The ICO is issuing record fines. The EU AI Act is in force. AI is developing at an unprecedented pace. UK organisations are under greater scrutiny over how they collect, use and govern data than at any point in the last decade. Cambitas designs privacy and AI governance frameworks built for operational reality — not for the sake of creating a document.
DATA PROTECTION, PRIVACY & AI GOVERNANCE
Accessible and Trustworthy Data Privacy Compliance and AI Governance.
Our principals have designed and overseen data governance in major global institutions. They have advised clients at every stage of their data protection journeys; for example, helping to develop data protection strategies, managing ICO investigations and data breach incidents, and designing workable frameworks to implement new technologies.
No obligation. Confidential from the first conversation.
Why Cambitas
We can Advise the Advisors.
Cambitas principals have first-hand experience of managing privacy risk from inside major global institutions. We understand the pressures that information security, compliance and legal teams face in a rapidly changing data-led environment. under genuine commercial pressure, not as outside observers.We understand that data protection does not exist in isolation. It intersects with a host of different areas, including FCA supervision, financial crime obligations, AI governance requirements and commercial data strategies . Our advice will always take those complexities into account.
When you instruct Cambitas, you work directly with our principals. No associates. No delegation. Just commercially minded advice from professionals who have experienced your data issues.
FREE DOWNLOAD
UK GDPR & AI Governance Guide 2026
What UK GDPR requires, how the ICO enforces it, what AI governance obligations UK organisations carry and how to build a framework that covers both. Written for GCs, compliance officers and founders.
No obligation. No sales call unless you request one.
DATA PROTECTION & UK GDPR
The Foundation Every Organisation Needs
These four services form the core compliance framework that every UK organisation processing personal data must have in place — and that the ICO assesses first.
1. UK GDPR Compliance Implementation
UK GDPR documentation that was accurate at implementation is often significantly out of date by the time the ICO investigates.
What we see in practice
The accountability principle requires organisations to demonstrate compliance — not just assert it. Organisations with privacy policies from 2018 that have never been updated, records of processing activities that predate their current data infrastructure, and consent mechanisms built for an earlier product version are all examples of holding documentation that won’t survive ICO scrutiny. An ICO audit will check whether governance reflects what the organisation actually does today.
What we do
We implement UK GDPR compliance programmes as live operational frameworks — data flow mapping of current systems, lawful basis documentation for current processing, data subject rights processes that are easy to manage, records of processing that reflect current activities, and privacy notices that are accurate and sensible.
2. Data Governance & Data Lifecycle Management
Data governance fails when it exists in documents but not in operations — and the ICO has become very good at finding the difference.
What we see in practice
The three patterns the ICO most consistently finds in investigations: retention policies that are written but never enforced, data flows that were mapped once and never updated, and governance structures with no accountability.. These are not documentation problems. They are governance problems that documentation has been used to paper over.
What we do
We design data governance frameworks built around operational accountability — data flow mapping that reflects current systems, retention schedules that are capable of being enforced, lifecycle policies tailored to organisational needs , and governance structures with real ownership at every stage. Every element is designed to function, not to file.
3. International Data Transfers & Transfer Risk Assessments
Navigating international data transfers can be complex for businesses operating across borders, particularly in the wake of the UK's post-Brexit data protection framework.
What we see in practice
Cross-border transfers in vendor agreements and internal policies that aren’t properly documented, and confusion around the best transfer mechanism to use.
What we do
We can guide you through the legal mechanisms available for transferring personal data outside the UK, such as the UK's International Data Transfer Agreements (IDTAs), the UK Addendum to the EU Standard Contractual Clauses, and adequacy decisions recognised by the UK government. We can also conduct transfer impact assessments (TIAs) to evaluate the risks associated with sending data to specific jurisdictions, ensuring that the level of protection afforded to personal data remains consistent with UK GDPR standards.
4. Data Breach & Cyber Incident Response
The ICO assesses breach response on speed and quality. Most organisations discover the weaknesses in their response plan during an actual breach.
What we see in practice
The 72-hour notification window runs from awareness — not from confirmation of every fact. The ICO does not expect a complete account in the initial notification, but it expects prompt notification and credible updates. Delayed notifications, incomplete notifications and a response that appears to minimise the situation are each cited in ICO enforcement decisions as aggravating factors that increase penalties.
What we do
We advise on data breach response in real time — assessing seriousness preparing communications as required, , managing the ICO engagement and advising on commercial risk. We also design and test incident response plans before breaches occur so that there is no procedural panic when a breach does occur.
AI, PRIVACY-BY-DESIGN & PRODUCT OBLIGATIONS
Privacy Risk in T Business Models
5. AI & Automated Decision-Making Privacy Compliance
Article 22 of UK GDPR gives individuals specific rights over automated decisions. Most organisations deploying AI have not assessed whether those rights apply to their systems.
What we see in practice
Automated decision-making that produces legal or similarly significant effects on individuals — credit decisions, recruitment screening, fraud scoring, insurance pricing, customer segmentation — triggers Article 22 obligations. Organisations using these systems without assessing their Article 22 position are exposed to both ICO enforcement and direct legal claims from affected individuals. The ICO has made clear it considers failure to assess automated decision-making obligations a priority enforcement area.
What we do
We assess AI and automated decision-making systems against UK GDPR Article 22 obligations, advise on transparency requirements, design human oversight mechanisms where they are required, conduct DPIAs for high-risk AI processing and advise on the intersection with EU AI Act obligations for systems in scope of that framework.
6. Privacy-by-Design & Product Privacy Assessments
Privacy-by-design is a legal obligation under UK GDPR Article 25 — not a design philosophy. Products launched without a privacy assessment are in breach from day one.
What we see in practice
The ICO has been explicit: Article 25 applies to anyone who designs systems or products that process personal data. Products that collect more data than necessary, that default to maximum data sharing, that have never been reviewed against the data minimisation principle, or that use consent as a design afterthought are in breach of a specific, enforceable legal obligation. These are the products most likely to attract ICO attention when a complaint or breach occurs.
What we do
We conduct product privacy assessments across the development lifecycle — reviewing data collection against minimisation, assessing default settings against the privacy-by-default requirement, identifying mandatory DPIAs and advising product teams on embedding compliance into development sprints from the start rather than retrofitting it after launch.
7. Data Protection Impact Assessments (DPIAs)
Failing to conduct a mandatory DPIA is itself an infringement of UK GDPR — separate from any other compliance issue the processing might raise.
What we see in practice
The ICO's list of processing activities that always require a DPIA includes large-scale processing of sensitive data, systematic monitoring, profiling with significant effects, use of new technologies and biometric processing. AI tools that process personal data, employee monitoring systems, behavioural analytics and customer profiling platforms typically require DPIAs. Most organisations have at least one processing activity that requires a DPIA and has never had one conducted.
What we do
We conduct DPIAs for high-risk processing activities — identifying risks, assessing mitigation measures and documenting the process in a format that satisfies ICO expectations. Where prior ICO consultation is required, we manage that engagement. We also design DPIA procedures so organisations can conduct future DPIAs correctly without external support for every new processing activity.
8. AI Governance Frameworks
The UK's approach to AI regulation is principles-based.
What we see in practice
Organisations using AI without any governance structure or accountability. The tools are developing at an unprecedented speed; AI governance structures need to be agile and workable.
What we do
We not only design robust AI governance frameworks for organisations but also advise on the intersection of AI governance with data protection law, ensuring that automated decision-making processes comply with GDPR requirements around transparency and individual rights. Beyond documentation and initial design, we can provide ongoing support as the regulatory landscape evolves — monitoring domestic and international developments, assessing the implications of emerging guidance, and helping you adapt your frameworks accordingly. The result is a governance structure that not only manages legal and reputational risk, but also instils stakeholder confidence in the responsible and ethical deployment of AI across the organisation.
SPECIALIST ADVISORY SERVICES
Areas of Expertise
Each service below addresses a specific compliance obligation.
9. Data Sharing & Commercialisation
Commercial data sharing requires a lawful basis, appropriate contractual protections and, in some cases, a DPIA. Organisations treating data sharing as a business development matter rather than a privacy compliance matter risk creating legal exposure that surfaces at the worst possible time — during a transaction, a regulatory investigation or a partnership due diligence.
10. Marketing & Communications Data Compliance
Marketing is one of the ICO's most active enforcement areas. Consent mechanisms that do not meet PECR and UK GDPR standards, email lists without adequate consent records, cookie banners that default to acceptance and adtech arrangements without a valid lawful basis are among the most common enforcement triggers. We translate complex regulatory requirements into workable marketing operations.
11. ICO Regulatory Investigations & Engagement
The quality of the first response to an ICO investigation shapes the entire engagement. Organisations that respond promptly, accurately and in a way that demonstrates genuine accountability consistently achieve better outcomes. We advise on ICO investigation responses, prepare submissions and manage the regulatory dialogue throughout.
12. Employee Data & Workplace Monitoring
CCTV, email monitoring, productivity tracking, biometric access and device monitoring all require a lawful basis, a documented legitimate interests assessment where applicable and transparency to employees. The ICO's enforcement focus on workplace monitoring has increased significantly since the expansion of remote working. We advise on UK GDPR requirements for all forms of employee data processing.
13. Third-Party Processor Compliance
Article 28 requires data processing agreements with every processor acting on the organisation's behalf — with specific mandatory terms. Controllers are responsible for processor compliance. Many organisations have supplier relationships predating GDPR without compliant DPAs, and no audit process for processor compliance. We design third-party data governance frameworks and review all existing processor agreements.
14. Privacy Training & Governance Programmes
The ICO's accountability standard requires relevant staff to understand their data protection obligations. Training delivered once at induction does not satisfy this requirement. Effective privacy training is role-specific, regularly updated and documented. We design training programmes for specific roles — from board-level governance awareness through to operational training for staff handling personal data in high-risk contexts.
15. Outsourced Data Protection Officer (DPO)
We can advise on whether your organisation is required to, or should, appoint a DPO. The DPO must be independent, expert and accessible to the ICO. Cambitas provides an outsourced DPO service fulfilling all statutory requirements — regulatory monitoring, query advisory, DPIA oversight, ICO liaison and board-level reporting on data protection risk. This provides a high quality, low cost alternative to employing a DPO.
A Data Protection or AI Governance Question on Your Desk?
Bring it directly to us. No obligation.
HOW A PRIVACY & AI COMPLIANCE REVIEW WORKS
What Cambitas Covers in a Privacy and AI Governance Review
A data privacy audit is always a good idea – and it’s better to know the answers before an ICO investigation, or a corporate transaction – this is how we like to approach:
Data Flow Mapping
Every category of personal data is mapped — where it comes from, how it is used, where it goes, on what legal basis and into what AI or automated systems.
The highest-risk flows — to third-party processors, AI tools, international destinations and automated decision systems — are the ones most often missing from existing maps.
Step 01
Lawful Basis & Purpose Review
The lawful basis for each processing activity is assessed against current UK GDPR requirements and the specific nature of the processing.
Organisations that defaulted to consent as their primary lawful basis often face the highest remediation cost when the ICO finds consent mechanisms are inadequate.
Step 02
AI System Assessment
Every AI tool in use is catalogued, the personal data it processes is identified, and its obligations under UK GDPR Article 22 and applicable AI governance frameworks are assessed.
Most organisations find at least one AI tool in production use that requires a DPIA and has never had one. This is the fastest-growing area of ICO enforcement attention.
Step 03
Accountability Documentation Review
Records of processing activities, privacy notices, DPIAs, data subject rights procedures, data classification and retention policies are reviewed against current UK GDPR requirements.
Documentation that was accurate at implementation is often significantly out of date. The accountability principle requires it to reflect current processing.
Step 04
Third-Party & Transfer Assessment
Data processor relationships, processor agreements and international data transfer instruments are assessed against current UK requirements.
Third-party risk is consistently the largest compliance gap in organisations that have not recently reviewed this area — particularly post-Brexit transfer instruments.
Step 05
Gap Analysis & Prioritised Action Plan
A gap analysis is produced identifying areas of non-compliance, with a prioritised action plan ordered by ICO enforcement risk, then operational risk, then best-practice improvement.
The action plan is specific — each item has an owner, a remediation approach and a timeline. It is a working document, not a report to file.
Step 06
WHEN A COMPLIANCE REVIEW ADDS MOST VALUE
Before an ICO investigation. Before a significant product launch. Before a data breach forces a reactive response. Before a transaction where a buyer will conduct data protection due diligence. All four of these events will surface the same compliance gaps. The difference is who finds them first.
GO DEEPER
Explore Our Advisory Guides
Each page below provides detailed practical guidance — what the law requires, what the ICO looks for and what good practice looks like.
UK GDPR Compliance
Lawful basis, data subject rights, accountability documentation, the ICO's enforcement framework and what a compliant UK GDPR programme looks like in practice.
AI Governance UK
UK GDPR Article 22, FCA AI governance expectations, EU AI Act scope for UK organisations and how to build a framework that addresses all three simultaneously.
Data Breach Response
The 72-hour notification window, how notifiability is assessed, what the ICO expects in a breach response and how to be ready before a breach occurs.
UK & EU FRAMEWORKS
UK GDPR, EU GDPR and the AI Act: What Differs
UK organisations with EU operations, EU customers or AI systems in scope of the EU AI Act must address both the UK and EU frameworks — as separate, coordinated compliance programmes.
| Area | UK GDPR | EU GDPR & AI Act |
|---|---|---|
| Legal basis | UK GDPR — retained EU law post-Brexit. Enforced by the ICO. Currently equivalent to EU GDPR but diverging over time as the UK develops its own reforms. | EU GDPR — enforced by national DPAs in each member state. Lead supervisory authority handles cross-border processing. EU AI Act adds additional obligations for AI processing. |
| Transfer mechanisms | International Data Transfer Agreements (IDTAs) and the UK Addendum to EU SCCs for UK-origin transfers. EU SCCs alone do not satisfy UK transfer requirements. | EU Standard Contractual Clauses. Binding Corporate Rules. Adequacy decisions. EU SCCs cannot be used without the UK Addendum for UK-origin data. |
| Maximum fines | Up to £17.5m or 4% of global annual turnover for serious infringements. Lower tier: up to £8.7m or 2%. The ICO's enforcement activity has increased significantly since 2022. | Up to €20m or 4% of global annual turnover. Lower tier: €10m or 2%. EU DPAs have issued significantly larger fines than the ICO to date — including multi-hundred-million euro fines. |
| AI obligations | UK GDPR Article 22 applies to automated decisions with legal or significant effects. UK has not adopted EU AI Act. FCA AI governance expectations apply to UK financial services firms. | EU GDPR Article 22 applies as under UK GDPR. EU AI Act additionally applies — risk classification, conformity assessments for high-risk AI, transparency requirements and human oversight obligations. |
| DPO requirement | Mandatory for public authorities, large-scale systematic monitoring and large-scale special category data processing. Outsourced DPO permitted. | Same threshold as UK GDPR. For cross-border EU processing, the DPO must be accessible to the lead supervisory authority. Outsourced DPO permitted. |
| UAE note | UK GDPR applies to UAE-based organisations offering services to UK individuals or monitoring UK individuals' behaviour — regardless of where the organisation is based. ICO can investigate and fine non-UK entities. | EU GDPR applies similarly to organisations outside the EU offering services to EU individuals. DIFC and ADGM have their own data protection frameworks for UAE operations. |
EU Standard of it.
WARNING SIGNS
Three Signs Your Privacy or AI Governance Needs Attention
These are the three patterns most consistently found in UK organisations that subsequently face ICO investigation or regulatory scrutiny.
Outdated Data
Map
Records of processing activities have not been updated in over 12 months, despite new AI tools, SaaS products or third-party suppliers being added.
Unassessed AI Deployment
AI tools are in production use processing personal data and influencing decisions — without a DPIA, an Article 22 assessment or an AI governance review.
Unchecked
Processors
SaaS tools, cloud providers and analytics platforms are in use without Article 28-compliant data processing agreements.
RECOGNISE ANY OF THESE?
All three are straightforward to address with the right advisory support before the ICO investigates. They become significantly more expensive after.
WHO WE WORK WITH
The Organisations We Advise
Cambitas works primarily with UK organisations across financial services, technology and professional services — and with international businesses that have UK data obligations.
| Financial Services & Fintech Firms |
|---|
| FCA-regulated businesses where UK GDPR intersects with FCA conduct obligations, financial crime requirements and AI governance expectations. We design frameworks that satisfy both the ICO and the FCA simultaneously. |
| Technology & AI Companies |
|---|
| UK technology businesses and AI developers where complex data flows, large-scale processing and automated decision-making create specific UK GDPR obligations — including DPIAs and Article 22 assessments. |
| Health, Legal & Professional Services |
|---|
| Organisations processing special category data — health information, legal professional privilege, financial vulnerability data — where ICO enforcement attention is concentrated and governance requirements are most demanding. |
| Marketing & E-Commerce Businesses |
|---|
| Businesses relying on marketing data, behavioural profiling and cookie-based targeting — where PECR, UK GDPR consent requirements and ICO adtech enforcement create significant and often underestimated compliance risk. |
| Early-Stage Businesses |
|---|
| Startups and scale-ups building data-driven products. Embedding privacy compliance into product architecture from the start costs a fraction of what remediation costs after the ICO investigates. |
| International Businesses with UK Operations |
|---|
| International organisations with UK customers or UK-facing digital products — where UK GDPR applies regardless of where the organisation is based. The ICO can assert jurisdiction and issue enforcement actions and fines against non-UK entities. |
SITUATIONS WE WORK THROUGH
Questions we are Asked Every Week
Direct answers to data protection and AI governance questions UK organisations bring to us most often.
"We have a data breach — what do we do in the next 72 hours?"
Start the ICO notification process. The 72-hour clock runs from awareness — not from confirmation of every fact. The ICO expects prompt initial notification and credible updates as the investigation progresses. The immediate actions are: scope the breach, assess notifiability under UK GDPR, submit an initial notification if the threshold is met, and prepare communications to affected individuals if required. Delayed and incomplete notifications are cited in every major ICO enforcement decision as aggravating factors.
"We use AI tools across the business — are there privacy obligations we are missing?"
Almost certainly. Any AI tool that processes personal data and makes or significantly influences decisions about individuals — recruitment, credit, fraud, pricing, customer segmentation — is likely to require a DPIA and may trigger UK GDPR Article 22 obligations. An AI system inventory is the starting point: cataloguing every AI tool, what data it processes and what decisions it influences. Most UK organisations find multiple unaddressed compliance obligations at this stage.
"The ICO has contacted us following a subject access complaint"
The ICO's complaint investigation requests specific information about the processing described in the complaint. The organisation responds within the period specified. The ICO assesses the response against UK GDPR requirements and issues an outcome. The quality and accuracy of the first response shapes the ICO's view of the organisation's broader compliance culture. Organisations that respond incompletely or appear to minimise the complaint receive more detailed scrutiny.
"Our marketing team is using customer data in ways we are not sure are compliant"
The specific risk depends on what the marketing team is doing. Email marketing without adequate PECR consent, behavioural profiling without a valid lawful basis, cookie banners that do not meet UK GDPR consent standards and adtech arrangements without documented legal basis are the most common triggers. A marketing data compliance review identifies the specific gaps and produces a prioritised remediation plan.
"We are a UK business — does the EU AI Act apply to us?"
The EU AI Act applies to providers and deployers of AI systems placed on the EU market or affecting EU users — regardless of where the organisation is based. UK businesses with EU customers, EU-facing AI products or EU operations are in scope. The UK has not adopted the EU AI Act and is developing its own principles-based approach to AI regulation. UK financial services firms additionally face FCA AI governance expectations under the FCA's existing supervisory framework.
"We are a UAE-based business with UK customers — does UK GDPR apply to us?"
Yes. UK GDPR applies to any organisation that processes personal data about UK individuals in the context of offering goods or services to them or monitoring their behaviour — regardless of where the organisation is based. UAE businesses with UK-facing websites, UK marketing activity or UK customer bases must comply with UK GDPR. This includes appointing a UK representative under Article 27 and responding to data subject rights requests from UK individuals within one month.
Ready to Talk?
No obligation. No sales pitch. Just a direct conversation.
FREQUENTLY ASKED QUESTIONS
Direct Answers to the Questions We Hear Most
Focused on UK data protection and AI governance obligations. Answered directly and completely.
Q1. What is the difference between a data protection lawyer and a data protection advisor?
A data protection advisor provides compliance implementation support — policy drafting, DPIA facilitation, training and process design. A data protection lawyer provides legal analysis of how UK GDPR applies to specific processing activities, advises on enforcement risk and represents organisations in ICO investigations. Cambitas provides both in a single engagement — legal analysis alongside practical implementation, delivered by principals with in-house experience.
Q2. When is a DPIA legally required under UK GDPR?
A DPIA is required before processing that is likely to result in high risk to individuals. The ICO’s list of processing types that always require a DPIA includes large-scale processing of sensitive data, systematic monitoring, profiling with significant effects, use of new technologies and biometric processing. AI systems that process personal data, employee monitoring tools, large-scale customer profiling and behavioural analytics platforms typically require DPIAs. Failing to conduct a mandatory DPIA is itself an independent infringement of UK GDPR.
Q3. Does UK GDPR apply after Brexit?
Yes. The UK retained the EU GDPR framework as UK domestic law, creating UK GDPR. It is enforced by the ICO and is currently substantively similar to EU GDPR — though the two frameworks are diverging as the UK develops its own reforms, including the Data (Use and Access) Act 2025 . UK organisations with EU operations must comply with both UK GDPR and EU GDPR as separate legal frameworks.
Q4. What are the ICO's enforcement powers under UK GDPR?
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious UK GDPR violations — whichever is higher. It can issue enforcement notices requiring organisations to stop processing activities, assessment notices requiring access to premises and information, and reprimands for less serious violations. The ICO’s enforcement activity has increased significantly since 2022, with a particular focus on security failures, inadequate consent and data breach response quality.
Q5. What does UK GDPR require for automated decisions and how is AI use impacted?
Article 22 of UK GDPR gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. Organisations using AI for credit decisions, recruitment screening, fraud scoring, insurance pricing or similar applications must assess their Article 22 obligations, provide transparency to individuals about automated processing, and implement human oversight mechanisms where required. A DPIA is also required for high-risk automated processing.
Q6. Does UK GDPR apply to international businesses?
Yes, where an international organisation processes personal data about UK individuals in the context of offering goods or services to them or monitoring their behaviour. International businesses with UK customers, UK-facing websites or UK marketing campaigns are subject to UK GDPR obligations — including the requirement to appoint a UK representative under Article 27 and to respond to data subject rights requests from UK individuals. The ICO investigates and fines non-UK entities.
FREE DOWNLOAD
UK GDPR & AI Governance Guide 2026
Still assessing your compliance position? Download our free guide first.
No obligation. No sales call unless you request one
Privacy and AI governance problems are cheaper to fix before the ICO investigates.
Every UK ICO enforcement case in the last three years could have been resolved at a fraction of the cost with the right advisory support before the investigation began.
Cambitas designs and implements data protection, privacy and AI governance frameworks for UK organisations — all 15 service areas above, delivered by principals with decades of in-house experience.
or
Confidential from the first conversation.
Cambitas
- +62 812 3456 7890
- 123 Corporate Avenue, Jakarta, Indonesia
- contact@lawfirm.com