Artifact GuideUKChecklist

UK GDPR Checklist

Use this checklist to verify lawful basis, notices, rights handling, records, security, breaches, transfers, and review points under the UK GDPR before launch or review.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
3

Structured answer sets in this page tree.

Primary sources
12

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This page turns the UK GDPR into a practical checklist: confirm the lawful basis, give the required notices, document records, protect the data, prepare rights and breach workflows, and review transfers and special cases before launch or change.

Section 1

How should a Checklist workflow run under the UK GDPR?

Use the workflow as a pre-launch and change-review checklist: identify the processing, confirm the lawful basis, check special category or criminal-offence data, confirm notices, evidence, retention, security, and review triggers, then assign ownership and a next review date.

A useful UK GDPR checklist should end with a clear yes or no on each control, not a generic template description.

  • Check whether the processing is lawful under Article 6 and whether any special category or criminal-convictions rule also applies.
  • Confirm the information given to people covers the identity of the controller, purposes, lawful basis, retention, rights, complaints, and transfers where relevant.
  • Record the processing activity, the owner, the evidence, and the review cadence.
  • Confirm security controls, breach reporting steps, and any required consultation or prior review before go-live.
  • Escalate transfers, DPIAs, child-directed services, profiling, and any exception that changes the decision.
Sources for this answer
GDPR Articles 5-6, 9-10, 13-14, 30, 32-36
Core UK GDPR checklist obligations on lawfulness, transparency, records, security, breach notification, and DPIAs.
Data Protection Act 2018 contents
UK GDPR checklist context for UK-specific sections and rights.
ICO legitimate interests guidance
Checklist support for the Article 6(1)(f) balancing test and reasonable expectations.
Section 2

What fields should the UK GDPR checklist template capture?

A useful template captures the control being checked, the legal basis, the evidence, the owner, the due date, and the review outcome.

It should also show whether the item passed, failed, or needs escalation.

  • Processing purpose, lawful basis, and any linked special category or criminal-offence condition.
  • Notice content, recipient categories, retention period, and complaint route.
  • Record of processing, security measures, breach process, and DPIA or prior-consultation status.
  • Transfer mechanism, destination country or organisation, and supporting safeguards.
  • Decision result, owner, reviewer, due date, evidence link, and escalation note.
Sources for this answer
GDPR Articles 13-14 and 30
Source for notice and records fields.
GDPR Articles 32-36
Source for security, breach, DPIA, and prior consultation fields.
GDPR Chapter V
Source for transfer checks.
Section 3

How should teams review and improve the UK GDPR checklist workflow?

Review the checklist when the purpose changes, a new data category is added, the legal basis changes, a transfer is introduced, a DPIA becomes necessary, a breach occurs, or a rights request pattern shows the controls are not working.

The review should remove items that do not affect the decision and add missing checks where the evidence or ownership is unclear.

  • Check whether the notices, records, and retention periods still match the live processing.
  • Confirm the security, breach, and escalation steps are still current.
  • Review whether profiling, child-directed processing, special category data, or transfers require fresh assessment.
  • Update the checklist whenever guidance, systems, vendors, or data flows change.
Sources for this answer
GDPR Articles 5, 24, 25, 30, 32, 35 and 36
Source for accountability, review, and operational change management.
ICO legitimate interests guidance
Source for reassessing the balancing test when circumstances change.
Data Protection Act 2018 contents
Source for UK-specific review of the UK GDPR framework.
Recommended next step

Turn UK GDPR Checklist into assigned work

This UK GDPR guide turns Checklist into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution.

Assessment workflow
Open Assessment Autopilot for UK GDPR

Turn Checklist into scoped questions, evidence fields, and review tasks.

Explore next step
Research workflow
Review UK GDPR source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step
Talk to Sorena
Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

GDPR Articles 13-14 and 30
legislation.gov.uk
Referenced sections
  • Source for notice and records fields.
"the identity and the contact details of the controller"
GDPR Articles 32-36
legislation.gov.uk
Referenced sections
  • Source for security, breach, DPIA, and prior consultation fields.
"implement appropriate technical and organisational measures"
GDPR Articles 5-6, 9-10, 13-14, 30, 32-36
legislation.gov.uk
Referenced sections
  • Core UK GDPR checklist obligations on lawfulness, transparency, records, security, breach notification, and DPIAs.
"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1"
GDPR Articles 5, 24, 25, 30, 32, 35 and 36
legislation.gov.uk
Referenced sections
  • Source for accountability, review, and operational change management.
"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1"
GDPR Chapter V
legislation.gov.uk
Referenced sections
  • Source for transfer checks.
"Transfers of personal data to third countries or international organisations"
ICO international transfers guidance
ico.org.uk
Referenced sections
  • ICO international-transfer guidance supports checklist triage by explaining restricted transfers, safeguards, and the organisation's responsibility for transfer-rule compliance.
"Guidance on the safeguards permitted under the UK GDPR, including the UK IDTA, Addendum and UK BCRs, and when"
ICO legitimate interests guidance
ico.org.uk
Referenced sections
  • Source for reassessing the balancing test when circumstances change.
"You should consider exactly what you are trying to achieve with the particular processing activity."
International data transfers
edpb.europa.eu
Referenced sections
  • Supports Checklist under the UK GDPR.
"- Read more Codes of conduct The GDPR introduces this new tool for data transfers"
UK data adequacy assessment guidance
assets.publishing.service.gov.uk
Referenced sections
  • UK government guidance for adequacy assessments and international data transfer context.
"guide to filling out the Manual Template"
UK-US data bridge: explainer
gov.uk
Referenced sections
  • Supports Checklist under the UK GDPR.
"Instead, a data bridge ensures that the level of protection for UK individuals' personal data under the UK GDPR"
Related guides

Explore more topics

UK GDPR 72-hour Breach Reporting Guide
UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Adequacy Guide
UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR AI And Automated Decisions Guide
UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Applicability Test Guide
Practical guidance for the UK GDPR applicability test, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Article 30 Records Guide
UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Breach Notification Guide
UK GDPR guidance for Breach Notification, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Breach Workflow Guide
UK GDPR guidance for Breach Workflow, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Children And Age Appropriate Design Guide
UK GDPR guidance for Children And Age Appropriate Design, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Children's Code Guide
UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Compliance FAQ
Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Compliance Guide
Practical guidance for the UK GDPR compliance, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Controller And Processor Status Guide
UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Data Subject Rights Guide
UK GDPR guidance for Data Subject Rights, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Deadlines and Compliance Calendar Guide
UK GDPR guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR DPIA Workflow Guide
UK GDPR guidance for DPIA Workflow, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR DPIAs And DPOs Guide
UK GDPR guidance for DPIAs And DPOs, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR DSAR Workflow Guide
UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR IDTA Addendum and Transfer Risk Assessment Guide
UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR IDTA vs EU SCCs Guide
UK GDPR guidance for IDTA vs EU SCCs, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Lawful Bases Guide
UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR PECR Cookies Guide
UK GDPR and PECR cookie guidance with practical consent, exemption, evidence, and source-linked implementation decisions.
UK GDPR penalties and fines Guide
UK GDPR guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Requirements Guide
Practical guidance for the UK GDPR requirements, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Transfer Workflow Guide
UK GDPR guidance for Transfer Workflow, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR Transfers, IDTA, and UK Addendum Guide
UK GDPR guidance for transfers, IDTA, and UK Addendum, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR UK vs EU Differences Guide
UK GDPR guidance for UK vs EU Differences, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR UK vs EU GDPR Differences Guide
UK GDPR guidance for UK vs EU GDPR Differences, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR vs Data Protection Act 2018 Guide
UK GDPR guidance for UK GDPR vs Data Protection Act 2018, with practical decisions, evidence, edge cases, and external source citations.
UK GDPR vs EU GDPR Guide
UK GDPR guidance for UK GDPR vs EU GDPR, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about 72-hour Breach Reporting under the UK GDPR?
UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Adequacy under the UK GDPR?
UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about AI And Automated Decisions under the UK GDPR?
UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Article 30 Records under the UK GDPR?
UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Children's Code under the UK GDPR?
UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Controller And Processor Status under the UK GDPR?
UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about DPIAs under the UK GDPR?
UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about DPOs under the UK GDPR?
UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?
UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Lawful Bases under the UK GDPR?
UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about PECR Cookies under the UK GDPR?
UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations.