FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage

33of33items

Across 11 modules • Updated May 9, 2026

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Back to sub-FAQs

What should teams do about DPIAs under the UK GDPR?

Which mistakes create risk when handling DPIAs under the UK GDPR?

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

Using an old threshold, deadline, source page, or contract template without checking current source text.
Treating a source-linked exception as a general exemption for every product or data flow.
Publishing notices, controls, or answers that do not match the actual product behavior.

Citations

UK data adequacy assessment guidance

UK government guidance for adequacy assessments and international data transfer context.

International data transfers

Risk and boundary support for the FAQ answer.

The UK approach to international data transfers

Risk and boundary support for the FAQ answer.

UK-US data bridge: explainer

Risk and boundary support for the FAQ answer.

Jump to answer Open module

What should teams do about DPOs under the UK GDPR?

Teams should treat DPOs under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify whether the organisation is a public authority or whether its core activities require regular and systematic monitoring of people on a large scale, or large-scale processing of special category or criminal offence data, before deciding if a DPO must be appointed.

Write the DPOs decision in one sentence before drafting controls.
Attach the external source URL and a short source quote to the evidence record.
Route unclear cases to legal, privacy, security, or compliance review before launch.

Citations

ICO guidance on data protection officers

ICO guidance on when a DPO is required and how the role must be supported under UK GDPR Articles 37-39.

ICO guidance on DPO support and independence

Supports the DPO evidence points on independence, resources, management access, and conflict-of-interest controls.

ICO accountability and governance guidance

Supports governance evidence for documenting UK GDPR decisions, policies, records, and accountable ownership.

Jump to answer Open module

What should teams do about DPOs under the UK GDPR?

What evidence should teams keep for DPOs under the UK GDPR?

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

Source URL and quote used for the decision.
Scope notes, screenshots, data-flow or system references, and role mapping.
Implementation ticket, approval record, exception notes, and review date.

Citations

ICO guidance on DPO support and independence

Evidence support for DPO role records, reporting lines, resources, and conflict checks.

ICO accountability and governance guidance

Evidence support for accountability records and reviewable UK GDPR governance decisions.

UK-US data bridge: explainer

Evidence support for the FAQ answer.

Jump to answer Open module

What should teams do about DPOs under the UK GDPR?

Which mistakes create risk when handling DPOs under the UK GDPR?

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

Using an old threshold, deadline, source page, or contract template without checking current source text.
Treating a source-linked exception as a general exemption for every product or data flow.
Publishing notices, controls, or answers that do not match the actual product behavior.

Citations

ICO guidance on data protection officers

ICO guidance on when a DPO is required and how the role must be supported under UK GDPR Articles 37-39.

ICO guidance on DPO support and independence

Risk and boundary support for DPO reporting lines, independence, resources, and conflict-of-interest checks.

ICO accountability and governance guidance

Risk and boundary support for accountable UK GDPR governance records and reviewable implementation decisions.

ICO guidance on DPO tasks

Risk and boundary support for DPO monitoring, DPIA advice, and ICO contact-point responsibilities.

Jump to answer Open module

What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?

Teams should treat IDTA addendum and transfer risk assessment under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the controller/processor role, purpose, lawful basis, special-category status, right, breach, transfer, or child-data trigger before assigning the UK GDPR action.

Write the IDTA addendum and transfer risk assessment decision in one sentence before drafting controls.
Attach the external source URL and a short source quote to the evidence record.
Route unclear cases to legal, privacy, security, or compliance review before launch.

Citations

ICO international transfers

ICO guidance identifies UK transfer safeguards, including the IDTA, Addendum, and transfer risk assessment/data protection test workflow.

ICO appropriate safeguards for restricted transfers

ICO guidance links Article 46 safeguards to the UK IDTA and International Data Transfer Addendum for restricted transfers.

The UK approach to international data transfers

Directly supports the FAQ answer by tying restricted-transfer safeguards to the IDTA/Addendum and TRA decision.

Jump to answer Open module

What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?

What evidence should teams keep for IDTA addendum and transfer risk assessment under the UK GDPR?

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

Source URL and quote used for the decision.
Scope notes, screenshots, data-flow or system references, and role mapping.
Implementation ticket, approval record, exception notes, and review date.

Citations

ICO appropriate safeguards for restricted transfers

ICO guidance links Article 46 safeguards to the UK IDTA and International Data Transfer Addendum for restricted transfers.

The UK approach to international data transfers

Supports the evidence recommendation by identifying the transfer decision or control record teams should retain.

ICO data protection audit framework

ICO audit material supports keeping accountable evidence that transfer decisions, controls, and reviews are operating in practice.

Jump to answer Open module

What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?

How do the IDTA and Addendum work for restricted transfers?

The ICO says the IDTA and the International Data Transfer Addendum provide appropriate safeguards for restricted transfers when they are entered into as legally binding contracts. The GOV.UK guidance says data exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when transferring to non-adequate countries.

The IDTA also expects the exporter to carry out a transfer risk assessment where required and to keep the transfer terms, importer's local-law information, and review dates up to date.

Use the IDTA or Addendum only for restricted transfers that need Article 46 safeguards.
Check the importer information, local laws, and review dates before the transfer starts.
Keep a copy of any TRA and the written record of the transfer decision.

Citations

ICO international data transfer agreement

The IDTA states that it is issued for Parties making Restricted Transfers and provides Appropriate Safeguards when entered into as a legally binding contract.

ICO international data transfer addendum

The Addendum states that it is issued for Parties making Restricted Transfers and provides Appropriate Safeguards when entered into as a legally binding contract.

The UK approach to international data transfers

GOV.UK guidance says exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making transfers to non-adequate countries.

Jump to answer Open module

What should teams do about Lawful Bases under the UK GDPR?

How should teams choose a lawful basis under the UK GDPR?

Teams should treat Lawful Bases under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the controller/processor role, purpose, lawful basis, special-category status, right, breach, transfer, or child-data trigger before assigning the UK GDPR action.

Write the Lawful Bases decision in one sentence before drafting controls.
Attach the external source URL and a short source quote to the evidence record.
Route unclear cases to legal, privacy, security, or compliance review before launch.

Citations

ICO guide to lawful basis

ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.

ICO guide to data protection principles

ICO principles guidance supports linking lawful basis decisions to fairness, transparency, accountability, and documented processing controls.

UK ICO artificial intelligence guidance

Directly supports the FAQ answer by tying processing decisions to Article 6 lawful-basis selection and evidence.

Jump to answer Open module

What should teams do about Lawful Bases under the UK GDPR?

What evidence should teams keep for Lawful Bases under the UK GDPR?

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

Source URL and quote used for the decision.
Scope notes, screenshots, data-flow or system references, and role mapping.
Implementation ticket, approval record, exception notes, and review date.

Citations

ICO guide to lawful basis

ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.

UK ICO artificial intelligence guidance

Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.

Guidance on AI and Data Protection

Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.

Jump to answer Open module

What should teams do about Lawful Bases under the UK GDPR?

Which mistakes create risk when handling Lawful Bases under the UK GDPR?

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

Using an old threshold, deadline, source page, or contract template without checking current source text.
Treating a source-linked exception as a general exemption for every product or data flow.
Publishing notices, controls, or answers that do not match the actual product behavior.

Citations

Article 30 Record of Processing Activities

Risk and boundary support for the FAQ answer.

A Guide to the Data Protection Principles

Risk and boundary support for the FAQ answer.

UK ICO artificial intelligence guidance

Risk and boundary support for the FAQ answer.

Guidance on AI and Data Protection

Risk and boundary support for the FAQ answer.

Jump to answer Open module

What should teams do about PECR Cookies under the UK GDPR?

How should teams apply the PECR cookies rules before the UK GDPR?

Teams should treat PECR Cookies under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the controller/processor role, purpose, lawful basis, special-category status, right, breach, transfer, or child-data trigger before assigning the UK GDPR action.

Write the PECR Cookies decision in one sentence before drafting controls.
Attach the external source URL and a short source quote to the evidence record.
Route unclear cases to legal, privacy, security, or compliance review before launch.

Citations

Cookies and Similar Technologies

ICO guidance directly supports the PECR cookies answer by setting out notice, consent, and similar-technology requirements.

ICO guidance on PECR and the UK GDPR

ICO guidance directly supports the PECR cookies answer by setting out notice, consent, and similar-technology requirements.

ICO PECR storage and access technologies rules

ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.

Jump to answer Open module

What should teams do about PECR Cookies under the UK GDPR?

What evidence should teams keep for PECR Cookies under the UK GDPR?

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

Source URL and quote used for the decision.
Scope notes, screenshots, data-flow or system references, and role mapping.
Implementation ticket, approval record, exception notes, and review date.

Citations

ICO guidance on PECR and the UK GDPR

Evidence support for the FAQ answer.

ICO PECR storage and access technologies rules

ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.

ICO storage and access technologies scope

Evidence support for the FAQ answer.

Jump to answer Open module

What should teams do about PECR Cookies under the UK GDPR?

Which mistakes create risk when handling PECR Cookies under the UK GDPR?

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

Using an old threshold, deadline, source page, or contract template without checking current source text.
Treating a source-linked exception as a general exemption for every product or data flow.
Publishing notices, controls, or answers that do not match the actual product behavior.

Citations

Cookies and Similar Technologies

Risk and boundary support for the FAQ answer.

ICO guidance on PECR and the UK GDPR

Risk and boundary support for the FAQ answer.

ICO PECR storage and access technologies rules

ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.

ICO storage and access technologies scope

Risk and boundary support for the FAQ answer.

Jump to answer Open module

Page 2 of 2

Previous12Next