GDPRIQ

📊 GDPR Compliance Readiness Checklist

Answer yes, partial, or no across ten core GDPR essentials to get a weighted readiness score and a prioritised list of the gaps worth closing first.

Informational only — NOT legal advice, an audit, or proof of compliance. Consult a qualified data-protection lawyer or your supervisory authority; regulations vary by jurisdiction and change over time.

🧮 Rate your readiness

Lawful basis identified for every processing activity
Art. 6 — a documented lawful basis (consent, contract, legal obligation, vital/public interest, legitimate interests) for each purpose.
Records of Processing Activities (ROPA) maintained
Art. 30 — an up-to-date inventory of what data you process, why, who it's shared with, and retention.
DPO appointed or responsibility formally assigned
Art. 37 — a Data Protection Officer where required, or a named owner accountable for data protection.
DPIA process for high-risk processing
Art. 35 — a Data Protection Impact Assessment procedure triggered for high-risk activities before they start.
Breach detection and 72-hour notification procedure
Art. 33/34 — a documented process to detect, assess, and report breaches to the authority (and data subjects) in time.
Process to handle data-subject requests in one month
Art. 12–22 — a workflow to fulfil access, erasure, rectification, and portability requests within the deadline.
Valid consent capture and withdrawal mechanism
Art. 7 — freely given, specific, informed consent that is as easy to withdraw as to give, with records kept.
Data processing agreements with all processors
Art. 28 — Art. 28-compliant contracts in place with every vendor that processes personal data on your behalf.
Data retention and deletion policy in force
Art. 5(1)(e) — defined retention periods and a routine to delete or anonymise data once no longer needed.
Staff data-protection training programme
Accountability (Art. 5(2)) — regular, role-appropriate training so staff know their obligations and how to spot risks.

📊 Readiness score

Weighted readiness
0%
Rating
Critical
Points
0 / 80

Priority gaps to close

  • Lawful basis identified for every processing activity (not in place)
  • Breach detection and 72-hour notification procedure (not in place)
  • Records of Processing Activities (ROPA) maintained (not in place)
  • Process to handle data-subject requests in one month (not in place)
  • DPIA process for high-risk processing (not in place)
  • Valid consent capture and withdrawal mechanism (not in place)
  • Data processing agreements with all processors (not in place)
  • Data retention and deletion policy in force (not in place)
  • DPO appointed or responsibility formally assigned (not in place)
  • Staff data-protection training programme (not in place)

A high-level self-check across ten core essentials — not an audit, certification, or proof of compliance. Weightings are fixed so the score is reproducible. Informational only — not legal advice.

What this checklist does

Compliance is not one thing but a stack of connected practices. This checklist weights the ten that matter most by their regulatory significance, so a missing breach procedure or absent lawful basis moves the needle more than a lighter item. The result is a single readiness figure plus a ranked to-do list.

Scoring is fully deterministic — the same answers always give the same number — which makes it useful for tracking progress over time. It is a compass, not a certificate: it points you at the biggest gaps, and the real work is verifying each control properly.

❓ Frequently Asked Questions

What does the readiness score measure?

It is a weighted self-assessment across ten core GDPR building blocks. Each is answered yes, partial, or no; 'yes' earns the item's full weight, 'partial' half, 'no' none. The score is your weighted total as a percentage of the maximum, giving a quick sense of how far along your programme is. Informational only, not legal advice.

Which essentials does it cover?

Lawful basis for processing (Art. 6), records of processing activities (Art. 30), DPO or assigned responsibility (Art. 37), a DPIA process for high-risk processing (Art. 35), a breach detection and 72-hour notification procedure (Art. 33/34), a data-subject request workflow (Art. 12–22), valid consent capture and withdrawal (Art. 7), processor agreements (Art. 28), a retention and deletion policy (Art. 5(1)(e)), and staff training.

Does a high score mean I'm compliant?

No. This is a high-level self-check, not an audit, certification, or proof of compliance. It cannot see how well each control actually works in practice or capture obligations specific to your context. Use it to spot obvious gaps and prioritise, then verify properly.

Is this legal advice?

No. This tool is informational only and not legal advice. Real compliance depends on your specific processing and jurisdiction. Consult a qualified data-protection lawyer or your supervisory authority; requirements vary and change over time.