Section 1: Lawful Basis and Transparency
Note: This checklist is for general guidance. UK GDPR is complex — consult a qualified data protection solicitor or DPO for specific advice.
✅ Legal basis documented for every personal data processing activity (consent, legitimate interest, contract, legal obligation, vital interests, public task)
✅ Legitimate Interest Assessments (LIAs) completed for all processing on legitimate interest basis
✅ Privacy Notice published — includes all Article 13/14 required information in plain English
✅ Cookie consent implemented correctly: affirmative opt-in, no pre-ticked boxes, easy to decline as to accept
✅ Marketing consent: PECR-compliant opt-in for email/SMS, separate from service consent
✅ Article 30 Records of Processing Activities (ROPA) maintained — updated when processing changes
Section 2: Technical Security (Article 32)
✅ Encryption at rest: database encrypted (AWS RDS encryption, Azure Transparent Data Encryption)
✅ Encryption in transit: TLS 1.2+ for all connections, HSTS enabled
✅ Access control: RBAC implemented, least privilege principle, no shared accounts
✅ MFA: multi-factor authentication for all admin access to systems containing personal data
✅ Audit logging: all access to personal data logged (who accessed what, when)
✅ Dependency scanning: automated (Dependabot) with 14-day patching for high-severity CVEs (Cyber Essentials)
✅ Penetration testing: CREST-certified pen test within last 12 months
✅ No personal data in source code, logs, or error messages
✅ Staging/test environments use synthetic data only (no real personal data)
Section 3: Data Subject Rights
✅ Right to Access: DSAR response process in place — response within 1 calendar month, free of charge
✅ Right to Erasure: technical mechanism to delete all personal data for a specific user on request
✅ Right to Portability: machine-readable export (JSON/CSV) of personal data on request
✅ Right to Rectification: user can update their personal data
✅ Right to Object: users can object to automated decisions and direct marketing
✅ Right to Restriction: ability to flag data as restricted (retain but do not process)
Section 4: Data Processors and Third Parties
✅ Article 28 Data Processing Agreements in place with all data processors (AWS, Stripe, SaaS tools)
✅ Sub-processors list maintained and disclosed in Privacy Notice
✅ International transfers: no personal data transferred outside UK/EEA without IDTA or adequacy decision
✅ US processors: UK-US Data Bridge (if applicable) or IDTA in place
✅ Processor security assessed: SOC 2 Type II, ISO 27001, or equivalent for key processors
Section 5: Privacy by Design (Article 25)
✅ Data minimisation: only collect data genuinely needed for the stated purpose
✅ Purpose limitation: personal data only used for the purpose for which it was collected
✅ Storage limitation: retention policies defined and technically enforced (automated deletion)
✅ Privacy by default: privacy-protective settings are the default, not an opt-out
✅ DPIA completed for high-risk processing (profiling, special category data, new technology)
Section 6: Special Category Data (Article 9)
✅ Special category data identified: health, biometric, genetic, race/ethnicity, religion, political opinion, trade union, sex life/orientation
✅ Explicit consent obtained for special category data (not just standard consent)
✅ Enhanced security controls for special category data (additional encryption, access controls, audit logging)
✅ DPIA completed for all special category data processing
Section 7: Breach Response
ClickMasters UK GDPR Technical Implementation: ClickMasters implements all technical controls in this checklist as standard on every project: encryption, RBAC, audit logging, DSAR support, right to erasure, UK data residency (AWS eu-west-2 or Azure UK South), Article 28 DPA in client contracts, and Cyber Essentials-aligned dependency scanning. The technical controls are built in — not bolted on.