Free Tool · No Signup Required

GDPR Readiness Assessment

15 questions. 5 minutes. Instant personalised gap report with specific policy recommendations for every area you're missing.

🇬🇧 UK GDPR + 🇪🇺 EU GDPR ⏱️ ~5 minutes 🔒 Private — answers never leave your browser

1. Foundations

The core documents every organisation handling personal data needs.

Do you have a documented privacy notice published to employees and customers? It should explain what personal data you collect, why and on what lawful basis, and the rights individuals have.
Is there a documented data retention schedule? It should specify how long each type of data is kept before deletion and the justification for that period.
Do you maintain a Record of Processing Activities (ROPA)? Article 30 of the UK GDPR requires most organisations to keep one; the exemption for organisations with fewer than 250 employees does not apply where processing is more than occasional, likely to result in a risk to individuals, or involves special-category data.

2. Data Subject Rights

Handling requests from individuals about their personal data.

Do you have a documented DSAR (Data Subject Access Request) procedure?
Are erasure, rectification and portability requests handled in a documented way?
Can you respond to a subject rights request within one month of receipt (the statutory limit, extendable by up to two further months only for complex or numerous requests, with the individual told of the extension within the first month)?

3. Breach & DPIA

Dealing with incidents and assessing risk for new processing.

Is there a documented data breach response plan with roles and steps?
Do you have a DPIA (Data Protection Impact Assessment) template and process?
Can you notify the ICO of a qualifying breach within 72 hours of becoming aware of it? Article 33 requires notification without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals; either way the breach and the decision must be recorded. Late or missing notification is one of the most common enforcement triggers.

4. Processors & Transfers

Third parties handling data, and cross-border transfers.

Do you have a Data Processing Agreement (DPA) with every third party that processes personal data for you?
Are international data transfers covered by an adequacy decision, EU SCCs (with the UK Addendum for UK transfers), or the UK IDTA, with a transfer risk assessment where a transfer tool is relied on?
Do you maintain a list of sub-processors with a change-notification process?

5. Governance

Accountability structures — who's responsible, training, cookie consent.

Do you have a DPO appointed, or a clear data-protection lead with time allocated?
Do staff receive GDPR / data protection training at least annually?
Do your public-facing websites use a compliant cookie-consent mechanism? Affirmative opt-in before any non-essential cookies are set, granular categories, refusing as easy as accepting, and withdrawal honoured.

Area-by-area breakdown

Recommended policy packs to close your gaps

Ranked by the specific gaps you flagged. Pricing is live from our pricing engine.

Questions about this tool

Is this really free?

Yes. There's no charge and no signup required to see your score. We only ask for your email if you want the detailed PDF report.

How accurate is it?

It covers the 15 most common GDPR gaps we see across PolicySuite customers. It's not a formal audit but it reliably flags the highest-risk areas. We built the question set from UK ICO enforcement actions and EDPB guidance.

What happens to my answers?

Your answers are processed entirely in your browser — nothing is sent to our servers unless you submit your email for the PDF. See our privacy policy.