Your data practices are under scrutiny.
Know where you actually stand.

A Data Protection Impact Assessment (DPIA) is a formal process required under GDPR Article 35 to identify and minimise privacy risks before beginning a high-risk data processing activity. It assesses the necessity and proportionality of the processing, the risks to individuals' rights and freedoms, and the measures in place to mitigate those risks. A DPIA must be completed before processing begins. It cannot be conducted retrospectively to legitimise processing that has already started. The ICO must be consulted (Article 36) if residual risks cannot be reduced to an acceptable level. DPIA is mandatory for: large-scale profiling with legal effects, large-scale processing of special category data (health, biometric, criminal records), systematic monitoring of publicly accessible areas, processing children's data at scale, innovative use of technology (AI, ML, new biometric applications), data matching or combining datasets from different sources, processing that prevents access to services or contracts, use of personal data for profiling, behavioural prediction, or targeted advertising at scale, and large-scale processing of location data.

The data controller, the organisation deciding how and why personal data is processed, is legally responsible for completing or commissioning a DPIA under GDPR Article 35. In practice, this responsibility falls to the Data Protection Officer (DPO) where one is appointed, or to the senior individual with accountability for the processing activity where no DPO exists. The DPO must be consulted on the DPIA and their advice documented, even if it is not followed. For complex processing involving new technology, AI systems, or large-scale special category data, organisations without in-house DPIA expertise typically commission an independent DPIA from a specialist consultancy to ensure completeness and defensibility.

GDPR compliance services at Precursor Security are fixed-price, scoped before engagement begins. Typical pricing: - GDPR gap analysis and readiness assessment (SME 50-200 staff): £5,000-£8,000 - Data Protection Impact Assessment (single high-risk processing activity): £3,000-£6,000 - DPIA for AI/ML or large-scale profiling systems: £5,000-£9,000 - Full GDPR implementation programme (gap analysis, data mapping, policy development, SAR procedures, staff training): £12,000-£20,000 - Large organisations with complex data processing, special category data, or multiple jurisdictions: £20,000-£40,000+ - DPO-as-a-Service retainer: from £1,500/month We provide fixed-price quotes after a no-obligation scoping call. Most scoping calls take 30 minutes.

Yes. The UK implemented the UK GDPR (identical to EU GDPR) through the Data Protection Act 2018. UK businesses processing personal data of UK residents must comply with UK GDPR enforced by the ICO. If you process data of EU residents, you must also comply with EU GDPR and may need an EU representative under Article 27. Penalties remain identical: up to £17.5 million or 4% of global annual turnover for serious breaches.

The ICO identifies nine criteria for high-risk processing. If your processing meets two or more, a DPIA is required before processing begins: 1. Systematic and extensive automated profiling with significant effects 2. Large-scale processing of special category data (health, biometric, criminal records, political opinions, racial or ethnic origin) 3. Large-scale systematic monitoring of public areas 4. Processing children's data at scale 5. Innovative use of technology (AI, ML, new biometric applications) 6. Data matching or combining datasets from different sources 7. Processing that prevents access to services or contracts 8. Use of personal data for profiling, behavioural prediction, or targeted advertising at scale 9. Large-scale processing of location data DPIA is mandatory under Article 35 for processing likely to result in high risk to data subject rights and freedoms. If you are deploying a new AI-powered tool, cloud HR platform, or any system meeting multiple criteria, a DPIA is not optional.

You must notify the ICO within 72 hours of becoming aware of a personal data breach (Article 33), unless the breach is unlikely to risk individuals' rights and freedoms. 'Becoming aware' does not require certainty about the full scope of a breach. A cloud provider notification, evidence of unauthorised access, or a lost unencrypted device starts the 72-hour clock. Delayed awareness investigations must be documented and justifiable. For high-risk breaches (unencrypted health data exposed, large-scale identity theft), you must also notify affected data subjects without undue delay. The ICO distinguishes between organisations that detected and reported promptly and those that delayed. Enforcement history reflects this consistently.

You must respond to SARs within 30 days (one month) of receiving the request, extendable by two additional months for complex or numerous requests. You must inform the individual within the first month if an extension applies. The 30-day period begins when you receive the request, not when you have verified identity. Start identity verification immediately. You must provide: copies of personal data, processing purposes, data categories, recipients, retention periods, and information about data subject rights including rectification and erasure. Missing the deadline, even for operationally understandable reasons, creates a formal complaint record with the ICO.

GDPR violations carry two-tier penalties. Tier 1 (up to £8.5M or 2% of global turnover): violations of processor obligations, lack of security measures, or failure to notify breaches. Tier 2 (up to £17.5M or 4% of global turnover): violations of core principles (lawfulness, fairness, transparency), legal basis requirements, data subject rights, or international transfer rules. The ICO considers severity, duration, whether the violation was negligent or intentional, and mitigation efforts when calculating penalties. ICO enforcement actions are public, creating reputational damage beyond the financial penalty. The ICO issued £16.4M in penalties in the 2024-25 financial year.

Cookie consent is governed by the Privacy and Electronic Communications Regulations (PECR), not GDPR directly. Requirements include: clear information about cookie purposes before placement, affirmative consent (opt-in, not pre-ticked boxes), granular consent for different cookie categories (strictly necessary vs. analytics vs. marketing), and easy withdrawal mechanism. Strictly necessary cookies (session cookies, load balancing) do not require consent. Analytics and marketing cookies require explicit consent before placement. Cookie consent must also meet UK GDPR consent standards: freely given, specific, informed, and unambiguous.

International data transfers outside the UK and EEA require adequate safeguards. Options include: transfers to countries with adequacy decisions, Standard Contractual Clauses (SCCs) as legally binding contracts between data exporters and importers, Binding Corporate Rules (BCR) for multinational groups, certification schemes, or explicit data subject consent. Post-Schrems II, transfers to the US require additional safeguards beyond SCCs, including Transfer Impact Assessments (TIA) evaluating US surveillance law risks. We implement appropriate transfer mechanisms for cloud providers, third-party processors, and international business operations.