Data protection

Data protection, privacy and cross-border data transfers

Ensuring lawful, transparent and accountable use of personal data remains a critical compliance requirement for organisations operating in the United Kingdom. The landscape continues to evolve following the Data Use and Access Act 2025 (DUAA) and the ongoing application of the UK GDPR and the Data Protection Act 2018. These frameworks impose obligations on controllers and processors and require evidence of appropriate governance, risk management and technical safeguards.

This page provides an overview of the UK regime and the practical steps organisations should take to manage legal and operational risk. For wider context on our work in this area, please see AI & Data.

The UK data protection framework

The DUAA consolidates and updates elements of the former regime and modernises rules governing personal data use, access and sharing. It sits alongside:

The core principles remain unchanged: processing must be lawful, fair and transparent; limited to specified purposes; minimised to what is necessary; accurate; stored for no longer than required; and subject to appropriate security controls.

Organisations must be able to demonstrate compliance through documented policies, risk assessments and governance structures. Clients frequently combine this work with broader digital or contractual review programmes. See: Technology and Telecoms Transactions and Specialist Co-Counsel.

Rights of individuals

Individuals continue to benefit from extensive statutory rights, including:

  • the right of access;
  • the right to rectification and erasure;
  • the right to object to certain processing operations;
  • rights relating to automated decision-making; and
  • data portability.

Time limits for responses remain strictly applied. Organisations must maintain internal processes for receiving, triaging and responding to requests in line with ICO expectations.
ICO guidance: https://ico.org.uk/your-data-matters/your-right-of-access/

International transfers

Cross-border transfers of personal data remain one of the most legally complex aspects of data governance. The DUAA reinforces the requirement that UK organisations ensure an adequate level of protection for data exported to third countries.

The lawful mechanisms include:

Transfer governance is increasingly scrutinised in regulatory investigations and commercial negotiations. We frequently assist clients in designing cross-border transfer strategies that align with commercial imperatives and regulatory expectations.

Governance, risk management and accountability

The ICO continues to emphasise risk-based governance. Key measures include:

  • maintaining a comprehensive Record of Processing Activities (ROPA);
  • implementing clear policies and training;
  • conducting Data Protection Impact Assessments (DPIAs) for high-risk or AI-driven processing;
  • ensuring processor contracts contain mandatory terms; and
  • adopting proportionate technical and organisational measures, including encryption, access controls and monitoring.

For clients seeking strategic, ongoing support, we offer Fractional General Counsel services.

Data breach notification

Where a personal data breach creates a risk to individuals’ rights and freedoms, controllers must notify the ICO without undue delay, and in any event within 72 hours. In certain cases, affected individuals must also be informed.
ICO breach guidance: https://ico.org.uk/for-organisations/report-a-breach/

Effective incident response, including tabletop testing, is therefore essential.

AI, automated decision-making and new technologies

AI-driven systems introduce increased risks relating to transparency, explainability, fairness and human oversight. The DUAA introduces specific provisions governing data access and automated decision-making, complementing existing rules under the UK GDPR.

We advise on the deployment, governance and contractual allocation of risk in AI-driven systems. For further information, please see AI & Data.

How Bratby Law can help

Bratby Law supports organisations across sectors with:

  • compliance programmes and audits;
  • international data transfer assessments;
  • AI governance and automated decision-making reviews;
  • drafting processor, data-sharing and cross-border transfer agreements;
  • breach response; and
  • regulatory engagement with the ICO.

To understand our approach and ethos, see Why Bratby Law?

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category.
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader).