---
title: "UK GDPR Applicability Test"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/applicability-test"
source_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/applicability-test"
author: "Sorena AI"
description: "Assess UK GDPR territorial scope, controller or processor role, special category triggers, and UK transfer exposure with a defensible applicability test."
keywords:
  - "UK GDPR applicability test"
  - "UK GDPR territorial scope"
  - "article 3 UK GDPR"
  - "controller processor UK"
  - "UK GDPR applicability"
  - "Article 3"
  - "Controller and processor"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# UK GDPR Applicability Test

Assess UK GDPR territorial scope, controller or processor role, special category triggers, and UK transfer exposure with a defensible applicability test.

*Applicability* *UK GDPR*

## UK GDPR Applicability Test

Decide if UK GDPR applies and which obligations trigger first.

Use Article 3 scope tests, role mapping, and risk triggers to avoid shallow or overbroad scoping.

A good UK GDPR scope memo shows why the law applies, which entity acts as controller or processor, and which high risk workflows need follow up work.

## Article 3 territorial scope

UK GDPR has applied in the United Kingdom since January 1, 2021. Start with whether the processing is tied to a UK establishment, offering goods or services to people in the UK, or monitoring behaviour in the UK.

- Map each processing activity to the relevant UK entity, product, vendor, and destination country
- Record why the activity is linked to a UK establishment, UK targeting, or UK behaviour monitoring
- Capture out of scope activities with the legal rationale
- Version the scope record after product or vendor changes

## Role and risk analysis

For each activity, decide whether the organisation is a controller, joint controller, or processor and note whether children, profiling, special category data, or transfers are involved.

- Assign controller or processor status per activity and contract
- Escalate joint controller cases where purpose and means are shared
- Flag DPIA triggers for profiling, children, or sensitive data uses
- Identify restricted transfers and any adequacy, IDTA, or Addendum need

## Minimum evidence pack

An applicability decision is useful only if it can be defended later. Keep the output close to the processing inventory and vendor register.

- Applicability memo linked to the Article 30 style inventory
- Role matrix for controllers, processors, and key subprocessors
- Risk trigger register for DPIA, breach, child privacy, and transfer work
- Review schedule tied to launches and major supplier changes

*Recommended next step*

*Placement: after the applicability result*

## Turn UK GDPR Applicability Test into an operational assessment

Assessment Autopilot can take UK GDPR Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on UK GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for UK GDPR Applicability Test](/solutions/assessment.md): Start from UK GDPR Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through UK GDPR](/contact.md): Review your current process, evidence gaps, and next steps for UK GDPR Applicability Test.

## Primary sources

- [ICO UK GDPR guidance and resources](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/?ref=sorena.io) - Primary ICO guidance hub.
- [ICO guide to accountability and governance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Accountability, records, and contracts guidance.
- [ICO documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/documentation/?ref=sorena.io) - Article 30 and supporting documentation guidance.
- [UK GDPR on legislation.gov.uk](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - UK legislative text.

## Related Topic Guides

- [IDTA vs EU SCCs | UK GDPR Transfer Tool Comparison](/artifacts/uk/uk-gdpr/idta-vs-eu-sccs.md): Compare the UK IDTA, UK Addendum, and EU standard contractual clauses for UK GDPR transfer compliance, contract selection, and transfer risk assessments.
- [UK GDPR Breach Notification | 72 Hour ICO Reporting Guide](/artifacts/uk/uk-gdpr/breach-notification.md): Operational guide to UK GDPR breach notification, including the 72 hour ICO deadline, processor escalation, breach logging.
- [UK GDPR Checklist | Practical Compliance Checklist](/artifacts/uk/uk-gdpr/checklist.md): Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness.
- [UK GDPR Children and Age Appropriate Design](/artifacts/uk/uk-gdpr/children-and-age-appropriate-design.md): Implement the UK Children's Code with grounded guidance on likely to be accessed tests, high privacy defaults, profiling limits, geolocation, age assurance.
- [UK GDPR Compliance Program | Operating Model Guide](/artifacts/uk/uk-gdpr/compliance.md): Build a UK GDPR compliance program with accountability, Article 30 records, DPIAs, controller processor contracts, rights operations, transfer controls.
- [UK GDPR Data Subject Rights | One Month Response Guide](/artifacts/uk/uk-gdpr/data-subject-rights.md): Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, objection.
- [UK GDPR Deadlines and Compliance Calendar](/artifacts/uk/uk-gdpr/deadlines-and-compliance-calendar.md): Calendar view of UK GDPR milestones, including January 1, 2021 applicability, March 2022 transfer tools, one month rights deadlines.
- [UK GDPR FAQ | Practical Questions and Answers](/artifacts/uk/uk-gdpr/faq.md): Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure.
- [UK GDPR Penalties and Fines | Enforcement Exposure Guide](/artifacts/uk/uk-gdpr/penalties-and-fines.md): Guide to UK GDPR penalties and fines, including the 17.5 million pounds or 4 percent upper tier, the 8.7 million pounds or 2 percent standard tier.
- [UK GDPR Requirements | Control Level Requirements Guide](/artifacts/uk/uk-gdpr/requirements.md): Control level UK GDPR requirements covering principles, lawful basis, transparency, rights, Article 30 records, security, contracts, transfers, and DPIAs.
- [UK GDPR Transfers, IDTA, and UK Addendum](/artifacts/uk/uk-gdpr/transfers-idta-and-uk-addendum.md): Detailed UK GDPR international transfers guide covering adequacy, UK IDTA, UK Addendum, transfer risk assessments, vendor governance, and UK bridge reliance.
- [UK GDPR vs Data Protection Act 2018](/artifacts/uk/uk-gdpr/uk-gdpr-vs-data-protection-act-2018.md): Compare the UK GDPR and the Data Protection Act 2018, including what the UK GDPR does directly and where the DPA 2018 supplements, restricts, or extends it.
- [UK GDPR vs EU GDPR | Practical Comparison](/artifacts/uk/uk-gdpr/uk-gdpr-vs-eu-gdpr.md): Practical comparison of the UK GDPR and EU GDPR, including scope, transfers, regulators, adequacy, and operational divergence for multinational programmes.
- [UK vs EU GDPR Differences | Operational Differences List](/artifacts/uk/uk-gdpr/uk-vs-eu-differences.md): Operational differences between the UK and EU privacy regimes, including transfer tools, adequacy lists, regulators, notices, and programme governance.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/uk-gdpr/applicability-test