Free Tool · No Signup Required

GDPR Readiness Assessment

15 questions. 5 minutes. Instant personalised gap report with specific policy recommendations for every area you're missing.

🇬🇧 UK GDPR + 🇪🇺 EU GDPR ⏱️ ~5 minutes 🔒 Private — answers never leave your browser

Quick answer. A GDPR readiness assessment scores your current data-protection posture against the UK GDPR and EU GDPR Article 5(2) accountability requirements: documented privacy notice, ROPA (Article 30), DPIA process (Article 35), DSAR procedure, breach notification (72-hour ICO window), processor DPAs (Article 28) and lawful-basis register. This free tool covers the 15 highest-risk areas and produces an instant ICO-shaped gap report — no sign-up, browser-only, five minutes.

0 of 15 answered

1. Foundations

Quick answer. This section covers the documents the ICO expects every controller to hold before anything else: a published privacy notice, a data retention schedule with periods per data type, and a record of processing activities under UK GDPR Article 30. Gaps here usually cascade into every other area.

The core documents every organisation handling personal data needs.

Do you have a documented privacy notice published to employees and customers? Explains what personal data you collect, why, and their rights.
Is there a documented data retention schedule? Specifies how long each type of data is kept before deletion.
Do you maintain a Record of Processing Activities (ROPA)? Article 30 of the UK GDPR requires most organisations to keep one.

2. Data Subject Rights

Quick answer. These questions check how you handle access, rectification, erasure and portability requests under UK GDPR Articles 15–20. The legal response limit is one month, so the check asks whether your DSAR procedure is documented and tested — not just whether one nominally exists.

Handling requests from individuals about their personal data.

Do you have a documented DSAR (Data Subject Access Request) procedure?
Are erasure, rectification and portability requests handled in a documented way?
Can you respond to a subject rights request within 30 days (legal limit)?

3. Breach & DPIA

Quick answer. This section covers incident readiness: a breach response plan with named roles, a DPIA template and trigger process under Article 35, and whether you could notify the ICO of a qualifying breach within the 72-hour window Article 33 requires. All three need written procedures, not informal awareness.

Dealing with incidents and assessing risk for new processing.

Is there a documented data breach response plan with roles and steps?
Do you have a DPIA (Data Protection Impact Assessment) template and process?
Can you notify the ICO of a qualifying breach within 72 hours? Article 33 requirement. Missing this is one of the most common enforcement triggers.

4. Processors & Transfers

Quick answer. These questions test the third-party layer: a data processing agreement with every processor (Article 28), transfer safeguards such as standard contractual clauses or the UK IDTA, and a maintained sub-processor list. Transfer paperwork dates quickly, because sub-processor lists change faster than contracts get reviewed.

Third parties handling data, and cross-border transfers.

Do you have a Data Processing Agreement (DPA) with every third party that processes personal data for you?
Are international data transfers covered by SCCs, UK IDTA, or an adequacy decision?
Do you maintain a list of sub-processors with a change-notification process?

5. Governance

Quick answer. The final section covers accountability: whether a DPO or named data-protection lead is in place, whether staff receive data protection training at least annually, and whether public-facing sites use a compliant cookie-consent mechanism. The ICO’s accountability framework treats these as the evidence that everything else is real.

Accountability structures — who's responsible, training, cookie consent.

Do you have a DPO appointed, or a clear data-protection lead with time allocated?
Do staff receive GDPR / data protection training at least annually?
Do your public-facing websites use a compliant cookie-consent mechanism? Affirmative opt-in, granular categories, easy to refuse, honours withdrawal.
0
% READY

Area-by-area breakdown

Quick answer. Your answers are scored across the five areas above. Green means the documentation for that area is broadly in place, amber means partial or untested, red means missing. Remediate the red areas first — they carry the regulatory exposure the ICO acts on most often.

Recommended policy packs to close your gaps

Quick answer. These recommendations are ranked by the specific gaps you flagged. Each pack generates the missing documents — privacy notice, retention schedule, breach-response plan, DPIA template — citing the UK GDPR articles they implement, so every policy traces back to the obligation it satisfies.

Ranked by the specific gaps you flagged. Pricing is live from our pricing engine.

Questions about this tool

Quick answer. Short answers on scope and accuracy. The check covers the fifteen most common UK GDPR documentation gaps, built from ICO enforcement actions and EDPB guidance — but it is a directional check, not a formal audit and not legal advice.

Is this really free?

Yes. There's no charge and no signup required to see your score. We only ask for your email if you want the detailed PDF report.

How accurate is it?

It covers the 15 most common GDPR gaps we see across PolicySuite customers. It's not a formal audit but it reliably flags the highest-risk areas. We built the question set from UK ICO enforcement actions and EDPB guidance.

What happens to my answers?

Your answers are processed entirely in your browser — nothing is sent to our servers unless you submit your email for the PDF. See our privacy policy.

How the GDPR readiness check works

Quick answer. The readiness check walks the eight ICO accountability framework areas and the GDPR Article 30 ROPA requirements, then surfaces the policies most controllers find missing or outdated against current EDPB guidance. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.

References and primary sources

Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.

The documents that survive enterprise vendor review and regulator scrutiny cite their primary sources clause by clause. Many UK SMEs first discover a policy gap when a buyer’s legal team challenges a generic phrase — for example, a citation to guidance that has since been revised. Checking each policy against the sources above closes that gap before someone else finds it.