📊 GDPR Compliance Readiness Checklist
Answer yes, partial, or no across ten core GDPR essentials to get a weighted readiness score and a prioritised list of the gaps worth closing first.
Informational only — NOT legal advice, an audit, or proof of compliance. Consult a qualified data-protection lawyer or your supervisory authority; regulations vary by jurisdiction and change over time.
🧮 Rate your readiness
📊 Readiness score
Priority gaps to close
- Lawful basis identified for every processing activity (not in place)
- Breach detection and 72-hour notification procedure (not in place)
- Records of Processing Activities (ROPA) maintained (not in place)
- Process to handle data-subject requests in one month (not in place)
- DPIA process for high-risk processing (not in place)
- Valid consent capture and withdrawal mechanism (not in place)
- Data processing agreements with all processors (not in place)
- Data retention and deletion policy in force (not in place)
- DPO appointed or responsibility formally assigned (not in place)
- Staff data-protection training programme (not in place)
A high-level self-check across ten core essentials — not an audit, certification, or proof of compliance. Weightings are fixed so the score is reproducible. Informational only — not legal advice.
What this checklist does
Compliance is not one thing but a stack of connected practices. This checklist weights the ten that matter most by their regulatory significance, so a missing breach procedure or absent lawful basis moves the needle more than a lighter item. The result is a single readiness figure plus a ranked to-do list.
Scoring is fully deterministic — the same answers always give the same number — which makes it useful for tracking progress over time. It is a compass, not a certificate: it points you at the biggest gaps, and the real work is verifying each control properly.
❓ Frequently Asked Questions
What does the readiness score measure?
It is a weighted self-assessment across ten core GDPR building blocks. Each is answered yes, partial, or no; 'yes' earns the item's full weight, 'partial' half, 'no' none. The score is your weighted total as a percentage of the maximum, giving a quick sense of how far along your programme is. Informational only, not legal advice.
Which essentials does it cover?
Lawful basis for processing (Art. 6), records of processing activities (Art. 30), DPO or assigned responsibility (Art. 37), a DPIA process for high-risk processing (Art. 35), a breach detection and 72-hour notification procedure (Art. 33/34), a data-subject request workflow (Art. 12–22), valid consent capture and withdrawal (Art. 7), processor agreements (Art. 28), a retention and deletion policy (Art. 5(1)(e)), and staff training.
Does a high score mean I'm compliant?
No. This is a high-level self-check, not an audit, certification, or proof of compliance. It cannot see how well each control actually works in practice or capture obligations specific to your context. Use it to spot obvious gaps and prioritise, then verify properly.
Is this legal advice?
No. This tool is informational only and not legal advice. Real compliance depends on your specific processing and jurisdiction. Consult a qualified data-protection lawyer or your supervisory authority; requirements vary and change over time.