---
title: "UK GDPR Compliance FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items/page/2"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items/page/2"
author: "Sorena AI"
description: "Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK GDPR"
  - "FAQ"
  - "UK GDPR FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# UK GDPR Compliance FAQ

Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations.


## UK GDPR FAQ

This FAQ answers recurring UK GDPR implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance that supports implementation planning, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Use this FAQ hub to answer recurring questions in a UK GDPR workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md)

UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md)

UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md)

UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md)

UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md)

UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md)

UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md)

UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md)

UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md)

UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md)

UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md)

UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/uk/general-data-protection-regulation/faq/items](/artifacts/uk/general-data-protection-regulation/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 13 of 33 items.*

### [Which mistakes create risk when handling DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md#which-mistakes-create-risk-when-handling-dpias-under-the-uk-gdpr)

*Module: [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [UK data adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for adequacy assessments and international data transfer context.
- [International data transfers](https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md#what-should-teams-do-about-dpos-under-the-uk-gdpr)

*Module: [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md)*

Teams should treat DPOs under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the DPOs decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO guidance on data protection officers](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - ICO guidance on when a DPO is required and how the role must be supported under UK GDPR Articles 37-39.
- [ICO guidance on DPO support and independence](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - Supports the DPO evidence points on independence, resources, management access, and conflict-of-interest controls.
- [ICO accountability and governance guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Supports governance evidence for documenting UK GDPR decisions, policies, records, and accountable ownership.

### [What evidence should teams keep for DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md#what-evidence-should-teams-keep-for-dpos-under-the-uk-gdpr)

*Module: [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO guidance on DPO support and independence](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - Evidence support for DPO role records, reporting lines, resources, and conflict checks.
- [ICO accountability and governance guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Evidence support for accountability records and reviewable UK GDPR governance decisions.
- [UK-US data bridge: explainer](https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md#which-mistakes-create-risk-when-handling-dpos-under-the-uk-gdpr)

*Module: [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ICO guidance on data protection officers](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - ICO guidance on when a DPO is required and how the role must be supported under UK GDPR Articles 37-39.
- [ICO guidance on DPO support and independence](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - Risk and boundary support for DPO reporting lines, independence, resources, and conflict-of-interest checks.
- [ICO accountability and governance guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Risk and boundary support for accountable UK GDPR governance records and reviewable implementation decisions.
- [ICO guidance on DPO tasks](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/?ref=sorena.io) - Risk and boundary support for DPO monitoring, DPIA advice, and ICO contact-point responsibilities.

### [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md#what-should-teams-do-about-idta-addendum-and-transfer-risk-assessment-under-the-uk-gdpr)

*Module: [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md)*

Teams should treat IDTA addendum and transfer risk assessment under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the IDTA addendum and transfer risk assessment decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO international transfers](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/?ref=sorena.io) - ICO guidance identifies UK transfer safeguards, including the IDTA, Addendum, and transfer risk assessment/data protection test workflow.
- [ICO appropriate safeguards for restricted transfers](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/appropriate-safeguards/what-are-the-rules-on-appropriate-safeguards/?ref=sorena.io) - ICO guidance links Article 46 safeguards to the UK IDTA and International Data Transfer Addendum for restricted transfers.
- [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Directly supports the FAQ answer by tying restricted-transfer safeguards to the IDTA/Addendum and TRA decision.

### [What evidence should teams keep for IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md#what-evidence-should-teams-keep-for-idta-addendum-and-transfer-risk-assessment-under-the-uk-gdpr)

*Module: [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO appropriate safeguards for restricted transfers](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/appropriate-safeguards/what-are-the-rules-on-appropriate-safeguards/?ref=sorena.io) - ICO guidance links Article 46 safeguards to the UK IDTA and International Data Transfer Addendum for restricted transfers.
- [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - Supports the evidence recommendation by identifying the transfer decision or control record teams should retain.
- [ICO data protection audit framework](https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/?ref=sorena.io) - ICO audit material supports keeping accountable evidence that transfer decisions, controls, and reviews are operating in practice.

### [How do the IDTA and Addendum work for restricted transfers?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md#how-do-the-idta-and-addendum-work-for-restricted-transfers)

*Module: [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md)*

The ICO says the IDTA and the International Data Transfer Addendum provide appropriate safeguards for restricted transfers when they are entered into as legally binding contracts. The GOV.UK guidance says data exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when transferring to non-adequate countries.

- Use the IDTA or Addendum only for restricted transfers that need Article 46 safeguards.
- Check the importer information, local laws, and review dates before the transfer starts.
- Keep a copy of any TRA and the written record of the transfer decision.

Sources for this answer:

- [ICO international data transfer agreement](https://ico.org.uk/media2/migrated/4019538/international-data-transfer-agreement.pdf?ref=sorena.io) - The IDTA states that it is issued for Parties making Restricted Transfers and provides Appropriate Safeguards when entered into as a legally binding contract.
- [ICO international data transfer addendum](https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf?ref=sorena.io) - The Addendum states that it is issued for Parties making Restricted Transfers and provides Appropriate Safeguards when entered into as a legally binding contract.
- [The UK approach to international data transfers](https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation?ref=sorena.io) - GOV.UK guidance says exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making transfers to non-adequate countries.

### [How should teams choose a lawful basis under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md#how-should-teams-choose-a-lawful-basis-under-the-uk-gdpr)

*Module: [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md)*

Teams should treat Lawful Bases under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the Lawful Bases decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO guide to lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/?ref=sorena.io) - ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.
- [ICO guide to data protection principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - ICO principles guidance supports linking lawful basis decisions to fairness, transparency, accountability, and documented processing controls.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Directly supports the FAQ answer by tying processing decisions to Article 6 lawful-basis selection and evidence.

### [What evidence should teams keep for Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md#what-evidence-should-teams-keep-for-lawful-bases-under-the-uk-gdpr)

*Module: [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO guide to lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/?ref=sorena.io) - ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.

### [Which mistakes create risk when handling Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md#which-mistakes-create-risk-when-handling-lawful-bases-under-the-uk-gdpr)

*Module: [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [How should teams apply the PECR cookies rules before the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md#how-should-teams-apply-the-pecr-cookies-rules-before-the-uk-gdpr)

*Module: [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md)*

Teams should treat PECR Cookies under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children's data, or ICO enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.

- Write the PECR Cookies decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Cookies and Similar Technologies](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/?ref=sorena.io) - ICO guidance directly supports the PECR cookies answer by setting out notice, consent, and similar-technology requirements.
- [ICO guidance on PECR and the UK GDPR](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/how-do-the-pecr-rules-relate-to-the-uk-gdpr/?ref=sorena.io) - ICO guidance directly supports the PECR cookies answer by setting out notice, consent, and similar-technology requirements.
- [ICO PECR storage and access technologies rules](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-the-pecr-rules/?ref=sorena.io) - ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.

### [What evidence should teams keep for PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md#what-evidence-should-teams-keep-for-pecr-cookies-under-the-uk-gdpr)

*Module: [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md)*

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO guidance on PECR and the UK GDPR](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/how-do-the-pecr-rules-relate-to-the-uk-gdpr/?ref=sorena.io) - Evidence support for the FAQ answer.
- [ICO PECR storage and access technologies rules](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-the-pecr-rules/?ref=sorena.io) - ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.
- [ICO storage and access technologies scope](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-storage-and-access-technologies/?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md#which-mistakes-create-risk-when-handling-pecr-cookies-under-the-uk-gdpr)

*Module: [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md)*

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Cookies and Similar Technologies](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [ICO guidance on PECR and the UK GDPR](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/how-do-the-pecr-rules-relate-to-the-uk-gdpr/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [ICO PECR storage and access technologies rules](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-the-pecr-rules/?ref=sorena.io) - ICO storage-and-access guidance supports the PECR cookies workflow by setting out notice, consent, exceptions, and UK GDPR overlap.
- [ICO storage and access technologies scope](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-storage-and-access-technologies/?ref=sorena.io) - Risk and boundary support for the FAQ answer.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/items/page/2
