
Data Protection
UK GDPR compliance, data governance, AI regulation and sector-specific data protection
UK Data Protection Framework
UK data protection law is set out in the Data Protection Act 2018 and the UK GDPR, supplemented by the Privacy and Electronic Communications Regulations 2003 (PECR) and sector-specific requirements from regulators including the ICO, Ofcom and the FCA. The framework governs how organisations collect, store, share and process personal data, with enforcement powers including fines of up to 4% of global annual turnover.
The regulatory landscape is developing. The Data Protection and Digital Information Act 2024 introduces changes to legitimate interests, international transfers and automated decision-making. AI governance frameworks are creating new data protection obligations around algorithmic transparency, bias testing and impact assessments. Cross-border data transfer mechanisms continue to evolve following Brexit.
bratby.law provides senior, specialist data protection advice across UK GDPR compliance, international transfers, data governance, AI-related processing and sector-specific requirements for telecoms and financial services. The practice combines regulatory depth with sector knowledge and commercial awareness, helping organisations comply with their obligations, manage regulatory risk and structure data-related arrangements with confidence.
Our Data Protection Services
Our Data Protection practice is organised around four specialisms.
UK GDPR and regulatory compliance
Comprehensive support across UK GDPR, PECR and data-governance obligations. Data-mapping, DPIAs/AIAs, high-risk processing, transparency and fairness, data retention, security, profiling and automated decision-making.
We advise on:
- Data strategy, governance and records of processing activities.
- Lawful bases, purpose limitation and compatibility for re-use of data.
- Data subject rights, subject access requests and response procedures.
- ICO engagement, codes of practice and regulatory investigations.
Learn more about UK GDPR and regulatory compliance
Sector-specific data protection
Sector-specific advice on how data protection intersects with telecoms regulation, financial services regulation and digital infrastructure requirements. This includes PECR compliance, security and resilience obligations, and customer data handling for regulated businesses.
We support:
- Telecoms operators and financial services firms processing personal data across networks, operations and customer services.
- Compliance with Ofcom’s General Conditions, TSA security duties and resilience requirements where AI is embedded in critical processes.
- Data and AI issues in network-sharing, MVNO, interconnection and infrastructure arrangements.
Learn more about sector-specific data protection
AI and automated decision-making
Clear, senior guidance on UK and international AI regulatory requirements. Advice on the UK’s principles-based AI framework, the EU AI Act and related guidance, including how these interact with UK GDPR, the Data Protection Act 2018 and sector-specific regimes.
We help clients:
- Assess data protection obligations for AI-enabled products and automated processing.
- Conduct data protection impact assessments for high-risk AI processing.
- Advise on lawful bases, transparency and fairness obligations for automated decision-making and profiling.
- Manage ICO engagement, regulatory enquiries and compliance programmes for AI-related data processing.
Learn more about AI and automated decision-making
Data governance, transfers and accountability
Board-level and senior management support on data governance, regulatory compliance, accountability frameworks and data protection programme management.
Our work includes:
- Designing data governance frameworks, data protection policies and accountability structures.
- Integrating data protection risk into existing risk management and assurance processes.
- Training boards and senior teams on UK GDPR obligations, ICO expectations and practical oversight.
- Supporting internal audits, data protection reviews and ICO regulatory enquiries.
Learn more about data governance, transfers and accountability
What clients ask us about data protection
Typical questions include:
- How do the UK’s approach to data protection for AI-enabled products, the EU AI Act and UK GDPR interact for our business?
- What data protection documentation, policies and governance do we need to demonstrate accountability?
- How do data protection obligations interact with telecoms-specific duties on security, resilience and consumer protection?
- What should our board be doing to demonstrate appropriate data protection governance and oversight?
Our role is to answer these data protection questions clearly, explain the regulatory logic and translate it into concrete governance, contractual and operational steps.
How we help
We combine regulatory depth, sector knowledge and technical understanding.
Regulatory experience
Experience at Oftel, in-house at operators and as a partner and practice leader in international firms provides an end-to-end view of how regulation is made, interpreted and enforced.
Data protection expertise
Recognised strength in data protection and data governance, applied to complex compliance programmes, cross-border transfers, sector-specific requirements and regulatory engagement.
Technical and analytical capability
A scientific first degree and formal governance training support a structured, technically informed approach to data protection compliance and risk assessment.
Commercial focus
Advice is calibrated to commercial objectives and risk appetite, helping clients move projects forward rather than simply catalogue risk.
Who we work with
We provide data protection advice to:
- Telecoms operators and digital-infrastructure providers.
- Technology companies, platforms and data-driven businesses.
- Investors and acquirers assessing data protection risks in transactions.
- Law firms and consultancies seeking specialist co-counsel input on data protection issues.
An end-to-end regulatory perspective
Rob Bratby’s experience spans three perspectives that are seldom combined in a single advisor:
The Regulator’s Perspective
Work at Oftel, the predecessor to Ofcom, provides first-hand experience of how UK communications regulation is developed, interpreted and enforced. This includes leadership of the project to liberalise the UK’s international telecoms infrastructure market (subsea cables and satellite), and a detailed understanding of regulatory intent and enforcement dynamics.
The Operator’s Perspective
Senior in-house roles at COLT and embedded general-counsel roles within operator-side businesses provide practical insight into how networks are built, where risks arise, how compliance is operationalised and how commercial and regulatory decisions are made inside carriers and infrastructure operators.
The Advisor’s Perspective
Senior partnership roles at international law firms and current fractional General Counsel appointment at TOTSCo and UK Payments Initiative Limited provide a working understanding of how legal advice translates into commercial and regulatory decisions at board level.
This combination enables advice that is legally rigorous, commercially aligned and technically grounded.
Why a specialist boutique?
bratby.law is structured to provide a clear alternative to broad practices and City or international law firms:
| Boutique approach | City firm |
|---|---|
| Specialist, sector-specific focus | Broad TMT or FS coverage with variable depth |
| Senior delivery on all matters | Work delegated to teams of varying experience |
| Integrated regulatory, operator and advisory experience | Limited practical or regulatory grounding |
| Predictable, flexible engagement models | Rigid, process-driven structures |
As a boutique, bratby.law provides specialist regulatory depth, partner-level delivery and commercially aligned advice shaped by practical operator-side experience. Engagement models are flexible and predictable, including direct instruction, specialist co-counsel and fractional general counsel support.
Insights
Our Insights blog tracks key developments in data protection regulation and related telecoms and platform issues.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category.
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
- Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader).
Frequently asked questions about data protection
What laws govern data protection in the UK?
Data protection in the UK is governed primarily by the UK GDPR (the retained EU General Data Protection Regulation) and the Data Protection Act 2018 (DPA 2018). Together these set out the rules on how personal data must be collected, processed, stored and shared. The Privacy and Electronic Communications Regulations 2003 (PECR) impose additional requirements for electronic marketing, cookies and communications metadata. The Information Commissioner’s Office (ICO) is the independent supervisory authority responsible for enforcing these rules. Organisations processing personal data must comply with the data protection principles, establish a lawful basis for processing, and respect individuals’ rights including access, rectification, erasure and data portability.
How does the UK’s approach differ from the EU AI Act?
The UK takes a “principles-based, sector-led” approach rather than a binding horizontal AI statute. The EU AI Act is prescriptive, categorising AI systems by risk and imposing detailed compliance requirements. UK-based organisations working in or selling into the EU may need to comply with both frameworks.
What is the ICO’s current enforcement focus?
The ICO’s current priorities include data protection compliance in AI and automated decision-making, children’s privacy and the Age Appropriate Design Code, marketing and cookies compliance, international data transfers, and cyber security and breach reporting. The ICO has confirmed it will use its full enforcement powers, including fines, to address non-compliance in these areas.
What are an organisation’s core obligations when developing or deploying AI systems?
Obligations depend on context, but typically include:
- lawfulness and transparency of data use
- data minimisation and purpose limitation
- meaningful human oversight
- security and robustness controls
- testing and validation to manage bias and accuracy risk
- accountability frameworks, including model governance and documentation
- third-party risk management and contractual controls for AI services and models.
Do we need a data protection governance framework?
Yes. A formal data protection governance framework is a practical requirement for accountability under UK GDPR. This typically includes a data protection policy, defined roles and responsibilities, records of processing activities, a DPIA process, data breach procedures, data subject rights processes, training programmes and regular compliance reviews.
What data protection issues arise with AI and automated decision-making?
Compliance requires:
- identifying a lawful basis for training
- ensuring training data is fair, relevant and not excessive
- applying appropriate anonymisation or pseudonymisation
- assessing high-risk activities using a DPIA or AI-specific impact assessment
- providing adequate transparency about model training
- managing data subject rights, including the right to object or request erasure if applicable.
Can we use publicly available data without restriction?
Public availability does not remove data protection obligations. If the data includes personal data, a lawful basis is still required. Organisations must also consider the reasonable expectations of data subjects, the purpose of the original publication, and whether further processing is compatible. Copyright, database rights, confidentiality and terms of service may also apply.
Do we always need consent to process personal data?
Not necessarily. UK GDPR provides six lawful bases for processing: consent, contract, legal obligation, vital interests, public task and legitimate interests. The appropriate basis depends on the purpose and context. Consent is required for direct marketing communications under PECR and may be required for processing special category data. A legitimate interests assessment should be conducted where that basis is relied upon.
What are the key data protection risks for technology businesses?
Key data protection risks for technology businesses include:
- inadequate lawful basis for processing
- insufficient transparency and privacy notices
- insecure international data transfers
- vendor and processor compliance gaps
- inadequate breach detection and response
- non-compliance with data subject rights
- excessive data retention
- for AI-enabled products, risks of bias, automated decision-making without human oversight and opaque processing.
How do we manage international data transfers?
Where personal data is transferred outside the UK, organisations must implement appropriate safeguards. Options include UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), binding corporate rules or specific derogations. A transfer risk assessment is required to evaluate the legal framework and practical enforcement environment in the destination country.
Who is responsible for data protection compliance in a supply chain?
Under UK GDPR, the controller is responsible for compliance regardless of how processing is carried out. Where processors are engaged, controllers must conduct due diligence, enter into compliant data processing agreements under Article 28, and monitor ongoing compliance. Joint controller arrangements require a transparent allocation of responsibilities. Sub-processor chains must be managed contractually and operationally.
What should we do in the event of a personal data breach?
Under UK GDPR, personal data breaches likely to result in a risk to individuals must be notified to the ICO within 72 hours. Where the breach is likely to result in a high risk, affected individuals must also be notified. Organisations should maintain a breach register, have documented incident response procedures and conduct post-incident reviews.
How does the ICO enforce data protection compliance?
The ICO has a range of enforcement powers including information notices, assessment notices, enforcement notices, penalty notices (fines of up to £17.5 million or 4% of global turnover), and prosecution for certain offences. The ICO publishes enforcement actions and regulatory guidance to signal its priorities and expectations.
What are the consequences of non-compliance with UK GDPR?
Consequences of non-compliance include ICO enforcement action and fines, private claims for compensation (including group litigation), contractual disputes, reputational harm and operational disruption. For regulated sectors such as telecoms or financial services, data protection failures can also affect licensing and supervisory relationships.
Do we need a record of processing activities?
Yes. Under Article 30 of the UK GDPR, controllers and processors must maintain records of processing activities. These records must include purposes, categories of data subjects and personal data, recipients, international transfers, retention periods and security measures. Records of processing are a core accountability requirement and are routinely requested by the ICO.
Should boards oversee data protection compliance?
Yes. Boards are expected to oversee data protection compliance in the same way they oversee cybersecurity and other legal risks. They should receive regular reporting, approve governance frameworks, ensure adequate resources and understand the organisation’s risk exposure. The ICO has emphasised that accountability starts at board level.
Are SMEs expected to comply with the same data protection standards?
Yes. UK GDPR applies to all organisations processing personal data, regardless of size. However, the ICO adopts a proportionate approach. SMEs may not need a DPO and may use simplified records of processing, but they must still have lawful bases, fair processing notices, security measures and breach procedures in place.
How does data protection interact with telecoms regulation?
Telecoms providers process large volumes of personal data including traffic data, location data and subscriber information. The Communications Act 2003, PECR and UK GDPR impose overlapping obligations. Data protection compliance must be managed alongside Ofcom’s General Conditions, the Telecommunications (Security) Act 2021 and the electronic communications privacy framework.
What practical steps should we take to improve data protection compliance?
A typical starting point includes:
- mapping AI use cases
- reviewing data flows and training datasets
- implementing a data governance framework
- completing an AI impact assessment
- updating contracts and third-party arrangements
- aligning policies (data protection, security, acceptable use, procurement)
- conducting staff training
- establishing monitoring and oversight arrangements.
