Privacy Policy Checker
UK GDPR Articles 13 and 14 specify every element your privacy policy must contain. GDPR Radar checks your site against the full list and flags anything missing.
Check your privacy policy for free →
Every Article 13 required element
Most privacy policies address some of these requirements. Fewer address all of them. The ICO's enforcement approach is graduated — minor gaps handled proactively carry far less risk than systematic failures.
1. Privacy policy present and linked
A privacy policy must be accessible from every page that collects personal data. If it is absent or not linked from your footer, the threshold for Article 13 compliance has not been met.
2. Controller identity
Your business name, registered address, and a contact point for data protection queries. "Contact us" is not sufficient — the controller must be identified specifically.
Article 13(1)(a)
3. Lawful basis for each processing activity
For every category of data you collect, you must state the Article 6 lawful basis. Consent, contract, legitimate interests, and legal obligation are the most common for website operators. "We process your data to provide our services" does not name a basis.
Article 13(1)(c)
4. Retention period
How long each category of data is kept, or the criteria used to determine this. Vague language — "as long as necessary" — does not meet the requirement.
Article 13(2)(a)
5. Data subject rights
The rights of access, rectification, erasure, restriction, portability, and objection must each be mentioned. Where consent is your basis, you must also explain how to withdraw it.
Articles 13(2)(b) and 13(2)(c)
6. Right to complain to the ICO
You must explicitly state that individuals have the right to lodge a complaint with the Information Commissioner's Office and provide the ICO's contact details or website address (ico.org.uk).
Article 13(2)(d)
Where most policies fall short
The policy describes what data is collected but says nothing about why processing it is lawful. This is one of the most frequent gaps the ICO identifies in audits.
"We keep your data as long as necessary to fulfil our obligations" appears in thousands of UK policies. It satisfies nothing. The ICO expects a specific period or specific criteria.
Many policies describe data subject rights but omit the right to complain to the ICO. This is a mandatory disclosure under Article 13(2)(d), not optional.
Does your privacy policy hold up?
GDPR Radar checks whether your policy link is present, whether key Article 13 elements appear, and flags specific gaps with guidance on how to fix them.