
Policy Gap Analysis - Current vs GDPR Strategy

CRITICAL GAPS (High Risk of Fines)

1. Missing GDPR User Rights Implementation

Current Policy Claims vs Reality

  • Policy States: "Right to request data deletion" via "Account/Settings"
  • Reality: No evidence of functional data export, deletion, or portability systems
  • GDPR Requirement: Must respond to requests within 30 days with structured data export
  • Risk Level: HIGH - Direct GDPR violation if requests cannot be fulfilled

Missing User Rights

  • Data Portability (Article 20): No machine-readable export functionality
  • Right to Rectification: Basic profile editing ≠ comprehensive data correction
  • Detailed Data Access: Policy mentions access but no structured export system
  • Objection to Processing: No granular consent withdrawal beyond marketing opt-out

2. Legal Basis for Processing

Current Policy Issues

  • Vague Legal Basis: "Legitimate business purposes" is too broad
  • Missing Specific Legal Grounds: No Article 6 GDPR basis specified per processing activity
  • Consent Confusion: Mixing consent with legitimate interest inappropriately

Current: "Legitimate business purposes"
Required:
  - Contract performance: Booking processing, vendor payments
  - Legal obligation: Tax records, dispute resolution
  - Legitimate interest: Platform security, analytics (with balancing test)
  - Consent: Marketing communications, non-essential cookies

3. No Data Retention Periods

Current Policy

  • States: No specific retention periods specified
  • GDPR Violation: Article 5(1)(e) requires defined retention periods
  • Business Risk: Retaining data indefinitely = compliance breach

Required Retention Framework

  • User profiles: Until account deletion + 30 days
  • Booking data: 7 years (tax/legal compliance)
  • Marketing data: Until consent withdrawn
  • Analytics data: 2 years (anonymized)

4. Consent Management

Current Gaps

  • Granular Consent: No separate consent for different processing purposes
  • Easy Withdrawal: No evidence of consent management system
  • Consent Records: No proof of when/how consent was obtained
  • Cookie Consent: Basic mention but no proper consent management

SIGNIFICANT GAPS (Medium Risk)

5. Two-Sided Marketplace Not Addressed

Missing Vendor-Specific Provisions

  • No distinction between couple data vs vendor business data
  • No business data retention policies (tax/legal requirements)
  • No vendor-specific user rights (business profile management)
  • No cross-user dependency handling (booking relationships)

6. Third-Party Data Processing

Current Issues

  • Lists services (Google, ActiveCampaign, etc.) but no DPA references
  • No data transfer safeguards mentioned
  • International transfer basis unclear
  • No processor vs controller distinction

Required Updates

  • List all data processors with purpose
  • Confirm adequate safeguards for non-EEA transfers
  • Reference Data Processing Agreements
  • Specify data localization where relevant

7. Children's Data Protection

Current Policy

  • States "not intended for under 18"
  • No active verification measures
  • Wedding planning often involves parents/families

Potential Risk

  • Family involvement in wedding planning may include minors
  • Need age verification for account creation
  • Parental consent mechanisms for under-16s

ADEQUATE AREAS (Minor Updates Needed)

8. Contact Information

  • Data protection email provided
  • Clear contact mechanism for queries
  • Consider dedicated DPO contact if processing volumes require

9. Jurisdiction

  • English courts jurisdiction appropriate for UK business
  • GDPR compliance assumed under UK GDPR post-Brexit

POLICY UPDATE REQUIREMENTS

Immediate Updates Required (Before Migration)

Privacy Policy Must Add

  1. Explicit GDPR Rights Section

    • Step-by-step process for each user right
    • Timescales for responses (30 days maximum)
    • Contact information for requests
    • Identity verification requirements
  2. Legal Basis Mapping

    Data Type → Legal Basis → Purpose
    Profile data → Contract → Service delivery
    Payment data → Contract → Transaction processing
    Marketing data → Consent → Communications
    Analytics → Legitimate Interest → Service improvement
  3. Data Retention Schedule

    Data Category → Retention Period → Deletion Process
    User profiles → Account lifetime + 30 days → Automated
    Booking records → 7 years → Manual review
    Messages → 1 year post-wedding → Automated
    Logs → 6 years → Automated
  4. Two-Sided Marketplace Provisions

    • Separate sections for couples vs vendors
    • Business data handling for vendors
    • Cross-user data dependencies explanation
    • Vendor business compliance requirements
  5. Third-Party Processor List

    Service → Purpose → Data Types → Location → Safeguards
    Stripe → Payments → Financial data → Global → Adequacy decision
    Google → Analytics → Usage data → US → SCCs
    Twilio → Communications → Phone numbers → US → SCCs

Terms & Conditions Must Add

  1. Data Processing Terms

    • Reference to updated privacy policy
    • User responsibility for accurate data
    • Consent to data processing for service delivery
  2. Vendor-Specific Terms

    • Business data retention obligations
    • Customer data processing responsibilities
    • GDPR compliance requirements for vendors

Technical Implementation Requirements

Must Build Before Go-Live

  • [ ] Data Export System: JSON/CSV download for all user data
  • [ ] Granular Consent Management: Separate consent for different purposes
  • [ ] Data Deletion Workflow: Automated soft delete with business rule checks
  • [ ] Consent Withdrawal Interface: Easy opt-out mechanisms
  • [ ] Data Request Portal: User interface for GDPR requests

Post-Launch Enhancements

  • [ ] Privacy Dashboard: User control over all privacy settings
  • [ ] Audit Trail System: Complete log of data access/changes
  • [ ] Automated Retention: Scheduled deletion based on retention policies
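The automated retention and soft-delete items above can be sketched as one scheduling rule set. The following is an added illustration, not code from the project: it encodes the retention schedule from the policy update plan (profiles: closure + 30 days; bookings: 7 years with manual review; messages: 1 year post-wedding; logs: 6 years) and applies the cross-user business rule that a couple's profile linked to a booking still inside its legal hold is pseudonymised rather than hard-deleted. Record categories, anchor-date names and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule from the policy update plan: category -> (date anchor, period).
RETENTION = {
    "user_profile": ("account_closed", timedelta(days=30)),   # account lifetime + 30 days
    "booking":      ("created", timedelta(days=7 * 365)),     # 7 years, manual review
    "message":      ("wedding_date", timedelta(days=365)),    # 1 year post-wedding
    "log":          ("created", timedelta(days=6 * 365)),     # 6 years
}

@dataclass
class Record:
    id: str
    category: str
    anchors: dict              # anchor name -> date, e.g. {"account_closed": date(...)}
    linked_booking: str = ""   # cross-user dependency: booking tying a couple to a vendor

def retention_expired(rec: Record, today: date) -> bool:
    anchor_name, period = RETENTION[rec.category]
    anchor = rec.anchors.get(anchor_name)
    if anchor is None:         # open account: no closure date yet, nothing to count from
        return False
    return today >= anchor + period

def plan_retention(records, today: date) -> dict:
    """Map each record id to keep / delete / soft_delete / manual_review."""
    by_id = {r.id: r for r in records}
    plan = {}
    for r in records:
        if not retention_expired(r, today):
            plan[r.id] = "keep"
        elif r.category == "booking":
            plan[r.id] = "manual_review"   # schedule: booking records get manual review
        elif (r.category == "user_profile" and r.linked_booking
              and not retention_expired(by_id[r.linked_booking], today)):
            plan[r.id] = "soft_delete"     # linked booking still in its 7-year hold: pseudonymise only
        else:
            plan[r.id] = "delete"          # automated deletion per schedule
    return plan

def run_sample() -> dict:
    records = [  # constructed sample data, evaluated as of 2025-06-01
        Record("u1", "user_profile", {"account_closed": date(2025, 4, 1)}, linked_booking="b1"),
        Record("u3", "user_profile", {}),
        Record("b1", "booking", {"created": date(2020, 1, 1)}),
        Record("b2", "booking", {"created": date(2017, 1, 1)}),
        Record("m1", "message", {"wedding_date": date(2024, 3, 10)}),
    ]
    return plan_retention(records, date(2025, 6, 1))
```

A scheduled job would run `plan_retention` over the live stores and write the resulting actions to the audit trail before executing them, so each deletion is traceable to a schedule entry.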

IMMEDIATE ACTION REQUIRED

High-Priority Fixes (This Week)

  1. Update Privacy Policy: Add explicit GDPR rights and contact process
  2. Legal Basis Documentation: Map all processing to specific legal grounds
  3. Data Retention Policy: Define and publish retention schedules
  4. Consent Audit: Review and update all consent mechanisms

Medium-Priority (Next 2 Weeks)

  1. DPA Collection: Obtain signed DPAs from all processors
  2. Two-Sided Policy: Separate couple/vendor data processing terms
  3. Technical Planning: Scope user rights implementation system

Before Migration Go-Live

  1. Full Policy Rewrite: Comprehensive privacy policy covering all gaps
  2. Technical Implementation: All user rights systems functional
  3. Staff Training: Customer service team trained on GDPR requests
  4. Legal Review: External legal sign-off on updated policies

COMPLIANCE COST ASSESSMENT

  • Current exposure: £10M+ potential fine (4% of turnover)
  • Probability: HIGH if GDPR requests cannot be fulfilled
  • Timeline: Immediate risk upon receiving first data request

Update Costs

  • Legal review: £3,000-£5,000
  • Policy rewriting: £2,000-£3,000
  • Technical implementation: 15-20 developer days
  • Total: ~£15,000-£20,000 investment to avoid £10M+ risk

SUCCESS METRICS

Compliance Metrics

  • [ ] 100% of GDPR rights functional and tested
  • [ ] <30 days response time for all data requests
  • [ ] 100% legal basis documentation complete
  • [ ] All processors covered by valid DPAs
  • [ ] Data retention automated and compliant

Bottom Line: Current policies have significant GDPR gaps that create high fine risk. Immediate policy updates and technical implementation required before migration go-live.
