< Back

Share |

Privacy Policy Checklist

June 2017

This checklist is designed to help you gather the information you will need to put a GDPR-compliant privacy policy on your website or in-app.

Company information

  • What is the URL address of the site that the user's information is collected from?
  • What is the full company name in control of the user information being processed (including trading names)?
  • Registered office address?
  • Business address?

Who are the data controllers?

  • Are there any joint controller arrangements? (If yes, include details of the essence of this arrangement)?

Website hosting and data location

  • Who is the website hosting provider?
  • Where is the website located?
  • Where is the data located?

Who will be using the website and other channels?

  • What channels are available? (e.g. website/app/other)?
  • Is the website directed at consumers/businesses/other?
  • Is the site/service directed at those under 16?
  • Can those under 16 access the site/service?

What information is collected about users?

(indicate if electronic, audio or visual data)

  • Is registered user information collected? e.g.
    • Registration information
    • Profile information
    • Are any decisions based solely on automated processing including profiling that significantly affect the subject or have legal effects for him/her?
  • Is activity information (including user behaviour data and any transcripts or other records) collected? e.g.
    • Information from synching with other software or services
    • Interaction with social media (functional and/or marketing) and what information is available?
    • Information about payments
    • Access to social media profiles
    • Demographic information
    • Anonymous information
    • Pseudonymous data
    • 'My account' feature (describe the features and the settings including privacy settings available to the user within this user area of the site/service)
  • Information collected automatically from use of the service? e.g.
    • Device information (nature of device and/ or identifiers)
    • Log information (including IP address)
    • Location information (how is location collected/inferred)
    • Device sensor information
    • Site visited before arriving
    • Browser type and or OS
    • Interaction with email messages
  • Information from other sources? (identify the sources) e.g.
    • Referral or recommendation programmes
    • Publicly accessible sources
  • Information from cookies or similar technologies (incl. in-app codes) (including whether session or persistent) e.g.
    • Essential login/authentication or navigation
    • Functionality – remember settings
    • Performance & Analytics – user behaviour
    • Advertising/retargeting
    • Any third party software served on users
    • Other

Nature of any outbound communications with registered users

  • Email
  • Telephone (voice)
  • Telephone (text)
  • Other

Site security measures

Does the site comply with:

  • Cyber Essentials?
  • ISO/IEC 27000 Series?
  • Other standards?


  • What disclosures of information are made?
  • Are any external links included in the website?
  • Does the website have message boards, social or chat areas?
  • Can information be shared by the user?
  • Can information be shared by others?
  • What information is shared by the organisation?
    • With group companies
    • With partners (identified)
    • With other third parties
  • Is information shared automatically?
  • Are there Third Party Applications (APIs)?

Rights and choices

  • How can a user remove content?
  • How can a user suspend, restrict or hide their account?
  • How can a user get data corrected or erased?
  • How can a user get access to their data?
  • Can users opt-out of uses for their information for purposes other than provision of the service?
  • How can a user opt-out of any marketing communications?
  • Can an account be deleted?
  • How long will specific account details be retained post account deletion?
  • How are data portability requests made and handled?
  • How can the user withdraw their consent to further processing?

Process for making changes to the policy

  • How will changes be alerted to new users?
  • How will user consent be collected (where relevant)?
  • Will an 'at a glance' summary of the key changes be available to users?
  • Will users be able to access past versions of the policy?

Data transfers outside the EEA

(NB : Exporting data for hosting or processing outside the EEA as well as access from outside the EEA to EU hosted data).

  • Is personal data transferred outside the EEA?
    • By group companies?
    • By service providers?
    • Other?

What are the legal adequacy safeguards?

  • Country adequacy decision
  • Model transfer contracts
  • Binding Corporate Rules
  • Privacy Shield
  • Lawfulness condition (specify)

Contact details and information to provide

  • Who to contact
  • How (online)
  • How (mail)
  • Telephone
  • Physical address
  • Data Protection officer
  • Contact details (if different)
  • Right to lodge a complaint with the ICO

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.