Free Tool

GDPR Readiness Score

20 questions across four compliance areas. Get a score out of 100, see where your gaps are, and know exactly what to fix first.

Takes 5 minutes · No email required · Instant personalised results

1. Data Foundations

Section 1 · Q1

Do you have a current Record of Processing Activities (ROPA)?

Section 1 · Q2

Is your privacy notice published and accurate?

Section 1 · Q3

Are you registered with the ICO (if required)?

Section 1 · Q4

Do you have documented procedures for handling data subject requests (access, erasure, portability)?

Section 1 · Q5

Do you conduct regular staff training on data protection?

2. AI Tools & Data Processing

Section 2 · Q1

Have you identified all AI tools in your business that process personal data?

Section 2 · Q2

Have you documented the lawful basis for each AI data processing activity?

Section 2 · Q3

Do you have Data Processing Agreements (DPAs) with all AI vendors?

Section 2 · Q4

Have you assessed whether any AI processes require a DPIA?

Section 2 · Q5

Are there clear procedures if an AI vendor suffers a breach affecting your data?

3. Contracts & Third Parties

Section 3 · Q1

Do your client contracts include data protection clauses covering how you process their data?

Section 3 · Q2

Have you reviewed your AI vendor terms for data use and training clauses?

Section 3 · Q3

Do you have a process for managing third-party data sharing agreements?

Section 3 · Q4

Are your supplier contracts updated to reflect current GDPR requirements?

Section 3 · Q5

Do you conduct due diligence on new vendors before processing personal data with them?

4. Incident Response

Section 4 · Q1

Do you have a documented personal data breach response plan?

Section 4 · Q2

Do you know the 72-hour reporting deadline to the ICO for notifiable breaches?

Section 4 · Q3

Can you identify and contain a breach quickly if one occurs?

Section 4 · Q4

Do you maintain records of data breaches (even those not reported to the ICO)?

Section 4 · Q5

Have you carried out a mock breach exercise or tabletop simulation in the last 2 years?

All questions answered? Get your instant, personalised GDPR readiness score.