---
title: "UK GDPR Checklist"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/checklist"
source_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/checklist"
author: "Sorena AI"
description: "Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness."
keywords:
  - "UK GDPR checklist"
  - "UK GDPR compliance checklist"
  - "article 30 checklist"
  - "UK GDPR transfer checklist"
  - "Accountability"
  - "Article 30"
---

# UK GDPR Checklist

Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness.


## UK GDPR Checklist

Use a practical UK GDPR checklist that tracks legal duties and the evidence behind them.

A good checklist ties each requirement to an owner, proof artifact, and review cadence.

The fastest way to miss a UK GDPR issue is to keep separate lists for legal, product, security, and procurement. Use one checklist that joins them.

## Governance and documentation

Start with accountability documents. The ICO expects records that show what you process, why you process it, who you share it with, how long you keep it, and who is responsible.

- Record lawful basis and transparency decisions
- Maintain Article 30 records for controller or processor activities
- Keep controller-processor contracts and joint controller arrangements current
- Track DPIAs, legitimate interests assessments, and retention decisions

## Operational rights and security

The checklist should test whether requests can be received, verified, answered within one month, and closed with evidence. It should also test whether Article 32 security matches actual risk.

- Confirm request channels, verification steps, and one-month response metrics
- Retain denial rationales, extension notices, and exception logs
- Review security measures, access control, vendor oversight, and recovery capability
- Check breach logging and the 72-hour notification workflow

## Transfers, children, and change management

High-risk gaps often sit at the edges of the programme. Transfer tools, child-facing services, and product changes should appear on the checklist as recurring review items.

- Inventory restricted transfers and the legal tool used for each one
- Retain IDTA or Addendum packs and TRAs
- Assess whether the service is likely to be accessed by children
- Run change review when products, vendors, retention periods, or data uses change


## Turn UK GDPR Checklist into an operational assessment

Assessment Autopilot can turn this UK GDPR checklist into a reusable operational workflow inside Sorena. Teams working on UK GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for UK GDPR Checklist](/solutions/assessment.md): Start from UK GDPR Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through UK GDPR](/contact.md): Review your current process, evidence gaps, and next steps for UK GDPR Checklist.

## Primary sources

- [ICO guide to accountability and governance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Accountability, records, and contracts guidance.
- [ICO documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/documentation/?ref=sorena.io) - Article 30 and supporting documentation guidance.
- [ICO personal data breaches guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - Article 33 and 34 operational guidance.
- [ICO international transfers guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/?ref=sorena.io) - Adequacy, IDTA, Addendum, and TRA guidance.


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/uk-gdpr/checklist
