GDPR Privacy Checklist

GDPR Privacy Checklist

In need of advice on putting together a GDPR-compliant privacy policy? Here’s a GDPR Privacy Checklist for you.

You may already be aware that a privacy notice is an essential element when it comes to producing appropriate documentation for a GDPR-compliant website. If you are not sure what GDPR is or need further clarification then see this post.

So, whether you’ve already published a privacy policy up in time for the new legislation, or whether you’re only just getting round to sorting out your privacy policy – this GDPR Privacy Checklist post is here to help.

1. An introduction

The best place to start is with a little introduction. What is this privacy policy people are about to read, why is it needed and when it is effective from? I find this is a good way to start as it’s just common courtesy.

2. Who you are

When you’re referring to yourself in your privacy policy (most likely as ‘we’ and ‘us’ or in some cases ‘I’ or ‘me’) then you should make it clear who you are – company name or perhaps refer to yourselves as the owners’ of your business (including business name).


“In terms of this privacy policy, ‘we’ or ‘us’ or ‘our’ means; the owners of 23 Business Street, based in Happy Town, located in the Happy Islands.”

2. What types of data you’re collecting

Now, you should make it clear the types of data you’re collecting, and how you’re collecting it. This could include, for example, names, email addresses, details of bookings, payment details etc.

You may be storing information provided to you directly as well as indirectly. What are the different sources you’ll be collecting this data from? (Personal information coming from other sites, as well as website cookies and social media? It’s important to mention them here)

Perhaps personal information is being passed onto you by third parties (more about that below).

3. The reason for collecting it

What legitimate business reasons do you have for collecting an individual’s personal data?

Be as specific as possible, and detail all of the reasons you need to process the personal data of your guests. (But also don’t be afraid to question it – are you storing any data you DON’T need? Now’s the time to rectify that.)

4. Any third parties involved

Whether you’re sharing any personal data with third parties (your service providers or colleagues, for example) or receiving data for third parties, it’s important to mention them here.

You may also want to reserve the right to disclose personal data to third parties under a couple of special conditions, such as buying or selling business assets (perhaps if you sell properties as holiday lets) or your assets are acquired by a third party.

5. How personal data will be used

How you use personal data is also a vital element to include in your privacy policy, and I highly recommend you be as specific and explicit as possible here; including bullet pointing all the ways you have, will and plan to use personal data in future.

You can include things such as sending out emails, keeping a record of your relationship with guests, contacting guests with offers, to meet legal obligations, respond to complaints, and to send any correspondence at all regarding a guests’ stay.

6. How long data will be stored for

You can be specific here, or you can state that you have specific guidelines in place determined by both legal and operational considerations for how long you store personal data associated with your holiday let.

You can also give an example, such as the need to store some information for tax purposes (a fairly common practice).

7. How an individual’s data is protected

Telling potential clients that you care about their privacy and will practice due diligence to protect their personal data goes a long way to providing the necessary reassurance they’ll need to make a booking with you. You may want to mention you use a secure network (if applicable).

You may also want to mention that you’ll never sell an individual’s data to third parties for marketing purposes. That’s usually a big one!

8. The rights of the individual

Ensure potential guests can see their rights, and explain in a little more depth what each one means for them. Their rights are as follows:

  • The right to access their personal information
  • The right to have incorrect personal information corrected
  • The right to restrict use of personal information
  • The right to be forgotten
  • The right for their personal information to be portable
  • The right to object to the use of their personal information

9. How individuals can make data requests

Everyone should be able to make a request to access, amend or have their personal data deleted, so it’s important to tell them how they can do this. Who can they get in touch with?

It may also be worth mentioning that once they get in touch with you, you’ll then have a month to comply.

10. Use of cookies

If you have a website, you may also want to mention cookies and how you collect them. If you use third party cookies from the likes of Google Analytics or any other online app or software that’s helping you learn more about your visitors’ activity, mention them.

Your safest bet is to also link to the privacy policies of these third parties, just to ensure you’re covered.

11. Changes to your privacy policy

Let people know that your privacy policy is subject to change in future, and if any significant changes occur, this will be made clear on your website – and in an email to anyone whose personal data you store.

12. Contact details

Finally, finish off by including your key contact (if you don’t want to use a name, you can say ‘The Data Protection Officer’, postal address, email address and phone number.

Once you’ve put together your privacy policy for all to see, your next step is to diligently display it whenever you’re capturing a user’s data. This helps ensure that you can prove you’re making the effort to comply with the new legislation – and that’s really all anyone can ask for!

Key GDPR resources to keep bookmarked

%d bloggers like this: