UK GDPR vs EU GDPR: The Technical Differences That Actually Matter
Since Brexit, dual-regulated organisations - those with UK and EU operations - have needed to navigate the divergence between the two GDPR regimes. Most guidance focuses on legal differences. This article focuses on the technical differences that affect how you configure your Microsoft 365 tenant.
The Adequacy Decision: Status and Implications
The European Commission's adequacy decision for the UK was adopted on 28 June 2021 with a four-year sunset clause, the first such clause in any adequacy decision. Rather than being allowed to lapse in 2025 it was extended and then renewed, so as of early 2026 personal data can still flow from the EU to the UK without additional safeguards. That is not guaranteed to persist: the renewed decision again carries an expiry and a review mechanism, and any UK legislative divergence that undermines "essentially equivalent" protection can trigger a review, amendment or suspension.
Technical implication: if you run a single M365 tenant serving both UK and EU users, you do not currently need separate data residency configurations solely to satisfy adequacy. You should still architect for the possibility. The recommended approach is Microsoft 365 Multi-Geo (an add-on licence covering Exchange Online, OneDrive, SharePoint and Teams, with a minimum seat requirement that decides whether it is available to you at all) for any organisation with more than 500 EU-based users, setting each EU user's Preferred Data Location (PDL) so their data is provisioned in EU datacentres. This is insurance: if adequacy lapses, data residency is already sorted. The following check shows where you stand today; users with no PDL sit in the tenant's central location, so they are counted as well.
```powershell
# Check current M365 data location assignments
# Users with no PDL live in the tenant's central location, so count them too
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -All -Property UserPrincipalName, PreferredDataLocation |
    Group-Object { if ($_.PreferredDataLocation) { $_.PreferredDataLocation } else { '(central)' } } |
    Select-Object Name, Count
```
International Transfer Mechanisms: UK IDTA vs EU SCCs
This is where the regimes have diverged most significantly in practical terms.
EU Standard Contractual Clauses (SCCs): the Commission adopted new modular SCCs on 4 June 2021 (Implementing Decision (EU) 2021/914). Following Schrems II, Clause 14 obliges the parties to carry out and document a Transfer Impact Assessment (TIA) covering the legal framework of the recipient country and any supplementary technical measures (encryption with keys held outside the recipient's reach, pseudonymisation before export, and so on).
UK International Data Transfer Agreement (IDTA): the ICO's IDTA and the UK Addendum to the EU SCCs came into force on 21 March 2022, and transfers still relying on the old EU SCCs had to be migrated by 21 March 2024. The IDTA is a standalone document, simpler than the EU SCCs but structurally different; the UK Addendum lets you bolt UK compliance onto EU SCCs you already have in place. Both expect a UK transfer risk assessment, the UK analogue of the TIA.
Technical implication for M365: Microsoft's Data Protection Addendum (DPA) incorporates the EU SCCs and UK-approved transfer terms for the data Microsoft processes, so the Microsoft leg is covered by contract; confirm in the current DPA whether that is the IDTA or the UK Addendum and record it. If you are a controller transferring data to sub-processors outside Microsoft's ecosystem (marketing platforms, analytics vendors, offshore support), you have to track which mechanism covers each transfer yourself.
A data flow register should be maintained in a SharePoint list with these columns:
- Data category
- Source jurisdiction (UK/EU/Both)
- Destination jurisdiction
- Transfer mechanism (Adequacy/SCCs/IDTA/UK Addendum)
- Supplementary technical measures applied
- TIA completion date
- Review date
Expect this register to be among the first documents requested in an ICO or EU DPA investigation, and keep the TIA or transfer risk assessment itself linked from each row rather than just its date.
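The register is only useful if someone checks that each row actually has a mechanism that fits its source and destination. The following is an added example, not code from the original article: it runs a simplified rule set over constructed register rows. The column names, the adequacy lists and the rules are illustrative assumptions; maintain the adequacy lists from the European Commission and UK government pages and treat the rules as a starting point for your own.

```powershell
# Added example (not from the original article): validates rows of the data
# flow register against a simplified rule set. Column names, adequacy lists
# and rules are illustrative assumptions, not legal advice.

# Illustrative adequacy lists. 'US' is treated as non-adequate here; a recipient
# certified under the EU-US Data Privacy Framework or the UK-US data bridge
# would be recorded under a distinct destination tag.
$EuAdequateDestinations = @('UK', 'CH', 'JP', 'KR', 'CA', 'NZ', 'IL')
$UkAdequateDestinations = @('EU', 'CH', 'JP', 'KR', 'CA', 'NZ', 'IL')

function Test-TransferRow {
    param([Parameter(Mandatory)][hashtable]$Row)

    $findings = [System.Collections.Generic.List[string]]::new()
    # A 'Both' source is two transfers with two legal regimes, so test each leg.
    $legs = if ($Row.Source -eq 'Both') { @('UK', 'EU') } else { @($Row.Source) }

    foreach ($leg in $legs) {
        if ($Row.Destination -eq $leg) { continue }   # domestic processing, no transfer

        switch ($leg) {
            'EU' {
                if ($Row.Destination -in $EuAdequateDestinations) {
                    if ('Adequacy' -notin $Row.Mechanism) { $findings.Add('EU leg: record reliance on the adequacy decision') }
                }
                elseif ('SCCs' -notin $Row.Mechanism) { $findings.Add('EU leg: SCCs required for a non-adequate destination') }
                elseif (-not $Row.TiaDate) { $findings.Add('EU leg: SCCs in place but no TIA completion date') }
            }
            'UK' {
                if ($Row.Destination -in $UkAdequateDestinations) {
                    if ('Adequacy' -notin $Row.Mechanism) { $findings.Add('UK leg: record reliance on UK adequacy regulations') }
                }
                elseif (-not (($Row.Mechanism -contains 'IDTA') -or ($Row.Mechanism -contains 'UK Addendum'))) {
                    $findings.Add('UK leg: IDTA or UK Addendum required for a non-adequate destination')
                }
                elseif (-not $Row.TiaDate) { $findings.Add('UK leg: transfer risk assessment date missing') }
            }
        }
    }

    if ($Row.ReviewDate -and ([datetime]$Row.ReviewDate) -lt (Get-Date)) {
        $findings.Add("Review overdue since $($Row.ReviewDate)")
    }

    [PSCustomObject]@{
        DataCategory = $Row.DataCategory
        Source       = $Row.Source
        Destination  = $Row.Destination
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

# Constructed sample rows; in production read them with Get-PnPListItem.
$register = @(
    @{ DataCategory = 'HR records';      Source = 'UK';   Destination = 'EU'; Mechanism = @('Adequacy');    TiaDate = $null;        ReviewDate = '2030-01-01' }
    @{ DataCategory = 'CRM export';      Source = 'EU';   Destination = 'US'; Mechanism = @('SCCs');        TiaDate = '2024-11-01'; ReviewDate = '2025-01-01' }
    @{ DataCategory = 'Support tickets'; Source = 'Both'; Destination = 'IN'; Mechanism = @('SCCs');        TiaDate = '2025-03-01'; ReviewDate = '2030-01-01' }   # only SCCs listed for a transfer with a UK leg
    @{ DataCategory = 'Web analytics';   Source = 'UK';   Destination = 'US'; Mechanism = @('UK Addendum'); TiaDate = $null;        ReviewDate = '2030-01-01' }   # mechanism but no assessment date
)

$register | ForEach-Object { Test-TransferRow -Row $_ } | Format-Table -AutoSize -Wrap
```

Run it on a schedule against the SharePoint list and route the non-compliant rows to the privacy team. The one design point worth copying is the treatment of Source = Both as two legs: a single mechanism column cannot satisfy both regimes for a non-adequate destination, and that is exactly the gap an investigator will look for.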
Data Residency: Configuring for Dual Regulation
For dual-regulated firms, M365 should be configured as follows:
Exchange Online:
- UK mailboxes: Preferred Data Location (PDL) set to GBR
- EU mailboxes: PDL set to EUR, or a specific satellite geo (DEU, FRA, and so on) where one exists
- Set the PDL before the mailbox is provisioned so it is created in the right geo; changing it later triggers a mailbox move, not an instant relocation
- Verify with:
Get-Mailbox -Identity user@domain.com | Select-Object MailboxRegion
SharePoint Online:
- Create separate geo-located site collections for UK and EU team content; a site's geo is fixed by where it was created (or moved to with Start-SPOSiteContentMove), not by who uses it
- Apply Purview container (site) sensitivity labels to restrict external sharing and unmanaged-device access on those sites; labels govern sharing, not geography, so they complement the geo placement rather than replace it
- Important: OneDrive for Business follows the user's PDL. If a UK employee moves to an EU office, update their PDL, start the OneDrive move (Start-SPOUserAndContentMove) and track it with Get-SPOUserAndContentMoveState rather than assuming it has happened
Teams:
- Teams chat data follows the user's mailbox location
- Teams files are stored in the associated SharePoint site; ensure the site is in the correct geo
- Meeting recordings now go to OneDrive (non-channel meetings, the recorder's OneDrive) or SharePoint (channel meetings, the channel's site) rather than Stream Classic, so a recording's residency follows whoever recorded it or whichever channel hosted it; verify that this matches the requirement
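The configuration above drifts: HR moves people, PDLs get set late, mailbox moves stall. The following is an added example, not code from the original article. It compares each user's declared jurisdiction with where Microsoft 365 actually holds their data and emits the remediation command for any drift. Assumptions: HR supplies a UPN-to-jurisdiction mapping, Multi-Geo is licensed with GBR and EUR geos, and GBR is the tenant's central location. The cmdlets in Get-LiveResidencyRecords are real Graph and Exchange Online cmdlets; the sample records are constructed so the check runs without a tenant.

```powershell
# Added example (not from the original article): residency drift check.
# Assumptions: HR mapping of UPN -> jurisdiction, Multi-Geo with GBR (central)
# and EUR geos. Sample records below are constructed.

$ExpectedGeo = @{ 'UK' = 'GBR'; 'EU' = 'EUR' }
$CentralGeo  = 'GBR'   # mailboxes in the central geo may report an empty MailboxRegion

function Get-LiveResidencyRecords {
    # Requires Connect-MgGraph -Scopes User.Read.All and Connect-ExchangeOnline.
    Get-MgUser -All -Property UserPrincipalName, PreferredDataLocation | ForEach-Object {
        $mbx = Get-Mailbox -Identity $_.UserPrincipalName -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            UPN           = $_.UserPrincipalName
            PDL           = $_.PreferredDataLocation
            MailboxRegion = $mbx.MailboxRegion
        }
    }
}

function Get-ResidencyDrift {
    param(
        [Parameter(Mandatory)][hashtable]$Jurisdiction,  # UPN -> 'UK' or 'EU'
        [Parameter(Mandatory)][object[]]$Records         # output of Get-LiveResidencyRecords
    )
    foreach ($r in $Records) {
        $jur    = $Jurisdiction[$r.UPN]
        $want   = if ($jur) { $ExpectedGeo[$jur] } else { $null }
        $region = if ($r.MailboxRegion) { $r.MailboxRegion } else { $CentralGeo }
        $issues = @()
        $fix    = @()

        if (-not $want) {
            $issues += 'no jurisdiction on file; data stays in the central geo'
        }
        elseif ($r.PDL -ne $want) {
            $issues += "PDL is '$($r.PDL)', expected $want"
            # Setting the PDL triggers the Exchange mailbox move automatically;
            # the OneDrive move is requested explicitly and tracked separately.
            $fix += "Update-MgUser -UserId $($r.UPN) -PreferredDataLocation $want"
            $fix += "Start-SPOUserAndContentMove -UserPrincipalName $($r.UPN) -DestinationDataLocation $want"
        }
        elseif ($region -ne $want) {
            # PDL is right but the mailbox has not caught up: a move in flight or stalled
            $issues += "mailbox still in $region; inspect with Get-MoveRequest"
        }

        [PSCustomObject]@{
            UPN          = $r.UPN
            Jurisdiction = $jur
            PDL          = $r.PDL
            Mailbox      = $region
            Drift        = ($issues.Count -gt 0)
            Issues       = ($issues -join '; ')
            Remediation  = ($fix -join "`n")
        }
    }
}

# Constructed sample data standing in for Get-LiveResidencyRecords output.
$hrMap = @{
    'alice@contoso.com' = 'UK'
    'bob@contoso.com'   = 'EU'
    'carol@contoso.com' = 'EU'
}
$sample = @(
    [PSCustomObject]@{ UPN = 'alice@contoso.com'; PDL = 'GBR'; MailboxRegion = 'GBR' }   # UK user in GBR
    [PSCustomObject]@{ UPN = 'bob@contoso.com';   PDL = $null; MailboxRegion = $null }   # EU user whose PDL was never set
    [PSCustomObject]@{ UPN = 'carol@contoso.com'; PDL = 'EUR'; MailboxRegion = 'GBR' }   # PDL set, mailbox not yet moved
    [PSCustomObject]@{ UPN = 'dave@contoso.com';  PDL = $null; MailboxRegion = $null }   # absent from the HR mapping
)

Get-ResidencyDrift -Jurisdiction $hrMap -Records $sample | Format-List
# Against the real tenant:
# Get-ResidencyDrift -Jurisdiction $hrMap -Records (Get-LiveResidencyRecords)
```

The Remediation column is deliberately text rather than an executed command: a PDL change moves a mailbox and a OneDrive, which is a user-visible operation you want a human to approve. Users missing from the HR mapping are the most common real-world finding and the least interesting technically; they are the contractors and service accounts nobody assigned a jurisdiction to.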
Age of Digital Consent
EU GDPR Article 8: the default age at which a child can consent to information society services is 16, and member states may lower it to 13; in practice Germany, Ireland and the Netherlands keep 16, France uses 15, and Austria, Italy and Spain use 14. UK GDPR: the UK set the age at 13 through section 9 of the Data Protection Act 2018.
Technical implication: if you operate consumer-facing services authenticated through Azure AD B2C (now sold under the Microsoft Entra External ID umbrella) or Entra External ID for customers, your age-gating logic must apply different thresholds depending on the user's jurisdiction. In B2C that sits in a custom policy (Identity Experience Framework) or an API connector on the sign-up user flow; in External ID for customers it is a custom authentication extension. Either way the decision logic is the same:
- UK users (from a country claim, with IP geolocation only as a weak fallback): consent gate at 13
- EU users: consent gate at 16, or the member state's lower age where one applies
- Unknown jurisdiction: fail closed to 16
This requires a date-of-birth custom attribute in the directory, a trustworthy source for the country claim (IP geolocation alone is defeated by any VPN and is no basis for a legal threshold), and conditional logic in the flow. The gate decides whether consent must come from the holder of parental responsibility; it does not, by itself, verify that consent.
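The decision logic, as an added example that is not code from the original article. It is written as the function a PowerShell Azure Function behind a B2C API connector would call, returning the connector's response contract (version, action, userMessage). Assumptions: the sign-up flow supplies an ISO 3166-1 alpha-2 country claim and a date of birth, and the member-state table is a partial, illustrative subset that must be verified against national law before use.

```powershell
# Added example (not from the original article): per-jurisdiction age gate
# for a B2C API connector. The member-state table is illustrative and partial.

$DigitalConsentAge = @{
    'GB' = 13                                              # Data Protection Act 2018, s.9
    'DE' = 16; 'IE' = 16; 'NL' = 16; 'FR' = 15; 'AT' = 14; 'ES' = 14; 'IT' = 14
}
$DefaultEuAge = 16   # GDPR Article 8 default, applied to any country not listed (fail closed)

function Get-AgeOn {
    # Whole years between date of birth and a reference date, honouring the
    # birthday-not-yet-reached case that a plain year subtraction gets wrong.
    param([datetime]$DateOfBirth, [datetime]$AsOf)
    $age = $AsOf.Year - $DateOfBirth.Year
    if ($AsOf -lt $DateOfBirth.AddYears($age)) { $age-- }
    return $age
}

function Invoke-AgeGate {
    param(
        [Parameter(Mandatory)][string]$CountryCode,     # from the country claim, not the client IP
        [Parameter(Mandatory)][datetime]$DateOfBirth,
        [datetime]$AsOf = (Get-Date)
    )
    $cc = $CountryCode.ToUpperInvariant()
    $threshold = if ($DigitalConsentAge.ContainsKey($cc)) { $DigitalConsentAge[$cc] } else { $DefaultEuAge }
    $age = Get-AgeOn -DateOfBirth $DateOfBirth -AsOf $AsOf

    if ($age -ge $threshold) {
        # API connector contract: let the user flow proceed.
        return @{ version = '1.0.0'; action = 'Continue' }
    }
    # Under the threshold: stop sign-up and explain. Consent from the holder of
    # parental responsibility is a separate flow; this gate only decides whether it is needed.
    return @{
        version     = '1.0.0'
        action      = 'ShowBlockPage'
        userMessage = "Users under $threshold in your country need a parent or guardian to consent to this service."
    }
}

# Constructed cases, evaluated on a fixed date so the result does not depend on when you run this.
$asOf = [datetime]'2026-03-01'
Invoke-AgeGate -CountryCode 'GB' -DateOfBirth '2012-06-15' -AsOf $asOf | ConvertTo-Json -Compress   # 13-year-old, UK
Invoke-AgeGate -CountryCode 'DE' -DateOfBirth '2012-06-15' -AsOf $asOf | ConvertTo-Json -Compress   # same child, Germany
Invoke-AgeGate -CountryCode 'FR' -DateOfBirth '2011-03-02' -AsOf $asOf | ConvertTo-Json -Compress   # turns 15 the day after $AsOf
Invoke-AgeGate -CountryCode 'XX' -DateOfBirth '2011-01-01' -AsOf $asOf | ConvertTo-Json -Compress   # unrecognised country
```

The third case is the one worth a unit test: a year subtraction alone says 15, the birthday check says 14, and the difference is whether the gate is legally correct on that one day. The fourth shows the fail-closed choice; if you would rather route unknown jurisdictions to a manual flow, return a ValidationError instead of a block page.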
Legitimate Interest Balancing Test
Both regimes recognise legitimate interest as a lawful basis, but the ICO's approach to the balancing test has diverged from EU DPA practice:
ICO approach: the ICO has been more permissive of legitimate interest for direct marketing and fraud prevention, provided the balancing test (the legitimate interests assessment) is documented. The Data Protection and Digital Information Bill that would have gone further lapsed when Parliament was dissolved in 2024; its successor, the Data (Use and Access) Act 2025, introduces a list of "recognised legitimate interests" that need no balancing test, with its provisions commencing in phases.
EU approach: EU DPAs, particularly the French CNIL and the German state authorities, have taken a stricter view, especially regarding cookie consent, tracking and profiling.
Technical implication: your controls may need different sensitivity for UK and EU user populations, but be clear about what each tool can do. Exchange mail flow rules can tag, hold and route messages; they cannot establish whether consent exists. Purview Communication Compliance and DLP inspect content, not lawful basis. So:
- EU users: outbound marketing from EU-based senders is held, or routed through a connector, unless the marketing platform has performed and recorded a consent check (for example by stamping a header the rule can test)
- UK users: legitimate interest or the PECR soft opt-in may suffice for certain communications, but the documented balancing test must exist before the rule lets the mail through
Implement this with Exchange mail flow rules that tag messages by the sender's jurisdiction (group membership maintained from HR data, not the sender's IP) and hold or route them accordingly.
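The rule set described above, as an added example that is not code from the original article. Assumptions: HR-maintained mail-enabled groups eu-staff@contoso.com and uk-staff@contoso.com, the header names, the moderator mailbox, and a marketing platform that stamps X-Consent-Basis (consent, soft-opt-in or legitimate-interest) on every bulk message it sends. The rules do not verify consent; they enforce that a recorded basis travels with the message and hold anything that lacks one.

```powershell
# Added example (not from the original article): Exchange Online mail flow
# rules for jurisdiction tagging and consent-basis enforcement. Group names,
# header names and the moderator mailbox are assumptions.

Connect-ExchangeOnline

# 1. Stamp the sender's jurisdiction for downstream systems and message traces.
#    -FromMemberOf needs a distribution group or mail-enabled security group.
New-TransportRule -Name 'Tag EU senders' -Priority 0 `
    -FromMemberOf 'eu-staff@contoso.com' `
    -SetHeaderName 'X-Sender-Jurisdiction' -SetHeaderValue 'EU'

New-TransportRule -Name 'Tag UK senders' -Priority 1 `
    -FromMemberOf 'uk-staff@contoso.com' `
    -SetHeaderName 'X-Sender-Jurisdiction' -SetHeaderValue 'UK'

# 2. External bulk mail from EU senders is held for the privacy team unless the
#    marketing platform recorded opt-in consent (the strict EU position).
New-TransportRule -Name 'EU bulk mail needs recorded consent' -Priority 2 -Mode Audit `
    -FromMemberOf 'eu-staff@contoso.com' `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'Precedence' -HeaderContainsWords 'bulk' `
    -ExceptIfHeaderMatchesMessageHeader 'X-Consent-Basis' -ExceptIfHeaderMatchesPatterns '^consent$' `
    -ModerateMessageByUser 'privacy-review@contoso.com'

# 3. UK senders may rely on the soft opt-in or a documented legitimate interest,
#    so any recorded basis is accepted; mail carrying none is still held.
New-TransportRule -Name 'UK bulk mail needs a recorded basis' -Priority 3 -Mode Audit `
    -FromMemberOf 'uk-staff@contoso.com' `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'Precedence' -HeaderContainsWords 'bulk' `
    -ExceptIfHeaderMatchesMessageHeader 'X-Consent-Basis' -ExceptIfHeaderMatchesPatterns '^(consent|soft-opt-in|legitimate-interest)$' `
    -ModerateMessageByUser 'privacy-review@contoso.com'

# Rules 2 and 3 start in -Mode Audit so you can review the message trace before
# switching them to -Mode Enforce with Set-TransportRule.
Get-TransportRule | Where-Object Name -like '*bulk mail*' | Format-Table Name, Priority, State, Mode
```

Two cautions. The X-Consent-Basis header is only as trustworthy as the path it arrives on: restrict who can submit through the connector the marketing platform uses, otherwise anyone who can set a header can bypass the hold. And the Precedence: bulk condition assumes your marketing platform sets it; if it does not, key the rule on a header you control instead.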
ICO vs EU DPA Enforcement Patterns
Understanding enforcement patterns affects how you prioritise control implementation:
ICO (UK):
- Historically focused on public sector, health data, and financial services
- Heavy emphasis on breach notification compliance (Articles 33 and 34, which keep their numbering in UK GDPR)
- The ICO has been moving toward a more risk-based, outcome-focused approach
- Key technical area: access request handling (DSAR automation)
EU DPAs:
- Varied by member state, but CNIL and the Irish DPC have been the most active on tech enforcement
- Cookie consent enforcement is far more aggressive than the ICO
- Cross-border cases handled via the one-stop-shop mechanism, which creates delays
Technical implication: DSAR automation should be prioritised for UK-regulated entities and cookie consent management for EU-facing services. Purview's Data Subject Request case type is the usual starting point, but the Purview portal has been folding classic case types into the unified eDiscovery experience, so confirm the case type is still offered in your tenant before building automation on it. A quick snapshot of existing cases:
```powershell
# Check Purview DSR cases and completion metrics
Connect-IPPSSession
$dsrCases = Get-ComplianceCase -CaseType DSR
$dsrCases | ForEach-Object {
    $searches = @(Get-ComplianceSearch -Case $_.Identity)   # @() normalises one-or-many results to an array
    [PSCustomObject]@{
        CaseName    = $_.Name
        Status      = $_.Status
        CreatedDate = $_.CreatedDateTime
        SearchCount = $searches.Count
    }
} | Sort-Object CreatedDate -Descending | Format-Table -AutoSize
```
M365 Tenant Configuration Differences: Summary Matrix
For dual-regulated firms, here is the standard configuration matrix:
| Configuration Area | UK-Only Tenant | UK+EU Tenant |
|---|---|---|
| Data residency | Single-geo (GBR) | Multi-Geo (GBR + EUR) |
| Transfer mechanism | IDTA or UK Addendum for non-adequate destinations | EU SCCs with TIA, plus UK Addendum for the UK leg |
| Age gating (B2C) | 13 years | 13 for UK users; 16 default or the member-state age for EU users |
| DSAR tooling | Purview DSR (priority) | Purview DSR + manual DPA liaison |
| Cookie consent | PECR consent; ICO enforcement historically lighter, with narrow statutory exemptions arriving under the Data (Use and Access) Act 2025 | ePrivacy consent; CNIL and other DPAs enforce actively |
| Breach notification | ICO within 72h | Lead supervisory authority within 72h, plus cross-border cooperation |
| DPO requirement | Article 37 thresholds (public authority, large-scale regular monitoring, large-scale special category data) | Same Article 37 thresholds, plus national add-ons (for example the German BDSG headcount rule) |
| Marketing consent | Consent, or the PECR soft opt-in for existing customers | Consent, or the ePrivacy Article 13(2) existing-customer exception as transposed by each member state |
Practical Recommendations
- Don't assume adequacy is permanent. Architect Multi-Geo from the start if you have any EU operations. Retrofitting data residency is significantly more expensive than deploying it at inception.
- Maintain separate Records of Processing Activity (ROPA) for UK and EU. The legal bases may differ for identical processing activities across jurisdictions. Store these as structured data in SharePoint with Power Automate flows that generate the Article 30 register format.
- Automate DSAR handling. The ICO has repeatedly taken enforcement action over slow DSAR responses (one calendar month, extendable by two for complex requests). Purview's DSR tool covers Exchange, SharePoint and OneDrive content searches; Teams chat and channel messages are stored in Exchange mailboxes and are searchable too, but eDiscovery (Premium) is what gives you threaded conversation review and export.
- Watch UK data reform. The Data (Use and Access) Act 2025 received Royal Assent in June 2025 and commences in stages; it touches cookie consent exemptions, recognised legitimate interests and the complaints and DSAR process. Each commencement order may require tenant configuration updates, so build flexibility into your compliance architecture.
- Use Purview Compliance Manager with both the EU GDPR and UK DPA assessments loaded. This gives you a side-by-side view of compliance gaps across both regimes.
The post-Brexit GDPR landscape is manageable if you plan for divergence rather than react to it. The M365 platform has the tooling for dual compliance; the challenge is knowing which levers to pull for which jurisdiction.