UK GDPR Technical Requirements for Software
| Requirement | Technical Implementation | Evidence for ICO | Common Mistake |
|---|---|---|---|
| Data residency | AWS eu-west-2 (all production data). No personal data in US regions. | AWS region confirmation in architecture diagram | Using Vercel/Firebase US default regions for personal data |
| Lawful basis documentation | PostgreSQL table: data_processing_activities (GDPR Article 30 record) | Article 30 processing record -- ICO expects this documented | Processing without documented lawful basis |
| Right to erasure | PostgreSQL CASCADE DELETE + TanStack Query cache.clear() + audit log | Erasure request log with timestamp and confirmation | Deleting from one table but not related tables (no CASCADE) |
| DPIA | ICO DPIA template for: AI profiling, health data, systematic monitoring | DPIA document + ICO prior consultation if high residual risk | Starting high-risk processing without DPIA |
| DPA with processors | AWS DPA, Stripe DPA, Anthropic DPA, Onfido DPA -- all signed | Signed DPAs in contract management system | Using a processor (Firebase, Vercel) without signed DPA |
| Data minimisation | Collect only fields needed. Delete when purpose ends. No indefinite retention. | Data retention policy + automated deletion (PostgreSQL TTL pattern) | Collecting email, DOB, phone when only email is needed |
| Consent (PECR for marketing) | OneTrust or Cookiebot -- explicit PECR consent for analytics cookies | Consent log with timestamp, IP, consent version | Pre-ticked boxes, implied consent, no consent for analytics |
UK GDPR Article 9 -- Special Category Data
ICO enforcement 2026: ICO issued 14 enforcement notices in H1 2026, the highest since UK GDPR came into force. Top violations: (1) insufficient data residency documentation, (2) missing DPAs with processors, (3) DPIA not completed before high-risk processing. ClickMasters includes UK GDPR architecture review in all client engagements -- GDPR compliance is built in, not bolted on.