Artifact GuideUKDeadlines and Compliance Calendar

UK GDPR Deadlines and Compliance Calendar

Deadlines and Compliance Calendar decisions under the UK GDPR should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page maps Deadlines and Compliance Calendar into a trigger, owner, deadline, required evidence, and review path so legal, privacy, security, and compliance teams can execute consistently. The main deadlines visitors usually need to track are the one-month response period for data subject requests, the 72-hour breach notification window, and the requirement to communicate a breach to the data subject without undue delay when it is likely to result in a high risk.

Section 1

Which UK GDPR deadlines should teams track in the compliance calendar?

Start by deciding whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.

The core deadlines to calendar are: respond to data subject rights requests without undue delay and within one month, with a possible two-month extension for complex or numerous requests; notify a personal data breach to the Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it; and communicate a high-risk breach to the data subject without undue delay. Where personal data are collected from the data subject, provide the Article 13 information at the time of collection. Where personal data are obtained from another source, provide the Article 14 information within a reasonable period and at the latest within one month, or earlier if the first communication or first disclosure happens sooner.

Define the exact Deadlines and Compliance Calendar trigger and the business process it affects.
Record which role, product, system, customer group, or data flow is in scope.
Attach the source-linked rule, the owner, and the evidence field before approving the control.
Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border activity, vulnerable users, or enforcement-sensitive wording.

Sources for this answer

UK ICO data security guide

ICO security guidance supports calendar entries for security-control review and breach-readiness checks under the UK GDPR.

UK ICO artificial intelligence guidance

ICO AI guidance supports calendar review triggers for AI processing, DPIA, transparency, and risk-control updates.

UK ICO data protection audit framework

ICO audit framework supports assigning evidence owners and recurring compliance-review checkpoints.

Section 2

Who should own Deadlines and Compliance Calendar, and what evidence should prove the decision?

Ownership should sit with the team that controls the processing purpose, system behavior, vendor terms, transfer mechanism, rights channel, breach process, or child-user journey.

Evidence should show role mapping, lawful basis, Article 9/10 basis where needed, transparency wording, DPIA outcome, DSAR response, breach assessment, transfer mechanism, processor terms, and ICO escalation note.

Name one accountable owner and one reviewer for the Deadlines and Compliance Calendar workflow.
Keep source screenshots or source links, decision notes, implementation tickets, and approval records together.
Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records.
Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text.

Sources for this answer

UK ICO artificial intelligence guidance

Evidence and ownership support for UK GDPR.

UK ICO data protection audit framework

Evidence and ownership support for UK GDPR.

UK data adequacy assessment guidance

UK government guidance for adequacy assessments and international data transfer context.

Section 3

Which edge cases should teams check before relying on a Deadlines and Compliance Calendar decision?

Most UK GDPR mistakes happen at the boundary between UK GDPR, DPA 2018, PECR, EU GDPR divergence, IDTA/Addendum transfer rules, children data, and processor/subprocessor duties.

Use this section before approving a new processing purpose, vendor, transfer, profiling flow, DSAR workflow, breach process, or child-facing product change.

Check whether the rule changes for minors, consumers, business users, public-sector bodies, regulated sectors, high-risk services, or cross-border transfers.
Separate binding law, regulator guidance, consultation material, standards, and enforcement commentary in the evidence record.
Do not rely on a previous answer if the data categories, user interface, vendor role, or contractual flow changed.
Track unresolved assumptions in an open-questions section and route legal interpretation points for review.

Sources for this answer

UK ICO data security guide

Boundary and edge-case support for this artifact page.

UK ICO artificial intelligence guidance

Boundary and edge-case support for this artifact page.

UK ICO data protection audit framework

Boundary and edge-case support for this artifact page.

UK data adequacy assessment guidance

UK government guidance for adequacy assessments and international data transfer context.

Section 4

How should teams operationalize Deadlines and Compliance Calendar with proportionate controls?

Use a UK GDPR workflow that captures role, purpose, lawful basis, special-category status, DPIA trigger, rights/breach/transfer trigger, evidence, owner, and review date.

The output should be a lawful-basis note, DPIA decision, privacy notice update, DSAR record, breach assessment, transfer pack, processor clause map, or ICO response record.

Create a short intake question that identifies the Deadlines and Compliance Calendar scenario.
Map the answer to a required action, evidence field, owner, reviewer, and review date.
Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates.
Update the workflow when official source material changes or when internal evidence shows recurring exceptions.

Sources for this answer

UK ICO data security guide

Operational implementation support for Deadlines and Compliance Calendar.

UK ICO artificial intelligence guidance

Operational implementation support for Deadlines and Compliance Calendar.

UK ICO data protection audit framework

Operational implementation support for Deadlines and Compliance Calendar.

Recommended next step

Turn UK GDPR Deadlines and Compliance Calendar into assigned work

This UK GDPR guide turns Deadlines and Compliance Calendar into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution.

Assessment workflow

Open Assessment Autopilot for UK GDPR

Turn Deadlines and Compliance Calendar into scoped questions, evidence fields, and review tasks.

Explore next step

Research workflow

Review UK GDPR source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step

Talk to Sorena

Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step