AI regulation and data protection lawyer | UK compliance

Data Protection

Effective data protection advice demands deep expertise in the UK GDPR, the Data Protection Act 2018 and the Data Use and Access Act 2025, combined with practical understanding of how the ICO enforces them. Bratby Law advises controllers, processors and technology businesses on compliance, DPIAs, international transfers, AI governance and breach response. Rob Bratby is recognised by Lexology as a Global Elite Thought Leader in data protection and holds four fractional General Counsel appointments that keep his understanding of operational compliance current.

The regulatory framework

The UK GDPR sets the core principles for processing personal data: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. The Data Protection Act 2018 supplements the UK GDPR with provisions on law enforcement processing, intelligence services processing, and the powers of the Information Commissioner. The ICO is the independent supervisory authority responsible for enforcement.

The Data Use and Access Act 2025 has amended the UK data protection framework. Most provisions commenced on 5 February 2026. The Act modifies the conditions for lawful processing, reforms the ICO’s enforcement powers, introduces a statutory complaints handling obligation for controllers, and makes changes to the framework for international transfers. Organisations must now maintain a complaints procedure and acknowledge complaints within 30 days. The ICO has published guidance on how it will regulate under the amended framework.

The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside the UK GDPR and govern electronic marketing, cookies, traffic data and location data. PECR imposes sector-specific rules on telecoms operators, including requirements for consent to process location data for value-added services under regulation 14. The interaction between PECR and the UK GDPR creates compliance complexity that general privacy advice often underestimates.

What we advise on

Our data protection services cover the full compliance lifecycle.


Why data protection matters

Data protection compliance is not a box-ticking exercise. The ICO has increased its enforcement activity, issuing larger fines and focusing on systemic failures rather than isolated incidents. The DUAA 2025 has expanded the ICO’s powers and introduced new obligations on controllers. Organisations that treat data protection as a standalone compliance function rather than an operational design question expose themselves to enforcement action, transaction delay and reputational damage. Understanding how the ICO thinks, how regulated businesses handle data in practice, and how data protection intersects with sector-specific regulation is the foundation of effective advice.

Our unique perspective on data protection

Bratby Law’s data protection advice is shaped by three distinct perspectives.

This combination of regulator, operator and advisor perspective gives clients access to practical, confident data protection advice grounded in how the ICO and regulated businesses actually operate.


Our data protection credentials

Lexology recognises Rob Bratby as a Global Elite Thought Leader in data protection. Chambers UK ranks Bratby Law in Band 2 for Telecoms Regulation, reflecting the firm’s cross-disciplinary strength across telecoms, data and payments. The Legal 500 ranks Rob Bratby as a Leading Partner. His data protection practice is anchored by four current fractional General Counsel appointments at regulated businesses where data protection compliance is a live operational requirement.

Why a specialist boutique?

Data protection advice from a specialist with operator-side experience delivers a different quality of outcome from advice produced by a general privacy practice or a City firm’s data team.

Data protection advisory: specialist boutique versus general privacy practices and City firms

| Factor | Bratby Law | General privacy practices and City firms |
| --- | --- | --- |
| Regulatory insider perspective | Oftel secondment and four ongoing fractional GC appointments. Direct experience of how regulatory frameworks are designed and enforced. | Advisory-only perspective. Limited exposure to regulator behaviour or operational compliance. |
| Sector focus and depth | Data protection advice integrated with telecoms, payments and technology regulation. Understands how PECR, FCA requirements and Ofcom obligations interact with the UK GDPR. | Data protection treated as a horizontal practice. Limited understanding of sector-specific regulatory overlays. |
| Senior partner delivery | Advice delivered by Rob Bratby, Managing Partner with 30 years’ experience. No delegation to junior associates. | Data protection work routinely delegated. Senior partner involvement limited to sign-off. |
| Cost and engagement flexibility | Boutique pricing. Fractional GC arrangements available for ongoing data protection support. | Full-service firm billing rates. Data protection advice priced as part of a broader privacy or regulatory mandate. |

How we work

Bratby Law works with clients in three ways: as direct legal advisors on specific matters, as specialist co-counsel supporting other legal teams, and as fractional general counsel on a longer-term retained basis. Each model delivers partner-level input without delegation.

Frequently asked questions about data protection

Has the Data Use and Access Act 2025 changed my data protection obligations?

Yes. The DUAA 2025 amends the UK GDPR framework. Key changes include reforms to the ICO’s enforcement powers, a statutory complaints handling obligation requiring controllers to maintain a procedure and acknowledge complaints within 30 days, and modifications to international transfer provisions. We advise on the practical implications for your processing activities.

How has ICO enforcement changed?

The ICO has increased the frequency and scale of enforcement action. It is focusing on systemic failures, inadequate DPIAs, unlawful international transfers and insufficient technical measures. The DUAA 2025 has expanded the ICO’s powers. Organisations should review their compliance posture against the current enforcement priorities.

Do I need separate UK and EU data protection compliance?

If you process personal data of UK and EU residents, you need to comply with both the UK GDPR and the EU GDPR. The regimes are diverging. The DUAA 2025 has introduced UK-specific changes that do not apply in the EU. We advise on dual compliance strategies and the practical implications of divergence.

Is AI governance a separate compliance requirement?

AI governance sits within data protection. If you train AI models on personal data or use automated decision-making, you must establish a lawful basis under UK GDPR, comply with Article 22 on automated decisions, and conduct DPIAs where processing is high-risk. We advise on AI governance as part of the data protection framework, not as a standalone requirement.

When should I instruct external data protection counsel?

When the matter involves regulatory risk that your in-house team cannot assess independently. Common trigger points include ICO investigations, high-risk DPIAs, international transfer structuring, data breach response, and integration of data processing arrangements in M&A. Early instruction reduces cost and regulatory risk.

What does the new complaints handling obligation require?

Controllers must maintain a complaints procedure and acknowledge data protection complaints within 30 days. The procedure must be accessible and transparent. Failure to comply is enforceable by the ICO. We advise on designing compliant complaints procedures.

How does the DUAA affect DPIAs?

The DUAA 2025 modifies the DPIA framework. Controllers must still carry out DPIAs for high-risk processing. The changes affect the circumstances in which DPIAs are required and the ICO’s role in assessing them. We advise on when DPIAs are needed under the amended framework and how to document them.

What data protection issues arise in telecoms and payments transactions?

Acquiring a telecoms operator or payment service provider changes the controller relationship. Data migration requires new processor agreements, may trigger DPIAs, and involves re-establishing international transfer mechanisms. PECR adds sector-specific requirements for telecoms data. We advise on data protection due diligence and post-completion integration.

Also see

Our related pages on Telecoms Regulation, Payments Regulation and Transactions explore the intersections between data protection and these adjacent areas. For information about our engagement models, see How We Work. For commentary on current regulatory developments, see Insights.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked as a Band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category.
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data.