| Scope and covered activity | UK: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | EU Differences: test its own scope boundary, exclusions, and covered activity; do not copy the UK conclusion without a separate source-linked finding. | Write two scope findings first: where UK applies, where EU Differences applies, and which facts are outside one side even if evidence can be reused. |
|---|
| Who must act | UK: identify the controller, processor, joint controller, UK representative, DPO, importer, exporter, or public authority that owns the UK GDPR duty. | EU Differences: assign the comparator duty to its own accountable actor and note when counterparties, subsidiaries, importers, providers, or customers differ. | Name each role separately because one entity can hold different obligations in different workflows. |
|---|
| Trigger or threshold | UK: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim. | EU Differences is triggered only by the facts named in its source, such as thresholds, regulated status, risk tier, designation, incident, market placement, certification need, or supervisory notice. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
|---|
| Core obligations | UK GDPR requires lawful bases, ROPA, DPIAs, DPO appointment where required, 72-hour breach notification to the ICO, data subject request responses within one calendar month, and international transfer mechanisms laid by the UK Secretary of State, including the IDTA and UK Addendum. | EU GDPR requires the same documentation and accountability obligations but routes supervisory authority oversight through each EU member state's national DPA under the one-stop-shop mechanism, mandates transfer tools approved by the European Commission, and applies EU Charter of Fundamental Rights standards to cross-border enforcement. | Translate obligations into tickets, notices, records, controls, or contract terms. |
|---|
| Evidence and records | UK: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | EU Differences: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
|---|
| Timing and cadence | UK: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | EU Differences: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
|---|
| Enforcement or assurance route | UK: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | EU Differences: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
|---|
| Overlap and reuse | UK: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | EU Differences can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
|---|
| Practical decision rule | UK: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | EU Differences: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | Choose one practical next step: proceed under UK, proceed under EU Differences, run both in parallel, or document why neither side controls the present fact pattern. |
|---|