GDPR-Compliance (UK) — PRD Section

Scope & Roles

We act as controller for customer/admin data in the app (accounts, billing, support) and as processor for customers’ end-user analytics/events, processing only under their instructions and DPA. (Information Commissioner's Office)

Lawful Bases (Article 6)

Data Protection Principles

We design and operate to the seven principles: lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; accountability. Engineering and policy controls are mapped to each principle. (Information Commissioner's Office)

Data Subject Rights Operations

We provide workflows to fulfil UK GDPR rights: to be informed, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. SLA: acknowledge within 7 days, complete within 30 days; processors assist controllers. (Information Commissioner's Office)

Processor Contract (Article 28) & Sub-processors

Our DPA includes Article 28 clauses: process only on documented instructions; confidentiality; security measures; assist with rights/DPIA/breach; sub-processor controls; deletion/return on termination; audits. Sub-processor list is published and kept current. (Information Commissioner's Office, GOV.UK)

Security of Processing (Article 32)

We implement risk-based technical and organisational measures appropriate to the processing: encryption in transit and at rest, access control with least privilege, logging and monitoring, vulnerability management, backup and disaster recovery, and regular testing of the effectiveness of these controls. (Information Commissioner's Office, gdpr-info.eu)

DPIA (Data Protection Impact Assessment)

We run a DPIA for any processing likely to pose high risk (e.g., large-scale tracking, new profiling). DPIAs are also good practice for major product changes and are reviewed before launch. (Information Commissioner's Office)

International Transfers (UK)

Where UK personal data leaves the UK, we use approved transfer tools: UK IDTA or the UK Addendum to EU SCCs, plus a transfer risk assessment. (Information Commissioner's Office)

Personal Data Breach Response

We maintain a breach runbook and register. Notifiable breaches are reported to the ICO within 72 hours of awareness; where there’s high risk to individuals, we notify them without undue delay. (Information Commissioner's Office, gdpr-info.eu)

Accountability & Records

We maintain a ROPA (record of processing activities), link it to lawful bases, retention, security measures, and DPIAs, and review it regularly. (Information Commissioner's Office)

DPO (if required)

We will appoint a Data Protection Officer if legally triggered (public authority; large-scale regular/systematic monitoring; or large-scale special-category/criminal-offence data). Otherwise we document why a DPO isn’t required and name a privacy lead. (Information Commissioner's Office)

Retention & Deletion

Default retention schedules are documented per data class in line with the storage-limitation principle; data is deleted or anonymised at the end of its retention period or of the contract, with verified deletion for processor data. (Information Commissioner's Office)

Deliverables checklist (for build & sign-off)
