---
title: "UK GDPR FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/faq"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq"
author: "Sorena AI"
description: "Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "UK GDPR FAQ"
  - "UK GDPR questions"
  - "UK GDPR lawful basis"
  - "UK GDPR breach"
  - "UK GDPR IDTA"
  - "ICO guidance"
  - "UK privacy questions"
---

# UK GDPR FAQ

Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure.


Answer the UK GDPR questions that usually block implementation decisions.

Use these answers to align legal, engineering, procurement, and support teams before work starts.

The same UK GDPR questions come up repeatedly in implementation work. Treat the answers as decision rules and link them to documented evidence.

## Scope and accountability questions

Common questions include whether a non-UK company is in scope, whether a vendor is a processor or a controller, and whether a small company must still keep Article 30 records.

- Does the service target or monitor people in the UK?
- Who decides purpose and essential means for each processing activity?
- Is there special category data, child data, or profiling that increases risk?
- What documentation already exists to support the decision?

## Transfer, rights, and incident questions

Most practical disputes are about whether adequacy is enough, when to use the IDTA instead of the Addendum, whether a request can be extended, and what starts the 72-hour breach clock.

- Use adequacy where available and a transfer tool where it is not
- Use the Addendum if the EU SCCs already sit in the deal pack
- Start the rights clock once you have a valid request
- Start breach timing when the controller is aware a breach has occurred

## Children and enforcement questions

If children are likely to use the service, the question is not whether the product is intended for children but whether the evidence shows that children are likely users. On enforcement, the ICO looks at whether the organisation can prove what it did and why.

- Apply the Children's Code when services are likely to be accessed by children
- Keep records of lawful basis, rights handling, transfers, and incidents
- Expect higher fine exposure for principle failures and weak lawful processing
- Use the programme to reduce complaint volume as well as fine risk

## Primary sources

- [ICO UK GDPR guidance and resources](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/?ref=sorena.io) - Primary ICO guidance hub.
- [ICO guide to individual rights](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/a-guide-to-individual-rights/?ref=sorena.io) - Operational rights guidance.
- [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/?ref=sorena.io) - Adequacy, IDTA, Addendum, and TRA guidance.
- [ICO age appropriate design code](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/?ref=sorena.io) - Children's Code standards.


