UK Privacy Policy Compliance Checklist

📅 Updated: November 2025
52 Compliance Points
🔒 UK GDPR Compliance
Ensure your privacy policy meets all UK GDPR and Data Protection Act 2018 requirements. This interactive checklist covers essential elements including data collection, legal bases, user rights, security measures, international transfers, and ICO compliance. Check off items as you review your policy, track your progress, and download as PDF when complete.

How to Use This Checklist

Click each checkbox to mark an item as complete. Your progress is saved automatically in your browser.

✅ Three Ways to Use This Tool

1. Audit existing policies: review your current privacy policy against all 52 UK GDPR compliance points.
2. Draft new policies: make sure you don't miss any essential data protection requirement.
3. Compare with legal drafts: verify that your policy covers everything UK law requires.

⚠️ Where Should Your Privacy Policy Be Placed?

🔗 Footer Link: Your privacy policy should be prominently linked in your website footer, accessible from every page. This is the standard location users expect to find it.
📄 Separate Page: Host your privacy policy on its own dedicated webpage (e.g., www.yoursite.com/privacy-policy)
✅ Registration/Checkout: Link to your privacy policy clearly during account registration, checkout, or any data collection point
🔔 First Visit: Consider showing a cookie/privacy banner on first visit with a link to your full privacy policy

⚠️ Understanding Importance Levels

🔴 Critical: Must have - omission creates serious legal risk and ICO penalties up to £17.5M or 4% of global turnover
🟡 Important: Should have - recommended for proper compliance and transparency
🔵 Recommended: Best practice - enhances user trust and demonstrates accountability


1. Basic Information (6 items)

Data Controller Identity
Must clearly identify organization name, registered address, and company number. Required by UK GDPR Article 13. Users must know who controls their data.
🔴 Critical
Contact Information
Provide email address, phone number (if applicable), and physical address for privacy inquiries. Required for data subjects to exercise their rights under UK GDPR.
🔴 Critical
Data Protection Officer Details (if applicable)
If you have a DPO, provide their name and contact details. Required by UK GDPR Article 37 for public authorities, large-scale monitoring, or sensitive data processing.
🟡 Important
Policy Effective Date
Clear date showing when policy became effective. Demonstrates when data protection obligations commenced. Essential for audit trail and user transparency.
🟡 Important
Last Updated Date
Date of most recent policy revision. Shows ongoing compliance review. Helps users know if they need to re-read after changes.
🟡 Important
Scope Statement
Explain what services/activities the policy covers: website, mobile app, customer service, etc. Sets clear boundaries on data protection scope.
🔵 Recommended

2. What Data We Collect (8 items)

⚠️ UK GDPR Transparency Requirement

UK GDPR Article 13 requires you to clearly explain what personal data you collect. Vague categories like "contact details" are insufficient. You must specify: names, email addresses, phone numbers, payment details, IP addresses, cookies, etc. Hidden data collection can result in ICO enforcement up to £17.5M.

Identity Data
List specific identity information collected: full name, username, title, date of birth, gender. Be explicit - don't use vague terms. Required by UK GDPR for informed data subjects.
🔴 Critical
Contact Data
Specify contact information types: email address, phone number, postal address, delivery address. Distinguish between mandatory and optional fields if applicable.
🔴 Critical
Financial Data (if applicable)
If you process payments, disclose: bank account details, payment card information. Explain security measures like tokenization. Note: Never store full card details unless PCI-DSS compliant.
🔴 Critical
Technical Data
Disclose technical information collected: IP address, browser type/version, device type, operating system, time zone settings, location data. Required for cookie/tracking transparency.
🔴 Critical
Usage Data
Explain behavioral data collected: pages visited, products viewed, time on site, click patterns, search queries. Essential for analytics transparency under UK GDPR.
🟡 Important
Marketing & Communications Data
Disclose preferences collected: newsletter subscriptions, marketing opt-ins, communication preferences, advertising consent. Shows respect for consent requirements.
🟡 Important
Special Category Data (if applicable)
If you process sensitive data (health, race, religion, political opinions, etc.), you MUST explicitly state this and explain additional safeguards. UK GDPR Article 9 requires explicit consent.
🔴 Critical
Data Collection Methods
Explain how you collect data: directly from users (forms, registration), automatically (cookies, analytics), from third parties (lead providers, social media). Shows comprehensive transparency.
🔵 Recommended

3. Legal Basis for Processing (5 items)

⚠️ Legal Basis is Mandatory

UK GDPR Article 6 requires you to identify a lawful basis for every processing activity. You cannot process personal data without one of the six legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Missing legal basis is a serious compliance breach.

Legal Basis Clearly Stated
Explicitly state which UK GDPR Article 6 legal basis you rely on: consent, contract performance, legal obligation, legitimate interests, vital interests, or public task. Required by law.
🔴 Critical
Contract Performance Explained (if applicable)
If processing is necessary to fulfill a contract with the user (e.g., delivering products, providing services), explain this clearly. Common basis for customer relationships.
🔴 Critical
Legitimate Interests Explained (if applicable)
If relying on legitimate interests, explain what those interests are and why they don't override user rights. You must be able to demonstrate that a balancing test was carried out. Common for fraud prevention, analytics, and direct marketing.
🔴 Critical
Consent Mechanism Described (if applicable)
If you rely on consent, explain how you obtain it: checkboxes, opt-in forms, cookie banners. Consent must be freely given, specific, informed, and unambiguous under UK GDPR.
🔴 Critical
Legal Obligation Explained (if applicable)
If processing is required by UK law (tax records, employment law, regulatory requirements), cite the specific legal obligation. Demonstrates compliance necessity.
🟡 Important

4. How We Use Your Data (6 items)

Service Delivery Purposes
Explain how you use data to provide services: process orders, manage accounts, deliver content, provide customer support. Required by UK GDPR Article 13 - users must understand purposes.
🔴 Critical
Marketing & Communications Purposes
Disclose marketing uses: email newsletters, promotional offers, product recommendations, personalized advertising. Must explain opt-out rights. PECR requires consent for electronic marketing.
🔴 Critical
Analytics & Improvement
Explain use of data for website analytics, understanding user behavior, improving services, testing features. Required transparency for cookies and tracking technologies.
🟡 Important
Security & Fraud Prevention
Disclose use of data for security purposes: detecting fraud, preventing unauthorized access, monitoring abuse, protecting against malicious activity. Legitimate interest basis typically applies.
🟡 Important
Legal Compliance Purposes
Explain use of data to comply with legal obligations: tax records, regulatory reporting, law enforcement requests, dispute resolution. Legal obligation basis applies.
🟡 Important
No Purpose Creep Statement
Confirm you won't use data for purposes incompatible with those disclosed. Demonstrates commitment to purpose limitation principle under UK GDPR Article 5. Builds user trust.
🔵 Recommended


5. How We Share Your Data (5 items)

Complete List of Third-Party Recipients
Name all categories of third parties who receive data: payment processors, email providers, analytics services, hosting providers, marketing platforms. Required by UK GDPR Article 13.
🔴 Critical
Purpose for Each Sharing Activity
Explain why data is shared with each category: "payment processors to complete transactions", "email providers to send communications". Specific purposes demonstrate transparency.
🔴 Critical
Service Providers & Processors
Identify key service providers acting as data processors: cloud hosting, CRM systems, support tools. Explain they process data only on your instructions and have data processing agreements.
🟡 Important
Legal Disclosure Circumstances
Explain circumstances when you may disclose data for legal reasons: court orders, law enforcement requests, regulatory investigations, protection of rights. Required transparency.
🟡 Important
Business Transfer Disclosure
State that data may be transferred in event of merger, acquisition, asset sale, or bankruptcy. Standard clause showing comprehensive disclosure of potential sharing scenarios.
🔵 Recommended

6. International Data Transfers (3 items)

Disclosure of International Transfers
State whether personal data is transferred outside the UK/EEA. Required by UK GDPR Article 13. Many common services (Google, AWS, Microsoft) involve international transfers, and these must be disclosed.
🔴 Critical
Countries/Regions Identified
Specify destination countries or regions: United States, worldwide, etc. Users entitled to know geographic location of their data. Shows transparency about cross-border data flows.
🟡 Important
Safeguards for Transfers
Explain protection mechanisms: UK adequacy decisions, International Data Transfer Agreements (IDTA), Standard Contractual Clauses (SCCs), binding corporate rules. Required by UK GDPR Chapter V.
🔴 Critical

7. Data Retention (3 items)

Retention Periods Stated
Explain how long you keep personal data or criteria for determining retention: "customer data for 6 years", "marketing data until consent withdrawn". Required by UK GDPR Article 13.
🔴 Critical
Retention Criteria Explained
Explain factors determining retention: legal requirements (tax, employment), contract performance, legitimate interests. Shows data minimization and purpose limitation compliance.
🟡 Important
Deletion Process Described
Explain what happens when retention period expires: secure deletion, anonymization, archival. Demonstrates accountability and commitment to data minimization under UK GDPR Article 5.
🔵 Recommended

8. Your Rights Under UK GDPR (8 items)

⚠️ User Rights Are Mandatory

UK GDPR Chapter III grants data subjects extensive rights. You MUST explain these rights clearly and provide mechanisms to exercise them. Failing to respect user rights is a serious breach that can result in ICO fines up to £17.5M or 4% of global turnover.

Right of Access Explained
Users can request a copy of their personal data. Explain how to submit an access request and the typical response time (1 month). This is the fundamental right set out in UK GDPR Article 15.
🔴 Critical
Right to Rectification
Users can request correction of inaccurate data. Explain process for updating information. UK GDPR Article 16 - ensures data accuracy.
🔴 Critical
Right to Erasure ("Right to be Forgotten")
Users can request deletion of their data in certain circumstances. Explain when this right applies and any limitations (legal obligations). UK GDPR Article 17.
🔴 Critical
Right to Restriction of Processing
Users can request limited processing in certain situations: accuracy disputes, unlawful processing, or objection pending. UK GDPR Article 18.
🟡 Important
Right to Data Portability
Users can receive their data in structured, machine-readable format and transmit to another controller. Applies when processing based on consent or contract. UK GDPR Article 20.
🟡 Important
Right to Object
Users can object to processing based on legitimate interests or direct marketing. Must respect objection unless compelling legitimate grounds override. UK GDPR Article 21.
🔴 Critical
Right to Withdraw Consent
Where processing based on consent, users can withdraw at any time. Explain how to withdraw consent and that withdrawal doesn't affect lawfulness of past processing. UK GDPR Article 7(3).
🔴 Critical
Response Timeframe Stated
Confirm you'll respond to rights requests within 1 month (UK GDPR standard). Can extend to 3 months for complex requests. Shows commitment to respecting user rights promptly.
🟡 Important

9. Data Security Measures (3 items)

Security Measures Described
List technical and organizational measures to protect data: encryption (in transit/at rest), access controls, secure servers, staff training, regular security testing. UK GDPR Article 32 requirement.
🔴 Critical
Security Limitation Disclaimer
Acknowledge that no method of transmission/storage is 100% secure. Standard disclaimer showing realistic transparency about security limitations while affirming commitment to protection.
🔵 Recommended
Breach Notification Commitment
State that you'll notify the ICO within 72 hours of a breach and notify affected individuals where there is a high risk to their rights and freedoms. Required by UK GDPR Articles 33 and 34; demonstrates preparedness.
🔴 Critical

10. Additional Requirements (5 items)

Children's Privacy Policy
If you collect data from children under 13 (or 16 in UK for online services), explain parental consent requirements, verification methods, and additional protections. UK GDPR Article 8.
🔴 Critical
Cookie Policy Reference
Link to separate cookie policy or include cookie information. Cookies are personal data requiring disclosure. PECR requires specific cookie consent and transparency.
🟡 Important
Policy Update Process
Explain how you'll notify users of material policy changes: updated date, website notice, email notification, re-consent if required. Shows ongoing commitment to transparency.
🟡 Important
ICO Complaint Information
Inform users of right to complain to ICO (Information Commissioner's Office). Include ICO contact details: website, helpline, postal address. Required by UK GDPR Article 77.
🔴 Critical
Plain English Language
Entire policy written in clear, plain language avoiding excessive legal jargon. UK GDPR requires information to be "concise, transparent, intelligible and easily accessible". User understanding is paramount.
🔴 Critical

Next Steps

Now that you've reviewed the compliance checklist, you have three options:

✅ Use Our Ready-Made Template (Recommended)

Save hours of legal research and drafting. Our professionally-crafted privacy policy covers all 52 UK GDPR compliance points with legally-sound wording. Available in both Interview Mode (guided questionnaire) and Editor Mode (direct editing) for just £10.

📝 Draft Your Own Policy

Use this checklist as your guide, but remember: getting the legal wording correct is complex. UK GDPR requires precise language around legal bases, data subject rights, international transfers, and security measures. A single compliance gap can result in ICO fines up to £17.5M or 4% of global turnover.

⚖️ Book a Legal Consultation

For complex data processing activities, special category data, or if you handle large-scale personal data, consider booking a consultation with our legal professionals for personalized UK GDPR advice tailored to your specific circumstances.
