin](https://www.cookiebot.com/en/new-wp-cookie-plugin/) · [Pricing](https://www.cookiebot.com/en/pricing/)

## Regulations
[DMA (EU)](https://www.cookiebot.com/en/digital-markets-act-dma/) · [GDPR (EU)](https://www.cookiebot.com/en/gdpr/) · [CCPA (California)](https://www.cookiebot.com/en/what-is-ccpa/) · [VCDPA (Virginia)](https://www.cookiebot.com/en/virginia-vcdpa/) · [LGPD (Brazil)](https://www.cookiebot.com/en/lgpd/) · [TCF v2.3 (IAB)](https://www.cookiebot.com/en/tcf/) · [Google Consent Mode](https://www.cookiebot.com/en/cookiebot-cmp-google-consent-mode/) · [Microsoft UET Consent Mode](https://www.cookiebot.com/en/microsoft-consent-mode-cmp/)

## Partners
[Become an affiliate](https://www.cookiebot.com/en/affiliates/) · [Become a partner](https://www.cookiebot.com/en/resellers/) · [Find a partner](https://www.cookiebot.com/en/cookiebot-reseller/)

## Resources
[Blog](https://www.cookiebot.com/en/blog/) · [Digital Markets Act Hub](https://www.cookiebot.com/en/digital-markets-act-dma-resources/) · [Google Consent Mode Hub](https://www.cookiebot.com/en/google-consent-mode-resources/) · [Google Consent Mode V2 Certification](https://courses.usercentrics.com/course/google-consent-mode-v2) · [Google Consent Audit Fixes](https://www.cookiebot.com/en/google-consent-audit-fixes/) · [Developer documentation](https://www.cookiebot.com/en/developer/) · [Cookiebot vs CookieYes](https://www.cookiebot.com/en/cookiebot-best-cookieyes-alternative/) · [Cookiebot vs OneTrust](https://www.cookiebot.com/en/onetrust-alternative/) · [Cookie Banner Cost Calculator](https://www.cookiebot.com/en/cookie-banner-pricing-calculator/)

## Company
[About us](https://www.cookiebot.com/en/about/) · [Careers](https://usercentrics.com/career/) · [Support](https://support.cookiebot.com/hc/en-us/)

---
[Privacy Policy](https://www.cookiebot.com/en/privacy-policy/) · [Terms of Service](https://www.cookiebot.com/en/terms-of-service/) · [Cookie Declaration](https://www.cookiebot.com/en/cookie-declaration/) · [Data Processing Agreement](https://www.cookiebot.com/en/data-processing-agreement/)

©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)