Question 1

What is the difference between UK GDPR and EU GDPR?

Accepted Answer

UK GDPR is the UK&rsquo;s domesticated version of the EU General Data Protection Regulation, brought into UK law after Brexit and supplemented by the Data Protection Act 2018. The substance is largely the same; the differences are mainly procedural — the ICO is the UK regulator, transfers from the EU to the UK rely on the EU&rsquo;s adequacy decision, and there are some narrower exemptions in UK law.

Question 2

Do we need a Data Protection Officer?

Accepted Answer

You must appoint a DPO if you are a public authority, conduct large-scale systematic monitoring of individuals, or process special-category or criminal-conviction data on a large scale. Many organisations appoint a DPO voluntarily because customers and partners expect one. We deliver this as DPO-as-a-Service for organisations that need the role but cannot justify a full-time hire.

Question 3

When do we need to do a DPIA?

Accepted Answer

Whenever processing is likely to result in a high risk to individuals — typically large-scale special-category processing, systematic monitoring, large-scale profiling, processing involving new technologies, or any processing on the ICO&rsquo;s published "must DPIA" list. We run DPIAs as discrete engagements or maintain a DPIA library on retainer for clients with regular new processing.

Question 4

How quickly do we have to report a breach?

Accepted Answer

Article 33 requires notification to the ICO without undue delay and where feasible no later than 72 hours after becoming aware. Article 34 requires notification to affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Internal logging is required for every breach, regardless of whether external notification is triggered.

Question 5

How does UK GDPR relate to ISO 27001?

Accepted Answer

ISO 27001:2022 Annex A 5.34 (privacy and protection of personally identifiable information) explicitly maps to GDPR. Many of the technical and organisational measures Article 32 demands map to Annex A controls — access management, encryption, monitoring, secure development. Organisations certified to ISO 27001 are typically well-placed on Article 32 evidence.

Question 6

What about cross-border data transfers?

Accepted Answer

Transfers to countries without UK adequacy require appropriate safeguards: International Data Transfer Agreements, the UK Addendum to EU Standard Contractual Clauses, or Binding Corporate Rules. Transfer Risk Assessments are now expected for many transfers post-Schrems II. We help with TIA templates, contract reviews, and transfer-mapping for clients with global operations.

Question 7

Can you act as our DPO under UK GDPR?

Accepted Answer

Yes. Our DPO-as-a-Service includes a named, independent Data Protection Officer with appropriate qualifications, available for ICO and data subject queries, contributing to DPIAs, monitoring compliance, and reporting to your most senior management. The DPO is independent of operational privacy decisions, as Article 38 requires.

Question 8

How do you handle subject access requests?

Accepted Answer

We can run them end-to-end (search, redaction, response drafting, ICO defence if challenged) or support your team with templates and review. Most organisations need template + review for routine requests and end-to-end support for complex ones. The default response window is one calendar month; extensions to three months are permitted for complex or numerous requests.

Question 9

Are we affected by the UK Data (Use and Access) Act 2025?

Accepted Answer

The Act has received royal assent, and provisions are commencing on a staged basis. It modifies parts of UK GDPR and the DPA 2018 — including provisions around scientific research, automated decision-making, legitimate interests, and ICO governance. We track the legislation as it takes effect and advise retainer clients on transitional impact. For new programme builds, we design with the changes in mind so you do not need to rework after commencement.

Question 10

How do fines work under UK GDPR?

Accepted Answer

The ICO can issue fines up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for the most serious breaches. Lower-tier infringements carry up to £8.7 million or 2%. The ICO publishes its enforcement actions; the regulator increasingly favours focused, targeted intervention over headline-grabbing fines. Demonstrable compliance maturity matters in any enforcement conversation.

UK GDPR audits, DPIAs, and DPO-as-a-Service.

What is UK GDPR?

What we do

Data mapping and ROPA

DPIAs and PIAs

DPO-as-a-Service

Breach response and ICO liaison

How a privacy programme runs

Scoping call

Data mapping

Policy and process build

DPIAs and ongoing operation

Annual review or DPO retainer

The eight data subject rights

Why 1 Sequence Cyber

PCI SSC-listed QSAC

CREST DPT alignment

Frequently asked questions

Ready to start your privacy programme?