GDPR-Compliant Data Collection with Power Pages
What UK Business Leaders Need to Know Before They Build a Customer-Facing Portal
Microsoft Power Pages makes it straightforward to build professional, external-facing websites and portals that collect data from customers, suppliers, and partners. But collecting data from members of the public or business contacts carries significant legal obligations under UK GDPR and the Data Protection Act 2018. Get it right, and a Power Pages portal can become a powerful, compliant data asset for your business. Get it wrong, and you're exposed to ICO enforcement, fines up to £17.5 million or 4% of global annual turnover, and reputational damage that's hard to recover from. This guide gives UK business leaders a clear picture of what compliance requires — and how Power Pages, properly configured, can support it.
The UK GDPR Landscape: What Actually Applies
Since the UK left the EU, data protection in the UK is governed by UK GDPR — which closely mirrors the EU version — alongside the Data Protection Act 2018. The Information Commissioner's Office (ICO) is the UK's supervisory authority and has the power to investigate, enforce, and fine organisations that fall short.
If your Power Pages portal collects any personal data — names, email addresses, phone numbers, IP addresses, or anything that could identify an individual directly or indirectly — UK GDPR applies. There are no thresholds based on company size or sector for this. A 10-person SME has the same obligations as a FTSE 100 company when it comes to the principles of data processing.
UK GDPR vs EU GDPR — Key Differences for UK Businesses
Post-Brexit, UK GDPR is a standalone regime. If your Power Pages portal collects data from individuals in the EU as well as the UK, you may need to comply with both regimes. The ICO provides guidance on this. For most UK-only businesses, UK GDPR and the Data Protection Act 2018 are the relevant frameworks.
The Six Principles — Applied to Power Pages
UK GDPR is built around six data protection principles. Every decision you make about your Power Pages portal should be tested against these:
| Principle | What It Means in Practice | Power Pages Implication |
|---|---|---|
| Lawfulness, Fairness & Transparency | You must have a legal basis for collecting data, and be open about how you use it | Privacy notice must be accessible from every page. Legal basis must be identified before build. |
| Purpose Limitation | Data collected for one purpose cannot be reused for another incompatible purpose | Don't add data from your portal into a marketing list unless you have separate consent for that. |
| Data Minimisation | Only collect what you actually need | Every form field must have a justified reason. Remove fields that are "nice to have" but not necessary. |
| Accuracy | Data must be kept accurate and up to date | Build in a mechanism for users to update their own data. Consider periodic data hygiene processes. |
| Storage Limitation | Data should not be held longer than necessary | Define and implement retention periods. Power Pages data stored in Dataverse should have automated deletion or archival. |
| Integrity & Confidentiality | Data must be protected against unauthorised access, loss, or destruction | Azure security, role-based access, SSL, and appropriate Dataverse permissions must all be configured correctly. |
Establishing a Lawful Basis — Getting This Right Before You Build
Before a single line of configuration is written, you must identify your lawful basis for processing the data your portal will collect. This is not a box-ticking exercise — it shapes how you communicate with users, what rights they have, and what you can do with the data.
Common Mistake: Defaulting to Consent for Everything
Many organisations assume consent is the correct basis for all data collection because it feels "safest." It isn't. Consent is the most burdensome basis to manage — it can be withdrawn at any time, and withdrawal must be honoured immediately. If you have a stronger basis (contract or legitimate interests), use it for the appropriate data, and reserve consent for genuinely optional processing like marketing.
Power Pages Configuration: What Compliance Requires
Power Pages is a well-architected platform with strong security foundations — but compliance is not automatic. It requires deliberate configuration choices. Here is what must be addressed:
1. SSL and Secure Connections
All Power Pages portals must use HTTPS. Power Pages provides SSL certificates as standard, but you must ensure your custom domain is correctly configured and the certificate is valid and renewed. Any page that collects personal data and transmits it over HTTP rather than HTTPS is a basic security failure and a UK GDPR breach waiting to happen.
2. Privacy Notice Accessibility
A clear, plain-English privacy notice must be accessible from every page of your portal — typically via a persistent footer link. The notice must cover: what data you collect, why you collect it, the lawful basis, how long you retain it, who you share it with (including Microsoft as a data processor), and how individuals can exercise their rights.
What Your Privacy Notice Must Cover (ICO Checklist)
- Identity and contact details of your organisation (the data controller)
- Contact details of your Data Protection Officer (if applicable)
- Purposes and lawful basis for each type of processing
- Any legitimate interests relied upon (if applicable)
- Categories of data collected
- Who the data is shared with and why
- Details of any transfers outside the UK
- Retention periods or criteria used to determine them
- Individual rights (access, rectification, erasure, restriction, portability, objection)
- Right to withdraw consent (where consent is the lawful basis)
- Right to lodge a complaint with the ICO
3. Consent Capture for Marketing
If your portal collects email addresses and you intend to send marketing communications, consent must be captured explicitly at the point of collection — a clearly labelled, unticked checkbox with a plain-English description of what the person is agreeing to. Power Pages forms support this natively, but it must be deliberately designed into the form — it does not happen automatically.
4. Role-Based Access Control in Dataverse
Data submitted through Power Pages is stored in Microsoft Dataverse. Access to that data must be restricted to staff who genuinely need it. Dataverse has a sophisticated role-based access control system, but it requires explicit configuration. By default, broad permissions may be assigned that are inappropriate for personal data. Review and restrict access as part of every portal build.
5. Data Retention and Deletion
Define how long data submitted through your portal will be retained — and build automated processes to enforce it. Power Automate can be used to trigger archival or deletion of Dataverse records after a defined period. Without this, data accumulates indefinitely, which is a violation of the storage limitation principle.
6. Subject Access Request (SAR) Process
Under UK GDPR, individuals have the right to request a copy of all personal data you hold about them — and you must respond within one calendar month. If your portal collects data into Dataverse, you need a process for identifying and exporting all records relating to a specific individual. Plan this before go-live, not after.
Rights Under UK GDPR Your Portal Must Support
- Right of Access: Individuals can request a copy of their data (Subject Access Request)
- Right to Rectification: Individuals can ask for inaccurate data to be corrected
- Right to Erasure: The "right to be forgotten" — individuals can request deletion in certain circumstances
- Right to Restriction: Individuals can ask you to pause processing of their data
- Right to Data Portability: Individuals can ask for their data in a machine-readable format
- Right to Object: Individuals can object to processing based on legitimate interests or for direct marketing
Microsoft as Your Data Processor — What This Means
When data is stored in Dataverse (the back-end for Power Pages), Microsoft acts as a data processor on your behalf. You remain the data controller — meaning you are legally responsible for the data, and Microsoft processes it according to your instructions.
This relationship is governed by Microsoft's Data Processing Agreement (DPA), which is part of the Microsoft Product Terms. For UK businesses, this means:
Key Points from Microsoft's Data Processing Agreement
- Microsoft commits to processing data only on your documented instructions
- Microsoft implements appropriate technical and organisational security measures
- Microsoft will assist you in responding to Subject Access Requests and security incidents
- Microsoft will notify you of any personal data breaches without undue delay
- Microsoft's UK data centres can be used to store data within the UK — this should be explicitly configured
Data Residency: Confirm Where Your Data Is Stored
By default, Microsoft may store data in any of its global data centres. For UK GDPR compliance — particularly if your privacy notice states data is held in the UK — you must configure your Dataverse environment to use UK data centres. This is available in the Power Platform admin centre and must be confirmed at the point of environment setup, not retrofitted later.
A Real Example: A Compliant Customer Enquiry Portal
To make this practical, here is how a compliant Power Pages customer enquiry portal is built for a UK professional services firm. The portal collects enquiry details from prospective clients and routes them to the relevant team.
The Compliance Decisions Made Before Build
- Lawful basis identified: Legitimate interests — the firm has a legitimate interest in processing enquiry data to respond to prospective clients, and this is proportionate given that the individual has proactively contacted the firm.
- Legitimate Interests Assessment completed and documented in the firm's data processing register before build begins.
- Data minimisation review: The form only collects name, email, phone number, company, and enquiry description. No date of birth, address, or other data that isn't needed at this stage.
- Retention period defined: Enquiry data is retained for 12 months. If the enquiry does not convert to a client, the record is automatically deleted by a Power Automate flow triggered on the 12-month anniversary.
- Marketing consent: A separate, unticked checkbox allows prospective clients to opt into the firm's newsletter. This is handled as a distinct, consent-based data stream — not mixed with the enquiry data.
What Is Built Into the Portal
Compliance Features Built Into the Portal
- HTTPS enforced — HTTP redirects to HTTPS automatically
- Privacy notice link in the persistent footer on every page
- Explicit statement on the form: "We will use your details to respond to your enquiry. See our Privacy Notice for full details of how we handle your data."
- Separate unticked marketing consent checkbox with clear description
- Dataverse environment configured to UK data centre
- Role-based access restricts enquiry data to the Business Development team only
- Power Automate flow runs monthly and deletes records older than 12 months with no associated opportunity
- SAR process documented: designated staff member can export all records for a given email address within 30 minutes
What the Firm Can Demonstrate to the ICO if Challenged
Because the decisions above were made, documented, and built into the system, the firm can demonstrate accountability — the seventh overarching obligation under UK GDPR. They can show the ICO exactly what data they collect, why, for how long, who has access, and how they handle individual rights requests. This is the position every business should be in before their portal goes live.
The Compliance Mistakes UK Businesses Most Commonly Make
Mistake 1: Launching Without a Privacy Notice
Any portal that collects personal data without a privacy notice is in breach of UK GDPR from the moment it goes live. This is one of the most common and easily avoidable errors — and one of the first things the ICO looks for when investigating a complaint.
Mistake 2: Pre-Ticked Marketing Consent Boxes
A pre-ticked box does not constitute valid consent under UK GDPR. Consent must be an active, positive action. Using pre-ticked boxes for marketing opt-ins is a specific area the ICO has enforced against — and it's trivially easy to fix before launch.
Mistake 3: Collecting Data "Just in Case"
Every field on a form must have a clear, documented justification. Collecting fields that might be useful one day violates the data minimisation principle. Before building any form, ask: "What decision or action does this field enable?" If the answer is unclear, remove the field.
Mistake 4: No Retention Policy — Data Held Indefinitely
Many businesses build a portal, collect data, and never delete anything. Years later they hold thousands of records of people who submitted a form in 2019 with no ongoing relationship. This is a storage limitation breach — and creates significant liability if a data breach occurs, because you're responsible for all that data.
Mistake 5: No Plan for Data Breaches
If personal data collected through your portal is accessed, lost, or stolen, you have 72 hours to report it to the ICO. Most businesses that haven't prepared for this will miss that deadline — which compounds the original breach with a procedural one. A simple breach response plan, documented before go-live, is all that's needed.
Do You Need a Data Protection Officer?
Under UK GDPR, a Data Protection Officer (DPO) is mandatory in specific circumstances: public authorities, organisations that carry out large-scale systematic monitoring of individuals, or organisations that process special category data (health, biometric, criminal records, etc.) at scale.
Most UK SMEs using Power Pages for standard business purposes — enquiry forms, supplier portals, customer registration — will not be required to appoint a DPO. However, the ICO recommends that all organisations designate a named individual responsible for data protection, even if a formal DPO is not required. This person should be involved in any decision to build a new portal that collects personal data.
Practical Recommendation for UK SMEs
Designate a Data Protection Lead — typically someone in a senior operations, legal, or IT role — whose responsibilities include reviewing any new data collection initiative before it launches. Build this into your project governance so that compliance is considered at design stage, not after deployment.
Further Reading & Resources
- ICO: UK GDPR Guidance and Resources
- ICO: Guide to Lawful Basis for Processing
- Microsoft Learn: GDPR and Power Pages
- AT Technical: Power Pages Services
- AT Technical: Data Protection Policy
Build Your Power Pages Portal the Right Way from Day One
A compliance problem discovered after launch is far more costly — in time, legal fees, and reputational damage — than building correctly in the first place. AT Technical designs and builds Power Pages portals with UK GDPR compliance built in from the initial specification, not bolted on afterwards.
What AT Technical Includes as Standard:
- Lawful basis review and documentation before build begins
- Data minimisation assessment of every form field
- Privacy notice integration and consent capture configuration
- UK data residency configuration in Dataverse
- Role-based access control scoped to business need
- Automated retention and deletion workflows
- Documented SAR and breach response process on handover
We work with UK businesses across sectors to build Power Pages portals that collect data efficiently, securely, and in full compliance with UK GDPR — so you can focus on your customers, not your compliance exposure.