About this program
A practical 30-minute self-check on the GDPR controls that fail most audits — not a full DPIA.
Risks addressed
- High: No lawful basis recorded for the categories of data processed
- Critical: Breach notification timeline missed (>72h)
- High: No DPA with a Tier-1 processor
Controls (7)
- High: Article-30 Record of Processing Activities maintained
How to test + evidence
Testing procedure: An Article 30 RoPA exists, covers every processing activity, and was last updated within the past 6 months.
Evidence to collect: RoPA file.
- High: Lawful basis recorded per processing activity
How to test + evidence
Testing procedure: Each activity has a documented Article 6 basis (consent, contract, legitimate interest, …); no activity is left blank or marked "TBD".
Evidence to collect: RoPA — basis column.
- High: DPAs in place for all processors
How to test + evidence
Testing procedure: A signed Article 28 data processing agreement is on file for every Tier-1 and Tier-2 processor in the inventory.
Evidence to collect: DPA inventory.
- Critical: Breach notification process tested
How to test + evidence
Testing procedure: Breach workflow exercised in a tabletop; a named DPO (or equivalent owner) and communications templates exist; participants understand that the Article 33 notification to the supervisory authority is due within 72 hours of becoming aware of the breach.
Evidence to collect: Tabletop AAR.
- Medium: Subject access (DSAR) workflow tested
How to test + evidence
Testing procedure: A test DSAR is handled end-to-end within the statutory window (one month from receipt, extendable by up to two further months for complex requests under Article 12(3)).
Evidence to collect: DSAR test report.
- Medium: Privacy notice up to date
How to test + evidence
Testing procedure: The public-facing privacy notice reflects current processing activities and was reviewed within the past 12 months.
Evidence to collect: Notice + review date.
- High: Cross-border transfers via SCCs / adequacy
How to test + evidence
Testing procedure: Every transfer outside the EEA is covered by an adequacy decision (Article 45) or Standard Contractual Clauses (Article 46); a transfer impact assessment (TIA) is on file for each SCC-based transfer.
Evidence to collect: SCC inventory + TIAs.