TL;DR When you handle customer data in-house you sign up for: ICO registration, UK GDPR / Data Protection Act 2018 compliance, signed DPAs with every data vendor, DPIAs on new processing activities, a 72-hour breach notification procedure, cookie consent under PECR, international transfer agreements, audit logging, and a sub-processor register. Most agency owners don’t realise this until something breaks. With Chartica, your data lives inside our compliant infrastructure as a sub-processor — most of the technical and processing burden is already covered. You still own your lawful basis and your privacy notice. Book a 20-min call to walk through exactly where the line sits.
What “compliance” actually means when you process data
The UK data protection regime is not theoretical. The Information Commissioner’s Office issued more than £14.3 million in fines across 2023 — including a single £12.7m penalty against TikTok for processing children’s data without proper consent — and a separate £2.59m+ in nuisance-marketing fines under PECR since April 2023. More often than fines, the real cost is the hours your team spends responding to a subject access request you weren’t prepared for, or the awkward conversation when a client asks which third parties can see their customer data.
If your analytics stack touches personal data — and it almost certainly does — you are a data controller. That status comes with obligations, not just best practices.
The frameworks you’d own
UK GDPR and the Data Protection Act 2018
The UK retained GDPR post-Brexit and embedded it into the Data Protection Act 2018. In practice, the rules are near-identical to EU GDPR with a few UK-specific nuances. What this means for your analytics:
- You need a lawful basis for every type of processing (legitimate interests and consent are the most common, but they have different implications)
- Data minimisation: you can only collect what you actually need
- Purpose limitation: data collected for analytics can’t be repurposed for, say, outbound sales without a new legal basis
- Retention policies: you need to define how long data is kept and delete it on schedule
- Subject access requests (SARs): anyone whose data you hold can ask to see it. You have one calendar month to respond
- Right to erasure: if someone asks you to delete their data, you need a documented process to do it — including deleting it from your data warehouse
ICO registration
Every organisation that processes personal data must register with the Information Commissioner’s Office and pay the annual data protection fee. The current tiers are £52 (micro, ≤10 staff and turnover ≤£632k), £78 (small/medium, up to 249 staff or turnover ≤£36m), and £3,763 (large or financial-sector tier 3). Registered charities pay the £40 fee. Failure to pay isn’t a criminal matter, but the ICO can issue a civil monetary penalty of up to £4,350 for non-payment under the Data Protection (Charges and Information) Regulations 2018. Registration also sets your public record — if someone wants to understand what data you collect and why, the ICO register is where they look.
Data Processing Agreements
Every vendor whose tool touches personal data needs a signed Data Processing Agreement (DPA) before you use them. This list is longer than most people expect:
- Google Analytics 4 — Google’s DPA is baked into the Terms of Service, but you need to configure data retention settings, disable IP logging correctly, and confirm the appropriate data transfer mechanism (see international transfers below)
- Meta Pixel / CAPI — Meta’s Business Tools Terms serve as the DPA, but you must confirm you have the right consent in place before sending event data
- Shopify — covered if you’re using Shopify-hosted data, but if you’re pulling data into your own warehouse, that extraction becomes your processing activity
- Your warehouse provider (BigQuery, Snowflake, Redshift) — all have DPAs available; you need to sign them, not just accept default terms
- Your BI tool (Looker Studio, Tableau, Power BI) — each is a processor; each needs a DPA
If you don’t have signed DPAs with all of the above, you are technically in breach from day one of using those tools.
DPIAs — Data Protection Impact Assessments
A DPIA is required under UK GDPR Article 35 any time you begin a “high-risk” processing activity. The ICO considers analytics involving large volumes of personal data, behavioural tracking, or profiling to be high-risk. In plain terms: most analytics setups need at least one DPIA.
A DPIA is a structured risk assessment. It documents what data flows where, what the risks to data subjects are, and what mitigations you’ve put in place. It’s not a one-time exercise — if you add a new data source or change how you use the data, you may need to run one again.
PECR and cookie compliance
The Privacy and Electronic Communications Regulations (PECR) sit alongside GDPR but are entirely separate legislation. They govern cookies and electronic marketing. Key points:
- Analytics cookies (including GA4 in its default configuration) require prior, informed consent unless they are strictly necessary
- Consent must be freely given, specific, and as easy to withdraw as to give — this rules out pre-ticked boxes and dark patterns
- You need to keep records of consent: when each user consented, what they consented to, and from which version of your cookie policy
- The ICO has been significantly more active on cookie enforcement since 2023, issuing reprimands and fines to publishers and retailers
A cookie banner is not the same as cookie compliance. The banner is visible; the consent records, the correct categorisation of cookies, and the “reject all” option that actually works are the parts that get examined in an audit.
Breach notification — the 72-hour rule
Under UK GDPR Article 33, if you experience a personal data breach that poses a risk to individuals, you must notify the ICO within 72 hours of becoming aware of it. That clock starts when anyone in your organisation knows about the breach — not when you’ve finished investigating it.
This means you need:
- An incident response runbook: a documented process for what to do when something goes wrong
- The ability to identify a breach in the first place (audit logs, access monitoring)
- A designated person who knows their obligations and can make the notification
- Criteria for deciding whether a breach is “likely to result in a risk to individuals” — this is a judgment call that needs to be made quickly and documented
Most small teams find out they don’t have this when they need it.
International data transfers
If data leaves the UK — including being processed by servers physically located outside the UK — you need an approved transfer mechanism. The most common are:
- International Data Transfer Agreements (IDTAs): the UK’s post-Brexit equivalent of EU Standard Contractual Clauses
- UK addendum to EU SCCs: used when transferring to or from EU entities under the existing EU SCC framework
Nearly every US-headquartered analytics tool (Google, Meta, Salesforce, HubSpot, Segment) processes data on servers in the United States at some point. Most have IDTAs or UK addenda available, but you need to confirm they’re in place — they aren’t automatic.
Audit logging and access controls
GDPR Article 30 requires a Record of Processing Activities (RoPA) — a documented register of every type of data processing you carry out. Article 32 requires technical and organisational measures to ensure security, which includes controlling who can access personal data and keeping a log of that access.
In practice this means: role-based access on your data warehouse, access logs you can actually query, and a process for revoking access when someone leaves.
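One way to make warehouse access logs "actually queryable" on BigQuery, as an added example rather than Chartica's own tooling: the job-history view answers "who read which table, when" without any extra logging pipeline. It assumes the personal-data tables live in the EU multi-region (use `region-europe-west2` for London-resident datasets) and uses a placeholder dataset name.

```sql
-- Added example (not Chartica's code): per-user, per-table read activity
-- over the last 7 days, from BigQuery's built-in job history.
-- Assumptions: data is in the EU multi-region (`region-eu`); the dataset
-- holding personal data is called `customer_pii` (placeholder name).
SELECT
  j.user_email,                                             -- who
  CONCAT(t.project_id, '.', t.dataset_id, '.', t.table_id)
    AS table_ref,                                           -- what
  j.statement_type,                                         -- SELECT, INSERT, ...
  COUNT(*)                    AS queries,
  MIN(j.creation_time)        AS first_seen,                -- when (earliest)
  MAX(j.creation_time)        AS last_seen,                 -- when (latest)
  SUM(j.total_bytes_processed) AS bytes_processed           -- rough volume signal
FROM `region-eu`.INFORMATION_SCHEMA.JOBS_BY_PROJECT AS j,
  -- one job may touch several tables; expand them so each row is user x table
  UNNEST(j.referenced_tables) AS t
WHERE j.creation_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
  AND j.job_type = 'QUERY'
  AND j.state = 'DONE'
  AND j.error_result IS NULL          -- ignore jobs that never read anything
  AND t.dataset_id = 'customer_pii'   -- placeholder: the dataset under review
GROUP BY j.user_email, table_ref, j.statement_type
ORDER BY last_seen DESC;
```

The job-history views only retain 180 days, so copy the output into a dedicated audit table on a schedule if your retention policy needs longer; reads that bypass query jobs (table exports, Storage Read API) appear in Cloud Audit Logs' Data Access logs instead, which are off by default for BigQuery's competitors but on for BigQuery.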
Sub-processor management
If you are a data processor for your clients (for example, you’re an agency handling their customer data), you need to keep a register of every sub-processor you use and notify your clients when that list changes. This is often missed — agencies routinely add new tools to their stack without realising they’ve changed their sub-processor list and triggered a notification obligation.
The 4-week reality of getting in-house compliance live
This is the honest workload — not a scare story, just a realistic picture of what it takes to start processing data correctly.
The hidden management cost of compliance
Setup is a one-time cost. What most teams underestimate is the ongoing work. Compliance is not a project with a completion date.
This doesn’t include the time required to respond to an actual incident — a breach or an audit request. Those are unplanned and expensive.
What Chartica handles by default
Chartica operates as a data sub-processor on your behalf. That means your data is processed inside our infrastructure, and we carry the technical compliance obligations for that layer. Here is an honest split of what that looks like in practice.
What stays with you
- lawful basis for processing your end-customers' data
- customer-facing privacy notice and cookie policy
- consent records for marketing and analytics cookies (PECR)
- your ICO registration as a data controller
- responding to SARs and erasure requests from your end-users
- data classification decisions — what counts as personal data in your context
- your own employee and contractor data obligations
What Chartica handles
- UK-based infrastructure — data processed in GCP EU/UK regions by default
- ICO-registered as a data processor since 2022
- signed DPAs with all our sub-processors (GCP, Fivetran, Looker Studio)
- audit logs in BigQuery — who queried what data and when
- documented breach response procedure and internal runbook
- SCCs / IDTAs in place for any US-side processing (e.g. Fivetran infrastructure)
- sub-processor register maintained and available on request
- data deletion on contract end — extraction, export, deletion within 30 days
- role-based access controls on all client environments
- we sign a DPA with you as standard — every engagement
You still own this
Compliance cannot be fully outsourced. The data controller relationship — the legal connection between you and the people whose data you collect — stays with you. That means your privacy notice, your cookie consent setup, your lawful basis decisions, and your direct obligations to your end-users are yours to manage.
What Chartica covers is the processing layer: the infrastructure, the pipelines, the warehouse, the dashboards, and the technical controls around all of that. We make the processing secure, documented, and within compliant infrastructure. You make the decisions about why you’re collecting the data and what you tell your customers about it.
That is an honest picture. Some providers imply they make compliance disappear. They don’t. But with the right sub-processor, the workload reduces significantly.
Frequently asked questions
Are you ICO-registered?
Yes. Chartica has been registered with the ICO as a data processor since 2022. Our registration number is available on request.
Where does our data live?
By default, all data is processed and stored in Google Cloud Platform’s UK or EU regions. No data is transferred to the United States unless you connect a US-based data source — in which case we document the transfer mechanism and ensure an IDTA or UK SCC addendum is in place.
Can you sign a DPA with us?
Yes, and we do this as standard on every engagement. We provide a DPA before work begins, outlining Chartica’s role as sub-processor, the technical and organisational measures in place, and the terms for data deletion. If your legal team has a preferred template, we’ll work from that.
What happens to our data if we cancel?
We provide a full export of your data in your preferred format, then delete all copies from our systems within 30 days of contract end. You receive written confirmation once deletion is complete. Your BigQuery environment stays yours — we do not retain any copy.
Do you have ISO 27001 or SOC 2 certification?
Not yet — and we won’t claim otherwise. The underlying Google Cloud Platform infrastructure is SOC 2 Type II and ISO 27001 certified, which covers the physical and cloud infrastructure layer. Chartica itself follows GCP-equivalent security controls, and we are currently documenting our internal controls against the ISO 27001 and SOC 2 frameworks with the intention of formal certification. If independent certification is a hard requirement for your procurement process, we’d rather tell you that upfront than after you’ve signed.
What happens if there’s a breach?
We have a documented incident response runbook. If a breach affecting your data is identified — whether through our monitoring or reported externally — we assess severity within 24 hours and notify you immediately. We make a joint decision on whether the threshold for ICO notification is met (it does not always require notification). You retain the controller decision on whether to notify your end-users. We provide written documentation of the incident timeline and our response to support your own regulatory obligations.
Making a considered decision
A CFO or COO handing customer data to any third party should ask three questions: where does the data go, what controls are in place, and what happens when something goes wrong. Those aren’t awkward questions — they’re the right ones.
We’ve tried to answer them honestly here. Chartica covers the processing and infrastructure compliance layer. We sign DPAs, maintain audit logs, keep a sub-processor register, and operate on UK/EU infrastructure. You retain your data controller obligations — lawful basis, privacy notices, consent records — because those are yours to own, regardless of who processes the data.
If you want to go through this in detail before committing — which we’d recommend — book a 20-min call. We’ll walk through what we cover, what stays with you, and whether our setup meets your specific compliance requirements.
References
This guide cites several specific UK data protection rules, fines, and frameworks. The primary sources are:
Legislation and regulator guidance
- UK GDPR Article 30 — Records of processing activities (legislation.gov.uk)
- UK GDPR Article 33 — 72-hour breach notification (full text)
- UK GDPR Article 35 — Data Protection Impact Assessments (legislation.gov.uk)
- Article 35 — When do we need to do a DPIA? (ICO)
- Article 37 — Data Protection Officer designation criteria (full text)
- Personal data breaches — a guide (ICO)
- Time limits for responding to subject access requests (ICO — confirms one calendar month, with up to two-month extension for complex requests)
Registration, fees, and penalties
- Guide to the data protection fee (ICO — current tiers: £52, £78, £3,763)
- Pay the data protection fee (gov.uk)
- Data Protection (Charges and Information) Regulations 2018 (the statutory instrument creating the fee regime)
- Data protection fee regime — proposed changes (gov.uk consultation, 2024)
International transfers (IDTA / UK Addendum)
- What are standard data protection clauses (the UK IDTA and the Addendum)? (ICO)
- International Data Transfer Addendum (ICO PDF — IDTA in force from 21 March 2022)
- New UK Standard Contractual Clauses for Personal Data Transfers (Bird & Bird summary)
Cookies, PECR, and ICO enforcement
- Guidance on the use of storage and access technologies (ICO)
- Cookies and similar technologies (ICO PECR guide)
- Action taken against Sky Betting and Gaming for using cookies without consent (ICO, September 2024 reprimand)
- ICO 2023 fines analysis (£14.3m total, £12.7m TikTok) (ITPro)
- Analysis of fines imposed by the ICO in 2023 (URM Consulting)
- ICO direct marketing fines round-up 2024 (Lewis Silkin)
- ICO Annual Report 2023–24 (ICO PDF)
Google Cloud Platform certifications
- SOC 2 — Compliance (Google Cloud — confirms BigQuery is covered in the semi-annual SOC 2 report)
- ISO/IEC 27001 — Compliance (Google Cloud — GCP, Workspace, and Apigee certified to ISO/IEC 27001:2022)
A note on accuracy: data protection law evolves. The figures and tiers above were current at time of writing (May 2026). Any dates, fees, or fine totals referenced here should be verified against the ICO’s current published guidance before being cited externally — the ICO updates its fee regime, enforcement powers, and guidance regularly. The Data Use and Access Act 2025, for instance, raised the maximum PECR penalty from £500,000 to £17.5m or 4% of global annual turnover, bringing PECR penalties into line with UK GDPR.