RequirementsUK GDPR

UK GDPR Requirements

Translate UK GDPR duties into concrete controls, owners, tests, and evidence.

A requirement matrix works when it is specific enough to drive design, implementation, and audit follow up.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 21, 2026

Sections

3

Structured answer sets in this page tree.

Primary sources

4

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 21, 2026

Overview

The UK GDPR requirement set is easiest to manage when grouped into control domains with clear evidence outputs.

1

Section 1

Core legal control domains

Start with the principles, lawful basis, transparency, rights, and accountability. These domains shape nearly every other control decision.

Principles, lawful basis, and fairness for each processing activity
Privacy notice and transparency controls at collection and change points
Article 30 records and wider documentation obligations
Rights handling with timing, verification, and exception logic

2

Section 2

Operational control domains

The operating model should then cover the system level controls that make the legal requirements real: security, processor governance, retention, incident response, and transfers.

Article 32 security measures matched to actual risk
Article 28 controller processor contracts and vendor oversight
Retention and deletion rules tied to purpose and legal hold needs
Breach escalation, notification, and post incident remediation

3

Section 3

High risk and change domains

Some requirements activate only in certain scenarios but they need clear triggers in the matrix. That includes DPIAs, children, profiling, and restricted transfers.

DPIA triggers and approval workflow
Children's Code requirements for services likely to be accessed by children
International transfer tool selection and TRA
Change management checks before new products, vendors, or data uses go live

Recommended next step

Turn UK GDPR Requirements into an operational assessment

Assessment Autopilot can take UK GDPR Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on UK GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for UK GDPR Requirements

Start from UK GDPR Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk through UK GDPR

Review your current process, evidence gaps, and next steps for UK GDPR Requirements.

Explore next step

Primary sources

References and citations

ICO documentation guidance

ico.org.uk

Referenced sections

Article 30 and supporting documentation guidance.

ICO guide to accountability and governance

ico.org.uk

Referenced sections

Accountability, records, and contracts guidance.

ICO guide to data security

ico.org.uk

Referenced sections

Article 32 and security principle guidance.

ICO international transfers guidance

ico.org.uk

Referenced sections

Adequacy, IDTA, Addendum, and TRA guidance.

Related guides

Explore more topics

IDTA vs EU SCCs | UK GDPR Transfer Tool Comparison

Compare the UK IDTA, UK Addendum, and EU standard contractual clauses for UK GDPR transfer compliance, contract selection, and transfer risk assessments.

UK GDPR Applicability Test | Territorial Scope and Roles

Assess UK GDPR territorial scope, controller or processor role, special category triggers, and UK transfer exposure with a defensible applicability test.

UK GDPR Breach Notification | 72 Hour ICO Reporting Guide

Operational guide to UK GDPR breach notification, including the 72 hour ICO deadline, processor escalation, breach logging.

UK GDPR Checklist | Practical Compliance Checklist

Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness.

UK GDPR Children and Age Appropriate Design

Implement the UK Children's Code with grounded guidance on likely to be accessed tests, high privacy defaults, profiling limits, geolocation, age assurance.

UK GDPR Compliance Program | Operating Model Guide

Build a UK GDPR compliance program with accountability, Article 30 records, DPIAs, controller processor contracts, rights operations, transfer controls.

UK GDPR Data Subject Rights | One Month Response Guide

Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, objection.

UK GDPR Deadlines and Compliance Calendar

Calendar view of UK GDPR milestones, including January 1, 2021 applicability, March 2022 transfer tools, one month rights deadlines.

UK GDPR FAQ | Practical Questions and Answers

Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure.

UK GDPR Penalties and Fines | Enforcement Exposure Guide

Guide to UK GDPR penalties and fines, including the 17.5 million pounds or 4 percent upper tier, the 8.7 million pounds or 2 percent standard tier.

UK GDPR Transfers, IDTA, and UK Addendum

Detailed UK GDPR international transfers guide covering adequacy, UK IDTA, UK Addendum, transfer risk assessments, vendor governance, and UK bridge reliance.

UK GDPR vs Data Protection Act 2018

Compare the UK GDPR and the Data Protection Act 2018, including what the UK GDPR does directly and where the DPA 2018 supplements, restricts, or extends it.

UK GDPR vs EU GDPR | Practical Comparison

Practical comparison of the UK GDPR and EU GDPR, including scope, transfers, regulators, adequacy, and operational divergence for multinational programmes.

UK vs EU GDPR Differences | Operational Differences List

Operational differences between the UK and EU privacy regimes, including transfer tools, adequacy lists, regulators, notices, and programme governance.