---
title: "UK GDPR Compliance FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items"
author: "Sorena AI"
description: "Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK GDPR"
  - "FAQ"
  - "UK GDPR FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
# UK GDPR Compliance FAQ

Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations.

## UK GDPR FAQ

This FAQ answers recurring UK GDPR implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance that supports implementation planning, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Use this FAQ hub to answer recurring questions in a UK GDPR workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md)

UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md)

UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md)

UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md)

UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md)

UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md)

UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md)

UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md)

UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md)

UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md)

UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md)

UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/uk/general-data-protection-regulation/faq/items](/artifacts/uk/general-data-protection-regulation/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 33 items.*

### [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md#what-should-teams-do-about-72-hour-breach-reporting-under-the-uk-gdpr)

*Module: [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md)*

Teams should run 72-hour breach reporting as an incident workflow: record when the organisation became aware of a personal data breach, assess whether it is notifiable to the ICO, submit the report without undue delay and where feasible within 72 hours, and keep any delayed or phased-reporting rationale with the incident record.

- Record the awareness timestamp before drafting controls or communications.
- Assess likelihood and severity of risk to individuals and document the notification decision.
- Route uncertain or high-risk cases to privacy, legal, security, and incident-response owners before the 72-hour window closes.

Sources for this answer:

- [ICO UK GDPR personal data breach reporting](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/?ref=sorena.io) - ICO breach-reporting guidance supports the operational trigger, ICO notification route, and 72-hour handling expectation for UK GDPR incidents.
- [ICO personal data breaches: a guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - ICO guidance explains that notifiable breaches must be reported within 72 hours of awareness and that incomplete information can be supplemented.
- [UK GDPR Article 33 - Notification of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/33?ref=sorena.io) - Article 33 is the binding UK GDPR source for controller notification to the supervisory authority and the 72-hour clock.
- [UK GDPR Article 34 - Communication of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/34?ref=sorena.io) - Article 34 supports the separate decision on whether affected individuals must be told when a breach is likely to result in high risk.

### [What evidence should teams keep for 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md#what-evidence-should-teams-keep-for-72-hour-breach-reporting-under-the-uk-gdpr)

*Module: [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md)*

Useful evidence is incident-specific: awareness timestamp, breach facts, affected categories of personal data and people, containment steps, risk assessment, ICO notification decision, ICO submission receipt, delayed-reporting explanation if relevant, and any Article 34 communication decision.

- Awareness timestamp, incident timeline, and who made the notifiability decision.
- Risk assessment showing likely impact on individuals and any high-risk communication decision.
- ICO report copy, submission receipt, updates provided later, and reasons for any delay beyond 72 hours.
- Containment, remediation, processor/controller notifications, approval record, and review date.

Sources for this answer:

- [ICO UK GDPR personal data breach reporting](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/?ref=sorena.io) - ICO breach-reporting guidance supports the operational trigger, ICO notification route, and 72-hour handling expectation for UK GDPR incidents.
- [ICO personal data breaches: a guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - ICO guidance explains that notifiable breaches must be reported within 72 hours of awareness and that incomplete information can be supplemented.
- [UK GDPR Article 33 - Notification of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/33?ref=sorena.io) - Article 33 is the binding UK GDPR source for controller notification to the supervisory authority and the 72-hour clock.
- [UK GDPR Article 34 - Communication of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/34?ref=sorena.io) - Article 34 supports the separate decision on whether affected individuals must be told when a breach is likely to result in high risk.

### [Which mistakes create risk when handling 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md#which-mistakes-create-risk-when-handling-72-hour-breach-reporting-under-the-uk-gdpr)

*Module: [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md)*

The common failure pattern is treating every security event the same, missing the awareness timestamp, waiting for a complete investigation before reporting a notifiable breach, or failing to separate ICO notification from communication to affected individuals.

- Using an old threshold, deadline, source page, or incident template without checking current ICO and UK GDPR wording.
- Treating a low-risk decision as a general exemption without recording the risk assessment.
- Letting ICO updates, individual communications, or processor notifications sit outside the incident record.

Sources for this answer:

- [ICO UK GDPR personal data breach reporting](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/?ref=sorena.io) - ICO breach-reporting guidance supports the operational trigger, ICO notification route, and 72-hour handling expectation for UK GDPR incidents.
- [ICO personal data breaches: a guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - ICO guidance explains that notifiable breaches must be reported within 72 hours of awareness and that incomplete information can be supplemented.
- [UK GDPR Article 33 - Notification of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/33?ref=sorena.io) - Article 33 is the binding UK GDPR source for controller notification to the supervisory authority and the 72-hour clock.
- [UK GDPR Article 34 - Communication of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/34?ref=sorena.io) - Article 34 supports the separate decision on whether affected individuals must be told when a breach is likely to result in high risk.

### [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md#what-should-teams-do-about-adequacy-under-the-uk-gdpr)

*Module: [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md)*

Teams should treat Adequacy under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the Adequacy decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [GOV.UK UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers?ref=sorena.io) - Explains the UK adequacy-assessment framework and how adequacy supports international data transfers.
- [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/international-transfers/?ref=sorena.io) - Explains the UK GDPR restricted-transfer route, including when adequacy regulations or safeguards are needed.
- [UK-US data bridge explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Shows how a specific UK data bridge preserves UK GDPR protection for in-scope transfers.

### [What evidence should teams keep for Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md#what-evidence-should-teams-keep-for-adequacy-under-the-uk-gdpr)

*Module: [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [GOV.UK UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers?ref=sorena.io) - Explains the UK adequacy-assessment framework and how adequacy supports international data transfers.
- [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/international-transfers/?ref=sorena.io) - Explains the UK GDPR restricted-transfer route, including when adequacy regulations or safeguards are needed.
- [UK-US data bridge explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Shows how a specific UK data bridge preserves UK GDPR protection for in-scope transfers.

### [Which mistakes create risk when handling Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md#which-mistakes-create-risk-when-handling-adequacy-under-the-uk-gdpr)

*Module: [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [GOV.UK UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers?ref=sorena.io) - Explains the UK adequacy-assessment framework and how adequacy supports international data transfers.
- [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/international-transfers/?ref=sorena.io) - Explains the UK GDPR restricted-transfer route, including when adequacy regulations or safeguards are needed.
- [UK-US data bridge explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Shows how a specific UK data bridge preserves UK GDPR protection for in-scope transfers.

### [When does Article 22 apply to AI And Automated Decisions?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md#when-does-article-22-apply-to-ai-and-automated-decisions)

*Module: [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md)*

Article 22 is about a decision that is based solely on automated processing and that produces a legal effect or a similarly significant effect for the individual. In plain English, the key question is whether a person is getting a meaningful human decision-maker, or whether the system is deciding on its own.

- Write the decision on UK GDPR AI and automated decision-making in one sentence before drafting controls.
- For UK GDPR AI or automated decisions, record whether Article 22 applies and how people can request human intervention or challenge the decision.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO rights related to automated decision-making and profiling](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/?ref=sorena.io) - Explains the UK GDPR Article 22 restriction, permitted bases, human review, challenge rights, and DPIA expectations.
- [ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports AI-specific UK GDPR implementation work, including governance and data-protection risks in AI systems.

### [What evidence should teams keep for AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md#what-evidence-should-teams-keep-for-ai-and-automated-decisions-under-the-uk-gdpr)

*Module: [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO rights related to automated decision-making and profiling](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/?ref=sorena.io) - Explains the UK GDPR Article 22 restriction, permitted bases, human review, challenge rights, and DPIA expectations.
- [ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports AI-specific UK GDPR implementation work, including governance and data-protection risks in AI systems.

### [Which mistakes create risk when handling AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md#which-mistakes-create-risk-when-handling-ai-and-automated-decisions-under-the-uk-gdpr)

*Module: [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ICO rights related to automated decision-making and profiling](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/?ref=sorena.io) - Explains the UK GDPR Article 22 restriction, permitted bases, human review, challenge rights, and DPIA expectations.
- [ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports AI-specific UK GDPR implementation work, including governance and data-protection risks in AI systems.

### [What are Article 30 records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md#what-are-article-30-records-under-the-uk-gdpr)

*Module: [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md)*

Article 30 records are the written records of processing activities that controllers and processors must keep under Article 30. In plain English, they are the internal register that says what personal data you process, why you process it, who receives it, whether you transfer it, how long you keep it, and what security measures you use.

- Write the Article 30 Records decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO Article 30 documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/what-do-we-need-to-document-under-article-30-of-the-gdpr/?ref=sorena.io) - ICO guidance lists the controller and processor information that should be documented for Article 30 records.
- [ICO records of processing and lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/records-of-processing-and-lawful-basis/?ref=sorena.io) - ICO accountability framework connects ROPA completeness with documenting and justifying lawful bases under Articles 6, 9, and 10.
- [ICO data protection audit framework](https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/?ref=sorena.io) - ICO audit material supports keeping accountable evidence that Article 30 records and review controls are operating in practice.

### [What evidence should teams keep for Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md#what-evidence-should-teams-keep-for-article-30-records-under-the-uk-gdpr)

*Module: [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO records of processing and lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/records-of-processing-and-lawful-basis/?ref=sorena.io) - ICO accountability framework connects ROPA completeness with documenting and justifying lawful bases under Articles 6, 9, and 10.
- [ICO Article 30 documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/what-do-we-need-to-document-under-article-30-of-the-gdpr/?ref=sorena.io) - ICO guidance lists the controller and processor information that should be documented for Article 30 records.
- [ICO data protection audit framework](https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/?ref=sorena.io) - ICO audit material supports keeping accountable evidence that Article 30 records and review controls are operating in practice.

### [Which mistakes create risk when handling Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md#which-mistakes-create-risk-when-handling-article-30-records-under-the-uk-gdpr)

*Module: [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ICO Article 30 documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/what-do-we-need-to-document-under-article-30-of-the-gdpr/?ref=sorena.io) - ICO guidance lists the controller and processor information that should be documented for Article 30 records.
- [ICO records of processing and lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/records-of-processing-and-lawful-basis/?ref=sorena.io) - ICO accountability framework connects ROPA completeness with documenting and justifying lawful bases under Articles 6, 9, and 10.
- [ICO data protection audit framework](https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/?ref=sorena.io) - ICO audit material supports keeping accountable evidence that Article 30 records and review controls are operating in practice.

### [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md#what-should-teams-do-about-childrens-code-under-the-uk-gdpr)

*Module: [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md)*

Teams should treat the Children's Code under the UK GDPR as a source-linked operating decision for online services likely to be accessed by children: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the Children's Code decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [UK ICO Age Appropriate Design Code](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/?ref=sorena.io) - ICO statutory Children's Code source supporting age-appropriate design duties for online services likely to be accessed by children.
- [ICO Children's code design guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/designing-products-that-protect-privacy/childrens-code-design-guidance/getting-started/?ref=sorena.io) - ICO design guidance showing when teams should consider the Children's Code standards and children's best interests during product design.
- [Age Appropriate Design Code](https://www.gov.uk/government/publications/explanatory-memorandum-to-the-age-appropriate-design-code-2020-2020?ref=sorena.io) - GOV.UK publication record confirming the Age Appropriate Design Code was laid before Parliament.

### [What evidence should teams keep for Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md#what-evidence-should-teams-keep-for-childrens-code-under-the-uk-gdpr)

*Module: [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO Children's code design guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/designing-products-that-protect-privacy/childrens-code-design-guidance/getting-started/?ref=sorena.io) - ICO design guidance showing when teams should consider the Children's Code standards and children's best interests during product design.
- [Age Appropriate Design Code](https://www.gov.uk/government/publications/explanatory-memorandum-to-the-age-appropriate-design-code-2020-2020?ref=sorena.io) - GOV.UK publication record confirming the Age Appropriate Design Code was laid before Parliament.
- [Data Sharing a Code of Practice](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/?ref=sorena.io) - ICO code supporting evidence practices when Children's Code work involves data sharing decisions.

### [Which mistakes create risk when handling Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md#which-mistakes-create-risk-when-handling-childrens-code-under-the-uk-gdpr)

*Module: [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [UK ICO Age Appropriate Design Code](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/?ref=sorena.io) - ICO statutory Children's Code source supporting age-appropriate design duties for online services likely to be accessed by children.
- [ICO Children's code design guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/designing-products-that-protect-privacy/childrens-code-design-guidance/getting-started/?ref=sorena.io) - ICO design guidance showing when teams should consider the Children's Code standards and children's best interests during product design.
- [Age Appropriate Design Code](https://www.gov.uk/government/publications/explanatory-memorandum-to-the-age-appropriate-design-code-2020-2020?ref=sorena.io) - GOV.UK publication record confirming the Age Appropriate Design Code was laid before Parliament.
- [Data Sharing a Code of Practice](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/?ref=sorena.io) - ICO code supporting evidence practices when Children's Code work involves data sharing decisions.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172936/GDPR-documentation-processor-template.xlsx?ref=sorena.io) - ICO Article 30 template supporting records of processing evidence for Children's Code decisions.

### [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md#what-should-teams-do-about-controller-and-processor-status-under-the-uk-gdpr)

*Module: [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md)*

Teams should treat Controller And Processor Status under the UK GDPR as a source-linked operating decision. Confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and the review trigger.

- Write the Controller And Processor Status decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO - What are controllers and processors?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/?ref=sorena.io) - ICO guidance defining controller and processor status and explaining why role classification changes UK GDPR responsibilities.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - ICO controller ROPA template supporting evidence that controller-side processing responsibilities have been recorded.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172936/GDPR-documentation-processor-template.xlsx?ref=sorena.io) - ICO processor ROPA template supporting evidence that processor-side processing responsibilities have been recorded.

### [What evidence should teams keep for Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md#what-evidence-should-teams-keep-for-controller-and-processor-status-under-the-uk-gdpr)

*Module: [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - ICO controller ROPA template supporting evidence that controller-side processing responsibilities have been recorded.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172936/GDPR-documentation-processor-template.xlsx?ref=sorena.io) - ICO processor ROPA template supporting evidence that processor-side processing responsibilities have been recorded.
- [ICO - How do you determine whether you are a controller or processor?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/how-do-you-determine-whether-you-are-a-controller-or-processor/?ref=sorena.io) - ICO guidance supporting evidence records for role mapping and mixed controller/processor scenarios.

### [Which mistakes create risk when handling Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md#which-mistakes-create-risk-when-handling-controller-and-processor-status-under-the-uk-gdpr)

*Module: [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ICO - What are controllers and processors?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/?ref=sorena.io) - ICO guidance defining controller and processor status and explaining why role classification changes UK GDPR responsibilities.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - ICO controller ROPA template supporting evidence that controller-side processing responsibilities have been recorded.
- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172936/GDPR-documentation-processor-template.xlsx?ref=sorena.io) - ICO processor ROPA template supporting evidence that processor-side processing responsibilities have been recorded.
- [ICO - How do you determine whether you are a controller or processor?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/how-do-you-determine-whether-you-are-a-controller-or-processor/?ref=sorena.io) - ICO guidance supporting evidence records for role mapping and mixed controller/processor scenarios.

### [When do teams need a DPIA for UK GDPR processing?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md#when-do-teams-need-a-dpia-for-uk-gdpr-processing)

*Module: [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md)*

Teams need a DPIA before processing when the type of processing, including the use of new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Article 35 also says a single DPIA may cover a set of similar processing operations that present similar high risks.

- Do the DPIA before launch, not after the processing has started.
- Use the DPIA to describe the processing, assess necessity and proportionality, identify the risks, and set out the safeguards.
- If the DPIA still shows a high risk after mitigation, consult the Commissioner before processing begins.

Sources for this answer:

- [UK GDPR Article 35 - Data protection impact assessment](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - Primary source for when a DPIA is required and what it must contain.
- [UK GDPR Article 35(3)](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - Primary source for the examples of processing that require a DPIA.
- [UK GDPR Article 36](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - Primary source for prior consultation if the risk remains high.

### [What evidence should teams keep for DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md#what-evidence-should-teams-keep-for-dpias-under-the-uk-gdpr)

*Module: [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Evidence support for the FAQ answer.
- [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Evidence support for the FAQ answer.
- [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Evidence support for the FAQ answer.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items
