India's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer servicesIndia's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer services
Abhishek Bansiwal
UKUK GDPR & Data Protection Act 2018

Nearly the GDPR, but 'nearly' is where the exposure lives.

Post-Brexit, the UK runs its own version of the GDPR alongside the Data Protection Act 2018, enforced by the ICO. The obligations track the EU regime closely, but transfers, documentation, and reform under the Data (Use and Access) Act diverge in ways that catch out companies who assume one compliance programme covers both.

At a glance

Who it catches

UK-established organisations, plus businesses worldwide targeting or monitoring people in the UK

Maximum fines

Up to £17.5 million or 4% of global annual turnover, whichever is higher

Key divergences

UK IDTA / Addendum instead of EU SCCs, ICO Transfer Risk Assessments, evolving reform under the Data (Use and Access) Act

Regulator

Information Commissioner's Office (ICO)

What it requires

The obligations that matter in practice.

  • Everything the EU GDPR requires, lawful bases, notices, ROPAs, rights handling
  • UK-specific transfer documentation: the IDTA or the UK Addendum to EU SCCs
  • Transfer Risk Assessments following ICO guidance rather than EDPB methodology
  • Dual documentation where you serve both EU and UK markets
  • Attention to UK reform, obligations are shifting as the Data (Use and Access) Act beds in

How we help

Where our practice comes in.

FAQ

Common UK GDPR questions.

Mostly, but not automatically. Transfer documentation is the sharpest divergence: EU SCCs alone don't cover UK-origin transfers. If you serve both markets, your DPAs and notices need dual coverage.

Start here

Tell us what you're dealing with.

Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.

Prefer to talk? Book a free 30-min call

Email: abhishek.adv@yahoo.com

LinkedIn: linkedin.com/in/abhishekbansiwal

Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.

Replies within 24 hours. No mailing list, no follow-up sequence.