Full Assessment · GDPR + RoPA

Complete GDPR assessment with draft RoPA

Deep dive into your GDPR compliance across 6 areas. We'll generate a draft Record of Processing Activities, fine exposure analysis, and a step-by-step remediation plan — tailored to your company.

6 compliance areas
Draft RoPA included
Fine exposure analysis
~10 minutes
Step 1 of 4

Your company profile

Tell us about your organisation so we can tailor the assessment to your specific GDPR obligations.

Step 2 of 4

Processing activities

Add your main data processing activities. These will be used to generate your draft Record of Processing Activities (RoPA) as required by Art. 30 GDPR. Add at least one, up to five.

Step 3 of 4

Compliance questionnaire

Assess your current status across 6 GDPR compliance areas. Answer honestly — the more accurate your responses, the more useful your assessment.

Legal Basis & Consent (Art. 6, 7, 9)
Each processing activity has a documented lawful basis (consent, contract, legitimate interest, etc.)
Where you rely on consent, it is freely given, specific, informed, and unambiguous — and you can demonstrate it was obtained.
Where you rely on Legitimate Interest, a Legitimate Interest Assessment (LIA) has been conducted and documented.
Personal data is not used for purposes incompatible with the original purpose for which it was collected.

Privacy Notices & Transparency (Art. 13, 14)
Your privacy notice / policy is publicly available, up to date, and covers all mandatory Art. 13/14 information.
Data subjects are informed of their rights (access, rectification, erasure, portability, objection) at the point of collection.
Retention periods for each category of personal data are defined and communicated to data subjects.
Cookie consent is implemented correctly — non-essential cookies are not loaded before the user accepts.

Data Subject Rights (Art. 15–22)
There is a documented process to respond to Data Subject Access Requests (DSARs) within 30 days.
The right to erasure ('right to be forgotten') can be exercised, including with third-party processors.
Your organisation can provide data portability (machine-readable format) where applicable.
A procedure exists for handling objections to processing based on legitimate interest or for direct marketing purposes.

Third-Party Processors (Art. 28, 29)
All third-party processors (cloud services, CRM, email tools, etc.) have signed Data Processing Agreements (DPAs).
You have a complete inventory of all sub-processors and have verified their compliance (Art. 28(2)).
Processors are contractually obligated to notify you of data breaches and assist with data subject rights requests.
Processor contracts are reviewed and updated when their services or sub-processors change.

Technical & Organisational Security (Art. 25, 32)
Personal data is encrypted at rest and in transit, and access is restricted on a need-to-know basis.
A data breach response procedure exists and staff know how to report incidents within the 72-hour regulatory window (Art. 33).
Privacy-by-design and data minimisation principles are applied when building new products or processes.
Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities (Art. 35).

International Transfers (Art. 44–49, SCCs)
You have identified all transfers of personal data to countries outside the EEA (including cloud services hosted in the US).
All international transfers are covered by an appropriate safeguard — adequacy decision, SCCs, or BCRs.
Transfer Impact Assessments (TIAs) have been completed for transfers to countries without an adequacy decision.
International transfers are disclosed in your privacy notice, including the destination country and safeguard mechanism.

Step 4 of 4

Get your full assessment

Enter your email to receive the complete GDPR assessment with your draft RoPA, fine exposure analysis, and implementation roadmap.

Need help implementing these recommendations?

Verdaio can guide you through remediation — from updating your privacy notices to negotiating DPAs and conducting DPIAs.

Talk to us →

This assessment is AI-generated guidance only and does not constitute legal advice. Consult a qualified data protection professional for legal decisions.