Free tool

GDPR maturity self-assessment.

Eighteen questions across five areas of a GDPR programme. It takes about five minutes and gives you an indicative maturity score, with a sense of where to focus next. No sign-up to begin.

This is a self-assessment to start a conversation, not a formal audit. Your answers are sent to me so I can give you a more useful response if you choose to get in touch.

0 of 18 answered

01 Governance and Accountability

1. How clearly are roles and responsibilities for data protection defined?

1Not defined. No one owns data protection in particular. 2Informally understood. The right people know roughly what they handle, but nothing is written down. 3Partly defined. Some roles are documented, others are assumed. 4Mostly documented, though awareness across the business is still patchy. 5Clearly set out in policies, procedures, and job descriptions, with staff who know where to turn and feel able to raise concerns.

2. What is the state of your data protection policies and procedures?

1None in place. 2Established ways of working exist, but nothing is documented. 3Some written policies exist, but they have not been reviewed in a while. 4A solid policy set exists, though it could be applied more consistently in practice. 5Version-controlled policies reviewed at least annually, embedded in induction and training, with evidence they are followed.

3. How is data protection training delivered?

1No training takes place. 2Basic training is part of onboarding, with an annual refresher. 3Training is tailored to actual processes and delivered through more than one format. 4Induction and annual training for all staff, plus specialist training for managers and those in compliance roles. 5Comprehensive annual training for all relevant people, alongside an ongoing awareness programme.

4. How is compliance checked and audited?

1No auditing or compliance checking takes place. 2Audits have happened in the past, but there is no ongoing programme. 3A regular external review takes place, with results seen by senior management. 4The above, plus internal spot checks to confirm staff follow policies. 5A rolling internal audit programme and an annual external audit, with findings reported to leadership and tracked to closure.

02 Records and Data Mapping

5. Do you maintain a record of processing activities (RoPA)?

1No record exists. 2An informal or partial list exists, but it is not complete. 3A RoPA exists but has not been updated recently. 4A reasonably complete RoPA, reviewed occasionally. 5A complete, current RoPA covering all processing, reviewed on a defined cycle.

6. How well do you understand what personal data you hold and where it flows?

1No clear picture of what data is held or where it goes. 2A general sense, but no documented data map. 3Key systems are mapped, but gaps remain. 4Most data flows are mapped and reasonably current. 5A complete, maintained data map covering systems, flows, and third parties.

7. Is a lawful basis identified and recorded for each processing activity?

1Lawful basis has not been considered. 2Considered informally, but not documented. 3Recorded for some activities, not all. 4Recorded for most activities, with occasional review. 5Documented for every activity, reviewed when processing changes, and reflected in privacy notices.

03 Individual Rights

8. How do you handle data subject requests (access, erasure, and similar)?

1No defined process. Requests would be handled ad hoc. 2Handled case by case, with no written procedure. 3A basic procedure exists, but it is not consistently followed. 4A documented procedure with assigned responsibility and tracking. 5A documented, tested procedure with logging, deadline monitoring, and staff trained to recognise requests.

9. Are you confident you can meet the one-month response deadline?

1Unsure we could meet it. 2We could probably manage, but it would be a scramble. 3We can usually meet it, but tracking is manual. 4We meet it reliably, with reminders and oversight. 5We meet it consistently, with logged evidence of timing and outcomes.

10. Are your privacy notices clear, accurate, and current?

1No privacy notices, or seriously out of date. 2Notices exist but are generic and not tailored. 3Notices exist but have not been reviewed recently. 4Notices are reasonably accurate and cover the main processing. 5Notices are clear, specific, reviewed regularly, and aligned to the RoPA.

04 Security and Breach Management

11. What technical and organisational security measures are in place?

1No defined security measures for personal data. 2Basic measures exist, but they are not documented or assessed. 3Reasonable measures in place, though not formally reviewed. 4Documented measures aligned to recognised good practice, reviewed periodically. 5A managed security programme with documented controls, regular review, and risk-based improvement.

12. Do you have a tested data breach response process?

1No breach process exists. 2We would work it out if a breach happened. 3A written process exists but has never been tested. 4A documented process with assigned roles, tested at least once. 5A documented, regularly tested process with clear roles, logging, and lessons captured.

13. How prepared are you to meet the 72-hour breach notification deadline?

1Not prepared. We are unsure what the deadline requires. 2Aware of it, but with no process to meet it. 3We could likely notify in time, but it would be reactive. 4We have a process designed to meet it, with responsibilities assigned. 5We can meet it confidently, with a tested process and a breach log in place.

14. Do you keep an internal record of breaches and near-misses?

1No record is kept. 2Significant incidents might be noted informally. 3A basic log exists but is not consistently maintained. 4A maintained log covering actual breaches. 5A maintained log covering breaches and near-misses, reviewed for patterns and improvement.

05 Third Parties and International Transfers

15. Are data processor relationships governed by written contracts?

1No data processing contracts in place. 2Some contracts exist, but coverage is incomplete. 3Most processors are covered, though terms vary. 4Most processors covered with appropriate data processing terms. 5All processors covered by current contracts with Article 28 terms, tracked centrally.

16. Do you carry out due diligence on processors before engaging them?

1No due diligence takes place. 2Informal checks only, when convenient. 3Some due diligence for larger suppliers. 4A defined due diligence step for most new processors. 5A consistent, documented due diligence process applied to all processors.

17. Do you know whether personal data leaves the EU or EEA, and on what basis?

1We do not know whether data leaves the EU/EEA. 2We think some does, but the basis is unclear. 3We know transfers happen and have a partial view of the safeguards. 4Transfers are mapped, with transfer mechanisms identified for most. 5All transfers are mapped, with valid transfer mechanisms and transfer risk assessments where needed.

18. How do you keep the programme improving over time?

1We do not review or improve it in any structured way. 2We make changes reactively, usually after a problem. 3We review occasionally, but without a set plan. 4We review on a defined cycle and act on findings. 5Continuous improvement is built in, with reviews, metrics, and findings reported to leadership.

06 Your details

So I can send your result and follow up if you would like.

Name

Work email

Organisation (optional)

Anything you would like to add? (optional)

Your result

0/ 90

band

Want to turn this into a concrete plan? A short call is the fastest way.

Book a 15-minute call →

Back to home