--- title: "UK GDPR Adequacy Guide" canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/adequacy" source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/adequacy" author: "Sorena AI" description: "UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "UK GDPR" - "Adequacy" - "UK GDPR Adequacy" - "compliance checklist" - "practical guidance" - "Compliance" - "Regulatory guidance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # UK GDPR Adequacy Guide UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations. *Artifact Guide* *UK* *Adequacy* ## UK GDPR Adequacy Adequacy decisions under the UK GDPR should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed. This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. Adequacy is the UK's decision that a country, territory, sector, or international organisation provides a high enough level of data protection for UK personal data to be sent there without using extra transfer safeguards. Use this page when you need to confirm whether a transfer can rely on adequacy, who should approve it, and what evidence should be kept. ## What is a UK GDPR adequacy decision, and why does it matter for international transfers? An adequacy decision is the UK's formal finding that the destination offers high standards of protection, so personal data can be transferred there freely in line with the decision. The Secretary of State grants UK adequacy, and the decision can cover a country, territory, sector, or international organisation. If adequacy applies, the transfer does not need alternative transfer mechanisms such as standard clauses or other safeguards, but the organisation still has to meet the rest of the UK GDPR, including lawful processing, security, and accountability. - Check whether the destination is covered by a current UK adequacy decision. - Confirm that the transfer is within the scope of that decision, including any country, sector, or partial coverage limits. - Keep a record of the decision relied on, the destination, and the date the adequacy status was checked. - Escalate if the decision may have been amended, revoked, or is not yet in force for the relevant transfer. Sources for this answer: - [UK data Adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for Adequacy assessments and international data transfer context. - [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Primary source support for the Adequacy decision. - [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Primary source support for the Adequacy decision. ## Who should own an adequacy decision, and what evidence should prove the decision? Ownership should sit with the team that understands the transfer route and can confirm whether adequacy is still available for the destination. In practice that often means legal, privacy, or compliance, with input from security and the business owner for the transfer. Evidence should show the destination, the adequacy decision relied on, any scope limits, the date checked, and the review date. If the transfer depends on a later review or a new decision, that dependency should be recorded too. - Name one accountable owner and one reviewer for the transfer decision. - Keep source screenshots or source links, decision notes, implementation tickets, and approval records together. - Use dated evidence for the destination, the scope of the decision, and any review or monitoring step. - Review the evidence after transfer changes, destination changes, or updates to the official adequacy decision list. Sources for this answer: - [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Evidence and ownership support for UK GDPR. - [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Evidence and ownership support for UK GDPR. - [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Evidence and ownership support for UK GDPR. ## What should teams check before relying on an adequacy decision? Before using adequacy, confirm that the destination still appears on the current list of adequate countries, jurisdictions, sectors, or organisations and that the transfer matches the scope of that decision. The UK government says adequacy should be monitored and kept under periodic review. If the destination is only partly covered, or if the decision has been amended, revoked, or is under review, the transfer may need a different transfer route. - Check whether the decision is country-wide, sector-specific, territory-specific, or limited in some other way. - Separate the adequacy decision from other transfer tools, such as standard contractual clauses, BCRs, codes of conduct, or derogations. - Do not rely on an older approval if the destination, scope, or review status has changed. - Track unresolved assumptions in an open-questions section and route legal interpretation points for review. Sources for this answer: - [UK data Adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for Adequacy assessments and international data transfer context. - [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Boundary and edge-case support for this artifact page. - [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Boundary and edge-case support for this artifact page. - [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Boundary and edge-case support for this artifact page. ## How should teams use adequacy in day-to-day transfer planning? Use adequacy as the first check in transfer planning: if the destination is covered, the transfer can usually proceed under that decision, subject to the rest of the UK GDPR. If it is not covered, the team should move to another lawful transfer mechanism. Keep the record simple: destination, decision relied on, scope check, owner, review date, and the source used to confirm adequacy. - Create a short intake question that identifies whether the transfer destination has an adequacy decision. - Map the answer to a required action, evidence field, owner, reviewer, and review date. - Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates. - Update the workflow when official source material changes or when internal evidence shows recurring exceptions. Sources for this answer: - [UK data Adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for Adequacy assessments and international data transfer context. - [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Operational implementation support for Adequacy. - [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Operational implementation support for Adequacy. *Recommended next step* *Placement: after the practical guidance* ## Turn UK GDPR Adequacy into assigned work This UK GDPR guide turns Adequacy into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution. - [Open Assessment Autopilot for UK GDPR](/solutions/assessment.md): Turn Adequacy into scoped questions, evidence fields, and review tasks. - [Review UK GDPR source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material. - [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena. ## Primary sources - [UK data Adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for Adequacy assessments and international data transfer context. - Quote: "guide to filling out the Manual Template" - [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - EDPB transfer guidance explains adequacy as one route for international transfers and distinguishes it from safeguards and derogations. - Quote: "- Read more Codes of conduct The GDPR introduces this new tool for data transfers" - [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Supports Adequacy under the UK GDPR. - Quote: "This is a section on the international data transfers 'toolkit' under the UK GDPR" - [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Supports Adequacy under the UK GDPR. - Quote: "Instead, a data bridge ensures that the level of protection for UK individuals' personal data under the UK GDPR" - [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/international-transfers/?ref=sorena.io) - Supports Adequacy under the UK GDPR. - Quote: "Guidance on the safeguards permitted under the UK GDPR, including the UK IDTA, Addendum and UK BCRs, and when" ## Related Topic Guides - [UK GDPR 72-hour Breach Reporting Guide](/artifacts/uk/general-data-protection-regulation/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR AI And Automated Decisions Guide](/artifacts/uk/general-data-protection-regulation/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Applicability Test Guide](/artifacts/uk/general-data-protection-regulation/applicability-test.md): Practical guidance for the UK GDPR applicability test, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Article 30 Records Guide](/artifacts/uk/general-data-protection-regulation/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Breach Notification Guide](/artifacts/uk/general-data-protection-regulation/breach-notification.md): UK GDPR guidance for Breach Notification, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Breach Workflow Guide](/artifacts/uk/general-data-protection-regulation/breach-workflow.md): UK GDPR guidance for Breach Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Children And Age Appropriate Design Guide](/artifacts/uk/general-data-protection-regulation/children-and-age-appropriate-design.md): UK GDPR guidance for Children And Age Appropriate Design, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Children's Code Guide](/artifacts/uk/general-data-protection-regulation/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance Checklist](/artifacts/uk/general-data-protection-regulation/checklist.md): Practical guidance for the UK GDPR checklist, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance FAQ](/artifacts/uk/general-data-protection-regulation/faq.md): Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance Guide](/artifacts/uk/general-data-protection-regulation/compliance.md): Practical guidance for the UK GDPR compliance, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Controller And Processor Status Guide](/artifacts/uk/general-data-protection-regulation/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Data Subject Rights Guide](/artifacts/uk/general-data-protection-regulation/data-subject-rights.md): UK GDPR guidance for Data Subject Rights, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Deadlines and Compliance Calendar Guide](/artifacts/uk/general-data-protection-regulation/deadlines-and-compliance-calendar.md): UK GDPR guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR DPIA Workflow Guide](/artifacts/uk/general-data-protection-regulation/dpia-workflow.md): UK GDPR guidance for DPIA Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR DPIAs And DPOs Guide](/artifacts/uk/general-data-protection-regulation/dpias-and-dpos.md): UK GDPR guidance for DPIAs And DPOs, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR DSAR Workflow Guide](/artifacts/uk/general-data-protection-regulation/dsar-workflow.md): UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR IDTA Addendum and Transfer Risk Assessment Guide](/artifacts/uk/general-data-protection-regulation/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR IDTA vs EU SCCs Guide](/artifacts/uk/general-data-protection-regulation/idta-vs-eu-sccs.md): UK GDPR guidance for IDTA vs EU SCCs, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Lawful Bases Guide](/artifacts/uk/general-data-protection-regulation/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR PECR Cookies Guide](/artifacts/uk/general-data-protection-regulation/pecr-cookies.md): UK GDPR and PECR cookie guidance with practical consent, exemption, evidence, and source-linked implementation decisions. - [UK GDPR penalties and fines Guide](/artifacts/uk/general-data-protection-regulation/penalties-and-fines.md): UK GDPR guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Requirements Guide](/artifacts/uk/general-data-protection-regulation/requirements.md): Practical guidance for the UK GDPR requirements, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Transfer Workflow Guide](/artifacts/uk/general-data-protection-regulation/transfer-workflow.md): UK GDPR guidance for Transfer Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Transfers, IDTA, and UK Addendum Guide](/artifacts/uk/general-data-protection-regulation/transfers-idta-and-uk-addendum.md): UK GDPR guidance for transfers, IDTA, and UK Addendum, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR UK vs EU Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-differences.md): UK GDPR guidance for UK vs EU Differences, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR UK vs EU GDPR Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-gdpr-differences.md): UK GDPR guidance for UK vs EU GDPR Differences, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR vs Data Protection Act 2018 Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-data-protection-act-2018.md): UK GDPR guidance for UK GDPR vs Data Protection Act 2018, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR vs EU GDPR Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-eu-gdpr.md): UK GDPR guidance for UK GDPR vs EU GDPR, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md): UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md): UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md): UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/adequacy