
GDPR & UK DPA 2018 Compliance Checker

European Union - General Data Protection Regulation (Regulation (EU) 2016/679) - EU GDPR
United Kingdom – UK General Data Protection Regulation (retained EU law, supplemented by the Data Protection Act 2018) – UK GDPR

Created by: Ankit Bhargava.

If you have customers located in both the EU & the United Kingdom (UK), this compliance checker can help you identify what data privacy rules apply to you and what steps you need to take next. It's free, easy, and simple. No email or sign up required.

When your users/customers are located in: EU and UK.

Your Takeaway:

Your customers are in both the European Union and the United Kingdom. That means you need to follow two separate but very similar laws: the EU GDPR and the UK GDPR, read together with the Data Protection Act 2018. The good news is they are almost identical – same core principles, same rights for individuals, same obligations for businesses. The bad news is they are legally separate. A decision by an EU court doesn't automatically apply in the UK, and vice versa. You also need to watch for small but important differences, such as the UK's "soft opt‑in" for email marketing (which sits in PECR rather than in the UK GDPR itself), the maximum fines (up to €20 million or 4% of worldwide turnover in the EU, up to £17.5 million or 4% in the UK), and the paperwork for international transfers. And if you're based outside both the EU and the UK, you may need to appoint a representative in each.

Your Privacy Best Practices:

– Get a copy of the UK ICO's "Guide to the UK GDPR" – it's free and written in plain English. Read the summary, not the full law.
 

– Check if you need a UK representative. If you have customers in the UK but your business is outside the UK, you likely do. Same for an EU representative if you're outside the EU.
 

– Keep a simple table comparing EU and UK requirements for the areas that affect you most – typically marketing rules, transfer mechanisms, and supervisory authorities.
 

– Don't assume a UK‑only policy works for EU customers, or vice versa. Write your documentation to cover both, or write two separate versions.

How I Can Help:

I can help you know exactly which version of the GDPR, EU or UK (including the UK DPA 2018), applies to which customers, whether you need representatives, and where the differences actually matter for your daily operations.

Select Your Scenario Below — I'll Show You What To Fix & How.

We collect only basic personal data of our users/customers:

Your Takeaway:

You collect only basic contact or identification details – name, email, phone number, and address. Under both EU and UK GDPR, basic data is treated similarly and is considered lower risk than sensitive data. You still need a valid legal basis (consent or contract works well), a privacy notice that tells people what you're doing, and a retention policy. The good news: basic data is much easier to manage. The UK ICO tends to be slightly more pragmatic in enforcement for small businesses, but the rules are almost identical to the EU.

Your Privacy Best Practices:

– Create a simple one‑page document listing each type of basic data you collect and why you need it. Do this separately for EU and UK customers if you process them differently, but usually the same list works.
 

– Write a short privacy notice (one page max) that covers both EU and UK requirements. Include the following: what data, why, how long, who gets it, and how to complain to the ICO (UK) and your lead EU supervisory authority.
 

– Set a retention period – For example: 2 years after last activity is a good default for basic data.
 

– Test your ability to find and delete one customer's data within one month – the statutory deadline for an erasure request. A dry run is the only way to find out whether spreadsheets, backups and third‑party tools are covered.

How I Can Help:

I will help you create a consolidated “data inventory” for each data type you collect and a basis for collecting your users' personal information.

We collect both basic and sensitive personal data of our users/customers.

Your Takeaway:

You collect sensitive data – health records, biometrics used to identify someone, political opinions, religious beliefs, or criminal history. Under both EU and UK GDPR, most of these are "special category data" (Article 9); criminal offence data has its own, equally strict rules (Article 10). Financial account details are not special category data, but they deserve the same care because of the fraud risk. You cannot rely on "legitimate interest" or "contract" alone. You need explicit consent from each customer (written is the easiest to prove) or one of the other specific Article 9 conditions (such as employment law or public health), and in the UK several of those conditions also require a documented "appropriate policy document" under the DPA 2018. You almost certainly need a Data Protection Impact Assessment (DPIA). The UK has slightly more flexibility for health research and social care, but for most businesses the rules are identical to the EU – and they are strict.

Your Privacy Best Practices:

– First, challenge yourself: do you really need this sensitive data? Many businesses collect it because "we always have" or "it might be useful". If you can deliver your service without it, stop collecting it.
 

– If you truly need it, get explicit written consent. Not a pre‑ticked box. Not a hidden clause. A clear, separate "Yes, I agree" that you store as proof. The UK ICO has example consent forms – use them.
 

– Conduct a DPIA. The UK ICO has a free DPIA template. It's a structured way to think through risks. Don't skip this – regulators ask for it.
 

– Limit access to sensitive data to only those employees who absolutely need it. Keep access logs. Encrypt the data wherever possible.
 

– If you transfer sensitive data outside the UK or EU, the rules are even stricter. Get legal advice.

How I Can Help:

I can help you run a DPIA specific to your business operation(s). We’ll go through each sensitive data field together, identify where things could go wrong, and write down the required fixes. If we find that you don’t actually need the sensitive data, I’ll help you plan a safe deletion process.

We collect our users'/customers' personal data for Selling our products/services.

Your Takeaway:

Your customers expect you to use their data only to deliver what they bought from you. Under both EU and UK GDPR, this is the lowest‑risk purpose: processing that is necessary to perform the contract. You still need a privacy notice, but it can be very short. The UK ICO is generally more pragmatic than some EU authorities, but the rules are nearly identical. The biggest risk is accidentally crossing the line – for example, adding a customer's email to a marketing list without asking, or using purchase history for analytics without telling them.

Your Privacy Best Practices:

– Write a one‑sentence notice on your checkout page: "We use your information only to complete your purchase, send order confirmations, and provide customer support."
 

– Do not add customers to any marketing list unless they separately and actively opt in. The UK soft opt‑in only covers people whose details you collected in the course of a sale, who were given a clear chance to refuse marketing at that point, and who are only told about your own similar products or services. If you skipped the opt‑out at checkout, it doesn't apply.
 

– Train your team: if someone asks "can we use this customer's email for a newsletter?" the answer is no unless there's a separate, unchecked checkbox that they ticked.
 

– Review your order confirmation emails. They should not contain marketing messages unless the customer opted in separately.

How I Can Help:

I’ll look at your checkout process, order confirmation emails, and any automated messages you send. I’ll tell you exactly where you might be accidentally using data beyond “delivery only” – and how to fix it.

We collect our users'/customers' personal data for Marketing & Promotion.

Your Takeaway:

Your customers expect you to use their data for marketing or promotions. Under both EU and UK GDPR, this normally requires opt‑in consent, and for email and text marketing the detailed rules actually come from the ePrivacy regime (PECR in the UK) rather than from the GDPR itself. PECR has a "soft opt‑in": if you collected someone's details in the course of selling them something, and gave them a clear chance to opt out at that time, you can send them electronic mail (which PECR reads to include email, SMS and similar stored messages) about your own similar products without explicit consent. It does not cover phone calls. The EU ePrivacy Directive contains the same exception, but each member state implements it differently, so treat it as a UK convenience and default to explicit opt‑in consent for EU customers and for anyone who has not bought from you. You must keep records of consent and make unsubscribing as easy as signing up.

Your Privacy Best Practices:

– For new customers everywhere, and for EU customers regardless of history (member states implement the ePrivacy soft opt‑in differently, so explicit consent is the safe default), use an unchecked checkbox: "Yes, please send me offers and updates."
 

– For existing UK customers, you may use soft opt‑in, but you must have given them a clear opt‑out when they first shared their details. If you didn't, get consent now.
 

– Keep a consent log: customer email, date of consent, and exact wording they agreed to. A simple spreadsheet works.
 

– In every marketing email, include a one‑click unsubscribe link that works immediately. No "login to manage preferences". The UK ICO has fined companies for making unsubscribing difficult.
 

– Separate your EU and UK marketing lists. Apply the stricter EU rules to everyone if you want to keep it simple.

How I Can Help:

I’ll review your current signup forms and email marketing setup. I’ll tell you which forms are safe and which ones could get you a warning letter from a regulator. If you need to re‑obtain consent from existing customers,

We collect our users'/customers' personal data for Monitoring & Profiling.

Your Takeaway:

You monitor customer behaviour – tracking clicks, time on site, pages viewed – or you build profiles based on that behaviour. Under both EU and UK GDPR, this requires consent unless the monitoring is strictly necessary for the service you provide. "Necessary" means the service literally wouldn't work without it – for example, keeping items in a shopping cart. Profiling that leads to legal or similarly significant effects (like automatically rejecting a loan or flagging someone as high‑risk) is heavily restricted under Article 22. The cookie and tracking rules themselves sit in PECR (regulation 6 in the UK) rather than in the GDPR: the UK ICO's guidance expects consent for all non‑essential cookies and similar tracking, and reads "strictly necessary" narrowly, so analytics cookies do not qualify.

Your Privacy Best Practices:

– Separate your tracking into two groups: "essential for service" (shopping cart, security, fraud prevention) and "everything else" (Google Analytics, heatmaps, personalisation, session recording). Get consent for the second group.
 

– Use a consent management banner that lets people say no to non‑essential tracking – and honour that choice. The UK ICO has example banners.

– If you make solely automated decisions that affect customers (credit scoring, insurance pricing, job application screening, or loan decisions), pause and get legal advice before continuing. Article 22 restricts decisions made without meaningful human involvement that have legal or similarly significant effects, and where it does allow them you must tell people, let them contest the decision, and offer human review.

– Document your tracking tools. Keep a list of each script, what it does, and whether you have consent.

How I Can Help:

If you’re doing any kind of automated profiling, I’ll help you assess whether it’s allowed or if you need to change it.

We collect our users'/customers' personal data for Third‑Party sharing.

Your Takeaway:

You share customer data with third parties – analytics providers, advertising networks, payment processors, email marketing platforms, or business partners. Under both EU and UK GDPR, you must name the recipients, or at least the categories of recipient, in your privacy notice (Article 13(1)(e)), and if an individual asks you should be able to say who actually received their data. For sharing that isn't strictly necessary for your service (like sharing with advertisers), you usually need separate, explicit consent. You also need a written Data Processing Agreement (DPA) that meets Article 28 with each third party that processes data on your behalf. If the third party is outside the UK or EU and its country has no adequacy decision, you need additional safeguards: EU Standard Contractual Clauses (SCCs) for EU data, and either the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for UK data.

Your Privacy Best Practices:

– Create a vendor table with columns: vendor name, what data they see, where they are located (country), and why you share with them. Put this table on your website – not buried, but easy to find.
 

– For each vendor, ask: "Do they really need this data?" If not, stop sharing or find a vendor that doesn't need it.
 

– Sign a DPA with every vendor that processes customer data. Most major vendors (Stripe, Mailchimp, Google, AWS, and Zoom) have DPAs in their legal centre – you just need to accept or download them.
 

– For vendors outside the UK/EU, add SCCs (for EU data) or the UK Addendum (for UK data). Many vendors provide these automatically – check their legal centre.
 

– Review your vendor list every six months. Vendors change their practices.

How I Can Help:

I can review your existing DPA and tell you which vendors are safe, which ones need a DPA, and which ones you should stop using. I also help you prepare a new DPA in plain English which you can send to any vendor that doesn’t have their own.

We have not informed our users/customers anything.

Your Takeaway:

You haven't told your customers what you do with their data. Under both EU and UK GDPR, this is a direct violation of Articles 13 and 14 – the right to be informed. It's also the most common and easiest violation to fix. The UK ICO has issued fines for lack of transparency, even for small businesses. You don't need a perfect privacy notice overnight, but you do need to take immediate steps to inform people. The good news: fixing this is usually simple and cheap. A basic privacy notice takes an hour to write.

Your Privacy Best Practices:

– Publish a privacy notice by the end of this week. Start simple: "We collect [list data]. We use it for [list purposes]. We keep it for [time period]. We share it with [list third parties, or 'no one']. You can contact us at [email]. You can complain to the ICO at [link]."
 

– Put a link to your privacy notice everywhere you collect data: signup forms, checkout, email footers, and website footers.
 

– If you already have customer data, send a short email or notification: "We've updated our privacy notice. You can read it here."
 

– For UK customers specifically, make sure your notice includes the ICO's contact details. For EU customers, include your lead supervisory authority.

How I Can Help:

I can help you design & create a well-drafted privacy notice compliant with your concerned privacy law(s) specifically for businesses that only collect basic data. I can also review your existing template and point out any missing pieces of mandatory requirements. We can finalise where to place your policy link so you’re fully covered.

We do 'personal data processing' based on our users’/customers’ consent.

Your Takeaway:

You rely on customer consent as your legal basis. Under both EU and UK GDPR, consent is valid – but it's also the most misunderstood and most challenged basis. Consent must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, inactivity, or "by using our service you agree" do not count. You must keep records of when, how, and what the customer agreed to. And you must make withdrawal as easy as giving consent – ideally one click or one email. The UK ICO has fined companies for making unsubscribing difficult. If you can't prove consent, you don't have consent.

Your Privacy Best Practices:

– Use double opt‑in for important data: the customer checks a box, then you send a confirmation email and they click a link to verify. This gives you clear proof.
 

– Keep a consent log: customer ID, date and time, exact wording they saw (copy and paste it), and a screenshot or copy of the form.
 

– On every consent form, include a sentence: "You can withdraw your consent at any time by clicking here [link] or emailing us at [email]."
 

– Never bundle consent with terms of service or other checkboxes – they must be separate.
 

– Review your consent requests every year. Do they still make sense? Are they still specific?
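The consent log recommended under Marketing & Promotion and the double opt‑in, consent log and withdrawal steps above, as one added example that is not part of this page: a small Python consent register. The names (ConsentRegister, request_consent, confirm, withdraw, has_valid_consent, evidence), the customer IDs and the sample wording are all illustrative, and the store is an in‑memory list. It refuses pre‑ticked boxes, keeps a hash of the exact wording so later edits are detectable, stores only a hash of the one‑time confirmation token, rejects expired or reused confirmation links, treats an unconfirmed request as no consent, and stamps a withdrawal rather than deleting the record, so the log can still show a regulator what happened.

```python
# Added example, not the page's own: an in-memory consent register with double opt-in,
# withdrawal and an evidence export. Names are illustrative; sample data is constructed.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str                 # your internal customer ID, not the raw email address
    purpose: str                    # one record per purpose, e.g. "marketing-email"
    wording: str                    # the exact text the person saw, copied verbatim
    wording_sha256: str             # proves the stored wording was not edited afterwards
    source: str                     # which form or page produced the request
    requested_at: datetime          # step 1: the box was ticked
    token_hash: str                 # hash of the emailed token; the token itself is never stored
    confirmed_at: Optional[datetime] = None   # step 2: the emailed link was clicked
    withdrawn_at: Optional[datetime] = None   # stamped on withdrawal; the record is kept as proof


class ConsentRegister:
    """Append-only consent log; swap the list for a database table in production."""

    def __init__(self, token_ttl: timedelta = timedelta(hours=24),
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._records: list[ConsentRecord] = []
        self._token_ttl = token_ttl
        self._now = now  # injectable clock so the flow can be replayed deterministically

    def request_consent(self, subject_id: str, purpose: str, wording: str, source: str,
                        box_ticked: bool, box_prechecked: bool) -> str:
        """Step 1 of double opt-in; returns the one-time token for the confirmation email."""
        if box_prechecked:
            raise ValueError("a pre-ticked box is not consent")
        if not box_ticked:
            raise ValueError("no affirmative action, nothing to record")
        token = secrets.token_urlsafe(32)
        self._records.append(ConsentRecord(subject_id, purpose, wording, _sha256(wording), source,
                                           self._now(), _sha256(token)))
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the link was clicked. Rejects unknown, expired and reused tokens."""
        digest = _sha256(token)
        for rec in self._records:
            if hmac.compare_digest(rec.token_hash, digest):
                if rec.confirmed_at is not None:
                    return False  # token already used
                if self._now() - rec.requested_at > self._token_ttl:
                    return False  # clicked too late; ask again rather than assume
                rec.confirmed_at = self._now()
                return True
        return False

    def withdraw(self, subject_id: str, purpose: str) -> bool:
        """One-click withdrawal: stamp the record and stop relying on it, but never delete it."""
        hits = [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose
                and r.confirmed_at is not None and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = self._now()
        return bool(hits)

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before every send: a requested-but-unconfirmed record does not count."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.confirmed_at is not None and r.withdrawn_at is None
                   for r in self._records)

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """What to show a regulator: who, when, exact wording, source form, any withdrawal."""
        return [{k: v for k, v in asdict(r).items() if k != "token_hash"}
                for r in self._records if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> dict:
    """Replays the whole flow on a fixed clock with constructed data and reports each outcome."""
    clock = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    reg = ConsentRegister(now=lambda: clock[0])
    wording = "Yes, please send me offers and updates."  # constructed sample wording
    tok = reg.request_consent("cust-1001", "marketing-email", wording, "web-signup", True, False)
    out = {"before_confirm": reg.has_valid_consent("cust-1001", "marketing-email")}
    clock[0] += timedelta(hours=2)
    out["confirmed"] = reg.confirm(tok)
    out["after_confirm"] = reg.has_valid_consent("cust-1001", "marketing-email")
    out["replay_rejected"] = not reg.confirm(tok)
    late = reg.request_consent("cust-1002", "marketing-email", wording, "web-signup", True, False)
    clock[0] += timedelta(hours=25)  # second person clicks after the 24h window has passed
    out["expired_rejected"] = not reg.confirm(late)
    out["withdrawn"] = reg.withdraw("cust-1001", "marketing-email")
    out["after_withdraw"] = reg.has_valid_consent("cust-1001", "marketing-email")
    out["evidence_rows"] = len(reg.evidence("cust-1001", "marketing-email"))
    return out
```

Calling `demo()` walks one customer through request, confirmation, a replayed link, and withdrawal, and a second customer through a confirmation link clicked after the 24‑hour window. The design choice worth copying is that the record is the evidence: the wording hash, timestamps and withdrawal stamp are what you would show an inspector, and the raw token never touches storage.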

How I Can Help:

I’ll review your consent forms and consent logs. I’ll tell you if they would survive an inspection by a regulator. If not, I’ll show you exactly how to fix them – usually with required wording changes. I can also help you set up a consent logging system for your users’ consent management.

We do 'personal data processing' based on contract.

Your Takeaway:

You rely on contract as your legal basis. This means you collect and process data only because you need it to fulfil a contract with the customer – delivering a product, providing a service, sending invoices, or handling support tickets. A contract is a strong basis, but it has a hard limit: you can only process data that is strictly necessary for that contract. You cannot use a contract as an excuse to collect data for marketing, analytics, or any other purpose. If the customer doesn't provide the necessary data, you can refuse to enter into the contract. After the contract ends (customer stops using your service), you must delete the data unless another basis applies (like legal obligation for tax records).

Your Privacy Best Practices:

– In your signup or checkout form, clearly mark which fields are "required for contract" and which are "optional". The required ones are the only ones you can rely on contract for.
 

– Create a simple list: each piece of data you collect and a one‑sentence explanation of why it's strictly necessary for the contract. Keep this list in your files.
 

– Do not use contract‑collected data for any other purpose without a separate legal basis (like consent for marketing).
 

– After the contract ends, set a timer to delete the data – or move it to a different basis if one applies.

How I Can Help:

I’ll help you separate your “contract necessary” data from your “nice to have” data. We’ll go through your forms together, and I’ll point out which fields you can remove or make optional. This often simplifies your business and reduces your privacy risk at the same time.

We do 'personal data processing' based on legal obligation.

Your Takeaway:

You collect data because a specific law requires you to – for example, tax laws, anti‑money laundering rules, health and safety regulations, or employment laws. Under both EU and UK GDPR, this is a valid basis, but you must be able to point to the exact law that creates the obligation. You cannot collect more data than that law requires, and you cannot keep it longer than the law says. This basis is narrow – don't stretch it. If you're in the UK, you need a specific UK law. If you're in the EU, you need a specific EU or member state law.

Your Privacy Best Practices:

– For each legal obligation data point, write down the exact law name, article number, and section. For example: "Article 226 of the EU VAT Directive" or "UK Money Laundering Regulations 2017, Regulation 27".
 

– Keep a one‑page "legal basis register" that lists: data point → law → retention period required by that law.
 

– Do not use data collected for legal reasons for any other purpose (like marketing) without a separate legal basis.
 

– Review your legal obligations once a year – laws change, especially post‑Brexit. UK laws may diverge from EU laws over time.

How I Can Help:

I’ll help you create a legal basis register. You fill in what you collect and why. I’ll review it and tell you if any of your claimed legal obligations are actually too broad. I’ve seen many businesses claim “legal obligation” for things that aren’t really required – I’ll help you clean that up.

We do 'personal data processing' based on legitimate interest.

Your Takeaway:

You believe it's in your legitimate business interest to collect and process the data – for example, to prevent fraud, improve your website, or send certain types of non-marketing communications (like service updates). Under both EU and UK GDPR, legitimate interest is allowed, but you must conduct a Legitimate Interest Assessment (LIA) before you start. You need to balance your interest against the customer's rights and expectations. If the customer wouldn't reasonably expect the processing, or if it causes harm, legitimate interest fails. Marketing by email almost never qualifies. The UK ICO has specific LIA guidance and templates – use them.

Your Privacy Best Practices:

– Conduct an LIA using the UK ICO's three‑part test:
1) Purpose test: what is our interest?
2) Necessity test: is the processing necessary for that interest?
3) Balancing test: do the customer's interests, rights and freedoms override our interest?
Write down your answers in plain English.
 

– Be honest with yourself. If you're unsure, switch to consent instead – it's safer.
 

– Do not use legitimate interest for sensitive data, marketing emails, or tracking behaviour across websites.
 

– Keep your LIA on file. The ICO and EU authorities can ask to see it.
 

– Review your LIAs every year. Circumstances change.

How I Can Help:

I’ll help you conduct an LIA before the processing starts. I’ll review your answers and tell you if your legitimate interest claim would hold up. If it won’t, I’ll help you switch to a safer basis like consent or contract.

We are not sure about our lawful basis of users' personal data processing.

Your Takeaway:

You don't have a clear legal reason for collecting customer data. Under both EU and UK GDPR, this means you are likely processing personal data unlawfully. Article 6 requires a legal basis – there's no exception for "I didn't know" or "everyone does it". The UK ICO has fined businesses for this. This is urgent. You should stop collecting any data you can't justify immediately. For data you already have, assign a legal basis as soon as possible. Consent and contract are your safest starting points. If you can't assign a basis within two weeks, delete the data.

Your Privacy Best Practices:

– Stop all optional data collection right now – you can always restart after you have a legal basis.
 

– For existing data, go through each type and ask, "Do we have a contract with this person? If yes, the contract may work. If no, can we get consent? If no, delete it."
 

– Document every legal basis you assign. Write it down simply: "Data type X → Basis: contract because we need it to deliver service."
 

– If you cannot assign a basis within two weeks, delete the data. Keeping it is not safe.
 

– For UK customers specifically, check the ICO's lawful basis guidance – it's free and clear.

How I Can Help:

If you are unsure about your legal basis for processing, I can help you decide the appropriate lawful basis for each type of your users’ personal data.

We keep our users’/customers’ personal information for a Definite time.

Your Takeaway:

You keep customer data only for a defined period of time – for example, two years after their last purchase, or six years for tax records. Under both EU and UK GDPR, this is exactly what the storage limitation principle (Article 5) requires. You've already avoided one of the most common compliance mistakes. The remaining tasks: document that definite time in writing, include it in your privacy notice, and make sure your team actually follows the rule. Also make sure the retention rule reaches every copy: your cloud provider, email service, or analytics tool may still hold the data after you delete it from your own systems. The UK ICO expects you to have documented retention periods.

Your Privacy Best Practices:

– Write down your retention periods in a simple document. Example: "Customer contact data → deleted 2 years after last activity. Transaction data → kept 6 years, as HMRC requires for VAT records (many businesses round up to 7 for safety). Support tickets → deleted 1 year after ticket closed."
 

– Add a sentence to your privacy notice: "We keep your data for [X years] after your last interaction. We keep transaction records for [Y years] because tax law requires it." Fill in the real figures from your retention document, and don't claim a period is "required by law" unless you can name the law.
 

– Set up an automated reminder or script to delete old data – don't rely on memory. Many CRMs and email tools have auto‑delete rules.
 

– For cloud tools, check their data retention policies. Some keep data even after you delete it from your account. You need to know.

How I Can Help:

I’ll review your current retention practices. I’ll ask you a few simple questions about each data type, and then I’ll write a custom retention schedule for you – including exactly what to put in your privacy notice.

We keep our users’/customers’ personal information for an Indefinite time

Your Takeaway:

You keep customer data for an indefinite period – basically, forever. Under both EU and UK GDPR, this is a direct violation of the storage limitation principle (Article 5). The UK ICO has fined companies for this exact practice. You need to set a retention period, even a rough one, and you need to be able to delete data when that period ends. You also need to be able to delete an individual customer's data within one month if they ask (right to erasure). Indefinite retention is not "safe" – it's actually riskier than having a short retention period, because it's an easy violation for a regulator to spot.

Your Privacy Best Practices:

– This week, pick a default retention period. For most small businesses, 2 years after last activity works well for customer data. For transaction data, 7 years for tax purposes. Write it down.
 

– Go through your existing customer data. Delete anything older than your new retention period. Yes, delete it. You can keep aggregated statistics if you need them.
 

– Set a calendar reminder every quarter to review and delete old data.
 

– Make sure you can find and delete one customer's data within one month – test this with a colleague pretending to be a customer. One month is the statutory deadline for an erasure request (it can be extended by two further months for complex or numerous requests, but you must tell the person within the first month), and a dry run is the only way to learn whether backups and third‑party tools are covered.
 

– Document your retention policy. The ICO expects to see it if they ask.
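The retention schedule, scheduled deletion and one‑month erasure test described under both the definite and indefinite retention scenarios, as one added example that is not part of this page: a Python retention sweep over a constructed data inventory. The schedule, record categories, IDs and dates are constructed to mirror the page's worked figures, and the function names (expiry_date, expired, sweep, erasure_request) are illustrative. Two edge cases the prose only hints at are handled: data with no category or no trigger date fails loudly instead of being silently kept, and an erasure request deletes everything except records a law obliges you to keep (Article 17(3)(b)), returning the reason you would put in your reply to the customer.

```python
# Added example, not the page's own: a retention schedule applied to a constructed data
# inventory, plus an erasure request that respects legal-obligation records. Names are illustrative.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta               # how long to keep after the trigger event
    trigger: str                      # which date field on the record starts the clock
    legal_obligation: bool = False    # a law fixes this period, so erasure requests cannot shorten it


# Constructed schedule following the page's figures; confirm the periods with your own advice.
SCHEDULE: dict[str, RetentionRule] = {
    "contact":     RetentionRule(timedelta(days=2 * 365), "last_activity"),
    "transaction": RetentionRule(timedelta(days=6 * 365), "record_date", legal_obligation=True),
    "support":     RetentionRule(timedelta(days=365), "closed_at"),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str                     # must be a key of SCHEDULE; nothing is allowed to float
    last_activity: Optional[date] = None
    record_date: Optional[date] = None
    closed_at: Optional[date] = None


def expiry_date(rec: Record, schedule: dict[str, RetentionRule] = SCHEDULE) -> date:
    """When this record must go. Uncategorised data raises KeyError: fix the inventory, do not guess."""
    rule = schedule[rec.category]
    start = getattr(rec, rule.trigger)
    if start is None:
        raise ValueError(f"{rec.record_id}: missing {rule.trigger}, cannot compute retention")
    return start + rule.keep_for


def expired(records: list[Record], today: date, schedule=SCHEDULE) -> list[Record]:
    """Everything past its expiry date on `today`: the deletion batch for a scheduled sweep."""
    return [r for r in records if expiry_date(r, schedule) <= today]


def sweep(records: list[Record], today: date, schedule=SCHEDULE) -> list[Record]:
    """Return the records that survive the sweep, i.e. the inventory after deletion."""
    gone = {r.record_id for r in expired(records, today, schedule)}
    return [r for r in records if r.record_id not in gone]


def erasure_request(records: list[Record], subject_id: str,
                    schedule=SCHEDULE) -> tuple[list[Record], list[tuple[Record, str]]]:
    """Right to erasure: delete everything for the subject except data a law obliges you to keep
    (Article 17(3)(b)); retained items come back with the reason to put in your reply."""
    erased, retained = [], []
    for r in records:
        if r.subject_id != subject_id:
            continue
        if schedule[r.category].legal_obligation:
            retained.append((r, f"legal obligation; deleted on {expiry_date(r, schedule)}"))
        else:
            erased.append(r)
    return erased, retained


def demo() -> dict:
    """Runs a sweep and an erasure request over a constructed inventory on a fixed date."""
    inventory = [
        Record("c1", "cust-1", "contact", last_activity=date(2022, 1, 15)),
        Record("c2", "cust-2", "contact", last_activity=date(2023, 3, 1)),
        Record("t1", "cust-2", "transaction", record_date=date(2021, 4, 10)),
        Record("s1", "cust-1", "support", closed_at=date(2023, 2, 1)),
        Record("s2", "cust-2", "support", closed_at=date(2023, 12, 1)),
    ]
    today = date(2024, 6, 1)
    erased, retained = erasure_request(inventory, "cust-2")
    return {
        "expired": sorted(r.record_id for r in expired(inventory, today)),
        "surviving": sorted(r.record_id for r in sweep(inventory, today)),
        "erased_for_cust2": sorted(r.record_id for r in erased),
        "retained_for_cust2": [(r.record_id, why) for r, why in retained],
    }
```

Run `demo()` to see the sweep delete the two-year-old contact record and the year-old support ticket while keeping the transaction record, and to see the erasure request for the second customer remove their contact and support data but hold the transaction record with a dated reason. Wire `expired()` to your real data store behind the quarterly reminder the page suggests, and keep the schedule in one place so the privacy notice and the code cannot drift apart.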

How I Can Help:

I’ll help you set up a simple retention policy specific to your business. We’ll decide on retention periods for each data type, write them down in a document, and add the right wording to your privacy notice. I’ll also help you create a step‑by‑step process for deleting old data from common tools like your CRM, email platform, and cloud storage.

We do No Sharing of our users’/customers’ personal information with others/third parties.

Your Takeaway:

You don't share customer data with anyone outside your business. Under both EU and UK GDPR, this is the cleanest and lowest‑risk scenario. However, "outside your business" includes third‑party tools like your website hosting provider, email delivery service, analytics tool, customer support software, and even your email platform. If any of those tools can see customer data – even temporarily – that counts: the tool is a recipient, usually acting as your processor, and processors must be covered by a written contract (Article 28) and reflected in your privacy notice, even if they only ever act on your instructions. You need to verify each tool carefully. Even with no sharing, you still need a privacy notice and a legal basis.

Your Privacy Best Practices:

– List every single online tool your business uses, including free ones, one‑off tools, and even tools you forgot about. For each tool, ask: "Does this tool ever see a customer's name, email, IP address, or any other personal data?" Be honest.
 

– If the answer is yes, you are sharing. Update your answer to "Yes, sharing" and follow those best practices.
 

– If the answer is truly no (very rare – only possible if you run everything on your own servers with no external services), document your verification and keep it on file.
 

– Even with no sharing, publish a privacy notice that says, "We do not share your data with anyone outside our company" – but only if it's true.

How I Can Help:

I’ll help run a “data flow scan” of your business. We can identify which tools are silently receiving customer data – most businesses are surprised by the result. Once we have the real picture, I’ll help you either stop the sharing or disclose it properly.

Yes, We Do Share our users’/customers’ personal information with others/third parties.

Your Takeaway:

You share customer data with third‑party vendors or business partners. Under both EU and UK GDPR, this is allowed but comes with serious obligations. First, you must name the recipients, or at least the categories of recipient, in your privacy notice (Article 13), and be able to say who actually received a person's data if they ask. Second, you need a valid legal basis – for sharing that isn't strictly necessary for your service, you usually need explicit consent. Third, you must sign a Data Processing Agreement (DPA) that meets Article 28 with each vendor that processes data on your behalf. Fourth, if the vendor is outside the UK or EU and the destination country has no adequacy decision, you need Standard Contractual Clauses (SCCs) for EU data, and the UK IDTA or the UK Addendum to the EU SCCs for UK data, together with a transfer risk assessment. These are not optional – the UK ICO and EU authorities have fined companies for missing DPAs and missing SCCs.

Your Privacy Best Practices:

– Create a vendor table with columns: vendor name, what data they see, where they are located (country), whether they are a processor (acting on your instructions) or a controller (using data for their own purposes), and whether you have a DPA signed.
 

– For every processor, sign a DPA. Most major vendors (Google, Stripe, Mailchimp, AWS, Zoom, and Shopify) have DPAs in their legal centre – you just need to accept or download them.
 

– For vendors outside the UK/EU, add SCCs (for EU data) or the UK Addendum (for UK data). Many vendors provide these automatically – check their legal centre. If they don't, ask them.
 

– Put your vendor table on your website as part of your privacy notice. Be honest – customers appreciate transparency.
 

– Review your vendor list every six months. Vendors change their practices, locations, and sub‑processors.

How I Can Help:

I’ll review your vendor list and tell you exactly what’s missing. I can also help you create a plain English DPA template you can send to any vendor that doesn’t have their own. If you have cross-border transfers, I’ll help you add SCCs (if required).

Ready to take your next step?

Let's put people first in your data & technology.
I'm just one click away!
Spread the word. Someone out there may need this.

Disclaimer: This information is for general informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Feel free to connect with me for further clarification or your specific case matter.
