Data Governance, Transfers and Accountability

Data governance, international transfers and accountability are core requirements of the UK GDPR and Data Protection Act 2018. They require organisations to build and maintain frameworks that demonstrate compliance, not merely assert it. The Data (Use and Access) Act 2025 reinforces this by introducing new provisions on recognised legitimate interests and automated decision-making that affect how governance frameworks should be designed. bratby.law advises on each element, from initial framework design to ongoing regulatory engagement with the ICO.

Governance frameworks

A governance framework establishes the policies, processes and organisational structures that an organisation uses to manage personal data. The UK GDPR requires controllers to implement appropriate technical and organisational measures (Article 24) and to adopt data protection by design and by default (Article 25). In practice, this means defining data ownership, setting processing standards, establishing approval workflows for new processing activities, and embedding privacy considerations into product development and procurement.

Effective governance requires clear allocation of responsibility. The controller must identify who within the organisation is accountable for data protection decisions and ensure those individuals have the authority, resources and access to information needed to fulfil their roles. For group companies, governance must address intra-group data sharing, consistent application of policies across jurisdictions, and management of group-wide data protection risks.

Records of processing activities

Article 30 of the UK GDPR requires controllers and processors to maintain records of processing activities (ROPA). The ROPA must document the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a general description of security measures. While the Article 30(5) exemption applies to organisations with fewer than 250 employees, it is narrow: it does not apply where processing is likely to result in a risk to data subjects’ rights and freedoms, where processing is not occasional, or where special category data or criminal offence data is processed.

In practice, most organisations that process personal data regularly will need a ROPA. The ICO expects the ROPA to be a living document that is updated as processing activities change. We help clients design ROPA formats that are proportionate to their operations and useful as a management tool, not merely a compliance artefact.

International data transfers

The UK GDPR restricts transfers of personal data to countries outside the UK unless an appropriate safeguard is in place. The available mechanisms are:

  • Adequacy regulations: the UK government has made adequacy decisions for the EEA and a number of other jurisdictions. Transfers to adequate countries require no further safeguard.
  • International Data Transfer Agreement (IDTA): the UK’s replacement for standard contractual clauses, issued by the ICO under section 119A of the Data Protection Act 2018.
  • UK Addendum to EU SCCs: an alternative to the IDTA that allows organisations already using EU standard contractual clauses to extend them to UK transfers.
  • Binding Corporate Rules (BCRs): approved by the ICO for intra-group transfers, requiring a substantial application process.
  • Derogations: Article 49 derogations (explicit consent, contractual necessity, public interest) are available but intended for occasional, non-repetitive transfers only.

Transfer risk assessments

Where an organisation relies on the IDTA, UK Addendum or BCRs, it must conduct a transfer risk assessment (TRA) to evaluate whether the laws and practices of the destination country provide an adequate level of protection. The TRA should assess the legal framework of the importing country, the specific circumstances of the transfer (including the nature of the data, the sector, and the identity of the importer), and any supplementary measures that can be applied to mitigate identified risks. The ICO has published guidance on conducting TRAs, and we advise clients on a methodology that is proportionate and defensible.

Data Protection Officer advisory

Articles 37 to 39 of the UK GDPR require certain organisations to designate a Data Protection Officer (DPO). The appointment is mandatory where the organisation is a public authority, where core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or where core activities consist of processing special category data or criminal offence data on a large scale.

The DPO must be independent, must report to the highest management level, and must not receive instructions regarding the exercise of their tasks. In practice, organisations often struggle with DPO positioning: ensuring genuine independence while maintaining the DPO’s access to the information and resources needed to be effective. We advise on DPO appointment decisions, role design, reporting lines and the management of conflicts of interest. For organisations that do not require a mandatory DPO, we advise on whether a voluntary appointment is appropriate and how to structure the role.

Accountability and demonstrating compliance

The accountability principle (Article 5(2)) requires controllers not only to comply with data protection principles but to demonstrate that compliance. This is a continuous obligation, not a one-off exercise. Demonstrating accountability means maintaining documentation (ROPA, DPIAs, policies, training records), conducting regular reviews of processing activities, monitoring compliance with internal policies, and responding promptly to data subjects and the ICO.

Data protection impact assessments (DPIAs) under Article 35 are a key accountability tool. A DPIA is required before processing that is likely to result in a high risk to individuals. This includes systematic profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. We advise on DPIA methodology, scope, risk assessment and the integration of DPIA findings into project governance. For AI-related DPIAs, see our page on AI and automated decision-making.

How bratby.law helps with data governance and transfers

We advise on:

  • Data governance framework design and implementation, including policies, procedures and organisational structures
  • Records of processing activities: format, content and ongoing maintenance
  • International data transfer strategies, including IDTA, UK Addendum, BCR applications and derogation analysis
  • Transfer risk assessments: methodology, documentation and supplementary measures
  • DPO appointment, role design, independence and reporting structures
  • DPIA methodology and integration into project governance
  • Accountability documentation: policies, training records, audit trails and ICO correspondence
  • Processor and sub-processor governance, including due diligence and contract review

Need advice on data governance, transfers or accountability? Book a call to discuss your requirements.

Frequently asked questions about data governance and transfers

Do I need a ROPA if I have fewer than 250 employees?

Probably yes. The exemption in Article 30(5) is narrow. It does not apply if your processing is not occasional, if it could result in a risk to individuals’ rights and freedoms, or if you process special category data or criminal offence data. Most organisations that process personal data as part of their regular business will need a ROPA regardless of size.

What is the difference between the IDTA and the UK Addendum?

The IDTA is a standalone contract for UK international data transfers, issued by the ICO. The UK Addendum is a shorter document that sits on top of EU standard contractual clauses and adapts them for UK law. Both achieve the same outcome. The UK Addendum is often more practical for organisations that already have EU SCCs in place with their counterparties.

When is a DPO appointment mandatory?

A DPO must be appointed where the organisation is a public authority, where core activities require regular and systematic monitoring of data subjects on a large scale, or where core activities involve large-scale processing of special category or criminal offence data. The ICO interprets “large scale” by reference to the number of data subjects, volume of data, duration of processing and geographical extent.

How often should I review my data governance framework?

The ICO expects governance frameworks to be reviewed regularly and updated when processing activities change, new risks emerge, or regulatory guidance is updated. An annual review is a reasonable minimum for most organisations. Significant changes to processing activities, such as deploying a new AI system or entering a new market, should trigger an immediate review of the relevant governance documentation.

Related data protection pages

See also: Data commercialisation and licensing.