
Data Governance, Transfers and Accountability
Data governance frameworks, international transfers and accountability programmes
Effective data governance is not a compliance checkbox. It is an operational discipline that binds personal data processing to documented decision-making, aligns controller and processor responsibilities to actual practice, and creates accountability frameworks that regulators and courts can scrutinise. When governance fails, organisations struggle to defend data transfers, explain legitimate interests to the ICO, and respond credibly to breach investigations. Bratby Law works with organisations to build governance frameworks that work for their business, respond to evolving regulatory standards, and survive regulatory stress-testing.
When data governance and accountability obligations bite
Governance gaps surface most painfully in three contexts. First, regulatory audit and investigation: the ICO expects to see Records of Processing Activity (ROPAs) that reflect actual processing, controller and processor agreements that match the contractual chain, and legitimate interest assessments (LIAs) that document the basis for processing and address data subject rights. Second, M&A due diligence, where the buyer’s lawyers will examine whether the target has documented its processing accurately, governed cross-border transfers through compliant mechanisms, and maintained accountable relationships with third parties. Third, operational crisis: when a breach occurs, a customer objects, or a regulator opens an investigation, governance documentation becomes evidence. Organisations without current, credible documentation find themselves unable to explain their processing, justify their reliance on particular legal bases, or defend transfer mechanisms.
Why governance and accountability matter now
Four regulatory shifts have sharpened the governance stakes. First, the Data (Use and Access) Act 2025 (DUAA) changed the legal standard for international transfers. Controllers must now assess whether the third country’s protection is “not materially lower” than the UK’s, replacing the previous “essentially equivalent” test. That standard is deliberately less stringent, but it introduces new interpretive uncertainty. To apply it, controllers must run Transfer Risk Assessments (TRAs) that weigh the legal risks, the scope of law enforcement access, and the practical safeguards available in the destination country. The ICO’s updated guidance on international transfers (January 2026) sets out a three-step test for identifying restricted transfers and a structured methodology for assessing the adequacy of a transfer.
Second, the recognised legitimate interests basis under Article 6(1)(ea) UK GDPR requires controllers to articulate which specific recognised legitimate interest they are relying on, document that the processing is necessary for that interest, and update their Legitimate Interests Assessments and privacy notices accordingly.
Third, a new statutory complaints handling obligation takes effect on 19 June 2026. Organisations must establish internal processes to receive, acknowledge (within 30 days), investigate, and respond to data protection complaints. This is not optional and applies to all organisations regardless of size.
Fourth, the ICO has acquired new enforcement powers under the DUAA. Section 96 allows the ICO to issue assessment notices that require organisations to commission and pay for independent technical reports prepared by approved experts. This power closes investigative gaps and shifts costs to the investigated party, raising the stakes for organisations that cannot credibly demonstrate compliant data governance.
Where governance frameworks fail
Weak governance typically follows predictable patterns. Records of Processing Activities exist but are never updated. They describe processing in high-level categories rather than specific systems, tools, and data flows, and they do not reflect changes to technology infrastructure, vendor relationships, or business objectives. Controller and processor agreements are boilerplate, often missing clauses that reflect the actual scope of the processor’s authority and decision-making role. International transfer mechanisms are chosen on cost grounds without running a Transfer Risk Assessment aligned to the ICO’s updated guidance and the DUAA’s “not materially lower” test. Legitimate Interests Assessments pre-date the DUAA and do not address recognised legitimate interests or cross-refer to updated ROPAs. Privacy notices use abstract language about “marketing and business development” without explaining how personal data flows to specific systems, marketing platforms, and third parties. Controller and processor roles are misaligned with contractual structures: a party labelled a processor is in practice deciding the purposes of processing, or vice versa. Finally, governance documentation is treated as a one-off project. It is drafted, filed, and left to gather dust. When regulations change or business processes shift, the documentation is not reviewed and updated, and it becomes a liability rather than a defence.
What effective data governance looks like
Governance is sustainable only when it is embedded in operational rhythm. Records of Processing Activity must link directly to actual data flows. A ROPA entry should identify the system, the purposes of processing, the categories of data subject and of personal data processed, the categories of recipient, any international transfers and the mechanism relied on, retention periods, and the legal basis together with the Legitimate Interests Assessment (if applicable). These records must be reviewed quarterly. When business processes change, ROPAs are updated. When a data processor relationship ends, the ROPA is amended. When a new service (such as a marketing automation platform) is adopted, a new ROPA entry is created.
Controller and processor allocations must reflect substantive analysis, not contractual labels. If a third party determines the purposes and means of processing in practice, that party is a controller in its own right (a joint controller where it determines them together with you) and must be named as such in the legal documents and privacy notices. If a service provider acts only on documented instructions and has no discretion over the purposes of processing, it is a processor. That allocation must be documented and periodically audited.
International transfer architecture should be proportionate to the organisation’s risk profile but rigorous. For low-risk transfers (such as non-sensitive business contact information) to countries with robust legal frameworks, controllers may run a streamlined Transfer Risk Assessment; data that is genuinely anonymised is not personal data and falls outside the transfer rules altogether. For transfers of sensitive personal data to countries with broader law enforcement access or weaker data protection laws, a detailed assessment is warranted. The ICO’s three-step test and updated guidance provide the methodology.
Recognised legitimate interests must be explicitly documented. Where processing relies on Article 6(1)(ea), the controller must identify which recognised legitimate interest applies, explain why the processing is necessary for it, update the ROPA, and ensure privacy notices explain the basis and that no balancing test is carried out for it.
Privacy programme design must be tailored to the organisation’s risk profile and structure. A large group with processing in multiple jurisdictions requires a more elaborate governance framework than a small practice handling UK-only data. The governance framework should specify roles and responsibilities, escalation routes for data subject access requests and complaints, incident response procedures, and regular audit cycles.
When to instruct specialist governance counsel
Bratby Law advises on data governance in three engagement models: Direct Legal Advice for specific governance challenges; Specialist Co-counsel where internal legal teams are managing governance but need expert input on complex areas; and Fractional General Counsel for organisations without in-house data protection resources. Specialist input is warranted for international transfer architecture (particularly where organisations are navigating the DUAA’s “not materially lower” test and designing compliant mechanisms across multiple jurisdictions), ICO engagement (especially where the ICO is exercising its technical reports power or opening an investigation), M&A data protection due diligence (buying or selling a business), DUAA 2025 implementation (updating ROPAs, Legitimate Interests Assessments, privacy notices, and complaints procedures), and designing governance frameworks for complex group structures or high-risk processing. Controller and processor relationships should also be reviewed where there is uncertainty about role allocation or where contractual relationships do not reflect actual practice.
FAQs
What is the “not materially lower” standard and how does it differ from “essentially equivalent”?
The DUAA replaced the “essentially equivalent” test with “not materially lower”. The intention is to set a lower threshold, recognising that other countries’ data protection regimes will not mirror the UK’s and that differences of legal tradition and context are tolerated so long as the overall level of protection is not materially lower. However, the standard introduces interpretive uncertainty, and it will fall to the ICO and the UK courts to settle what “material” means. In the meantime, controllers should run Transfer Risk Assessments that weigh legal protections, law enforcement powers, and practical safeguards comprehensively, following the ICO’s January 2026 guidance.
Do we need to update our ROPAs and privacy notices for recognised legitimate interests?
Yes. Article 6(1)(ea) recognises certain legitimate interests for specific public interest purposes listed in Annex 1 of the UK GDPR. If your processing relies on these interests, you must update your ROPAs to specify which recognised legitimate interest applies and why the processing is strictly necessary. Privacy notices must explain the basis and note that balancing is not required. Legitimate Interests Assessments should document the necessity claim.
What does the new complaints handling obligation require?
From 19 June 2026, all organisations must have a clear internal process for data protection complaints. The process must allow people to submit complaints by their preferred method (email, phone, online form, or post). You must acknowledge complaints within 30 days, investigate without undue delay, keep the complainant informed, and explain the outcome. There are no exemptions. Smaller organisations and sole practitioners should document their process in writing, even if it is simple.
How should we assess international transfers under the DUAA and ICO guidance?
Use the ICO’s three-step test: does UK GDPR apply to the processing, are you sending personal data to a receiver outside the UK, and is that receiver a separate legal entity from you (a distinct controller or processor). If the answer to all three is yes, the transfer is restricted. You then need a transfer mechanism: UK adequacy regulations for the destination, an Article 46 safeguard such as the International Data Transfer Agreement, the UK Addendum to the EU SCCs or Binding Corporate Rules, or, exceptionally, an Article 49 derogation. Where you rely on an Article 46 safeguard, run a Transfer Risk Assessment. Document the legal protections in the destination country, the law enforcement access regimes, and the practical safeguards you apply (such as encryption, pseudonymisation or data minimisation). Apply the “not materially lower” standard by assessing comprehensively whether the overall level of protection is lower than the UK’s in a way that is material, rather than cataloguing every difference.
What should our controller and processor agreement cover?
The agreement should start from who determines the purposes and means of processing. If the service provider decides those for itself, it is a controller (a joint controller if it decides them together with you) and an Article 28 processor agreement is the wrong instrument. If it acts only on your instructions, the agreement should cover the Article 28(3) minimum: the subject matter, duration, nature and purpose of the processing; the controller’s documented instructions; confidentiality obligations on staff; security measures; the permitted sub-processors and the flow-down of obligations to them; assistance with data subject rights, breach notification and DPIAs; deletion or return of the data at the end of the engagement; and the controller’s audit and information rights. The agreement must reflect actual data flows and decision-making authority. If the contractual relationship does not match practice, the agreement is not a credible defence in an ICO investigation or court proceeding.
How often should we review and update our governance documentation?
At least quarterly for ROPAs, Legitimate Interests Assessments, and transfer documentation. More frequent reviews are warranted if you deploy new processing systems, change data processors, enter new international markets, or materially change the scope of processing. Governance is not a one-off project. It is a continuing discipline.
Representative experience
Recent and representative matters include:
- Designed a data governance framework for a telecoms group, establishing controller/processor mapping, data flow documentation and Article 30 records across 12 operating entities.
- Advised a multinational technology company on the transfer mechanisms available for UK-to-US and UK-to-Asia data flows following the UK’s adequacy decisions and the UK International Data Transfer Agreement.
- Negotiated and drafted data processing agreements under Article 28 for a SaaS platform with sub-processors across multiple jurisdictions, including putting in place the UK Addendum to the EU SCCs.
- Reviewed binding corporate rules for a global financial services group, assessing their compliance with the UK GDPR transfer provisions and the ICO’s approval criteria.
- Advised on the data protection implications of a corporate restructuring involving the transfer of customer databases between group entities, including controller succession and re-consenting requirements.
Rob Bratby advises on data governance and international transfers drawing on his regulatory background and General Counsel experience at businesses processing significant volumes of personal data. Bratby Law is recognised by Lexology as a Global Elite Thought Leader for data protection.
Related data protection pages
See also our other data protection pages:
- Data Protection Impact Assessments
- UK/EU Data Protection Divergence
- Data Breach Response and ICO Notification
- PECR and ePrivacy
- UK GDPR Compliance
- AI and Automated Decision-Making
- Sector-Specific Data Protection
See also: SaaS and Cloud Services.
How does data governance differ from data protection compliance?
Data governance is broader than compliance with any single regulation. It encompasses the organisational policies, processes and controls for managing data across the business, including data quality, classification, retention and access. Data protection compliance is one element of a data governance framework, but effective data governance also addresses commercial data use, data ethics and cross-functional coordination. Organisations with mature data governance are better positioned to demonstrate accountability under the UK GDPR.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology