Find out in 2 minutes. Answer a few questions and get a free data-protection readiness check against the UK GDPR, the Data Protection Act 2018 and PECR, plus the documents you need (privacy policy and cookie policy) — ready to be reviewed by a UK solicitor.
A few questions about the customer data you collect, your website, cookies and marketing.
A data-protection readiness assessment against the UK GDPR and PECR, with your obligations and priority gaps.
A privacy policy and cookie policy tailored to your shop, ready to be reviewed by a UK solicitor.
It takes about 2 minutes. Answer in your own words — no technical jargon needed.
Yes. If you collect any personal data — customer names, emails, orders, a loyalty scheme, CCTV, a mailing list — you are a data controller under the UK GDPR and the Data Protection Act 2018, regulated by the Information Commissioner's Office (ICO). Most businesses must also pay the ICO data protection fee. The free vrisk check shows where you stand.
If your website uses non-essential cookies — analytics (e.g. Google Analytics), advertising or social pixels (e.g. a Facebook pixel) — then under PECR you must get the visitor's prior opt-in consent via a banner before those cookies load. "Carry on browsing" or "change your browser settings" is not valid consent. vrisk generates a compliant cookie policy and tells you what your banner needs.
Email and SMS marketing are governed by PECR. In general you need the recipient's opt-in consent, with a limited "soft opt-in" for existing customers buying similar products, and every message must have an easy unsubscribe. Sending to addresses collected without a clear opt-in is a common breach. vrisk produces a direct-marketing & consent policy.
A privacy policy (privacy notice) tells customers what data you hold, why, the lawful basis, who you share it with and their rights — required by Articles 13-14 of the UK GDPR. A ROPA (Record of Processing Activities) is your internal record of all the ways you process personal data, required by Article 30. vrisk generates both, tailored to your shop.
If personal data is lost, hacked or sent to the wrong person, you may have to report it to the ICO within 72 hours, and sometimes tell the affected customers. Most small retailers have no procedure for this. vrisk generates a personal data breach response procedure and an internal breach log. These documents are drafts and should be reviewed by a UK solicitor or data-protection professional before adoption.