GDPR Compliance Quick Check

Get instant feedback on your compliance strategy. No registration required.

This tool is designed for EU/UK based businesses, marketing to customers within the EU/UK.

The questions focus on some of the most common mistakes we see and on areas that regulators have been targeting recently.

Step 1

9 Question Quick Check

Answer the questions below. Choose the best fit answer for your organisation.

Step 2

Understanding Your Results

Score 8-9: Well done. You have a good level of compliance and/or are privacy conscious.

Score 5-7: Good work. But you are still at risk of legal action which may result in an investigation and a financial penalty. There is also a risk to the reputation of your brand. Make sure you address any issues raised. Read the explanations in Step 3 to determine what action you need to take.

Score 0-4: Don’t panic. We’ve seen this many times, companies focused on growth can end up forgetting about those pesky data laws. Be aware that right now you are at risk of legal action which may result in an investigation and a financial penalty. You are also at risk of damage to your reputation – brand and career. But this is easily fixed, and you probably won’t need any lawyers unless your data use is complex. Read below to learn more about each issue and how you can fix it. You can also join our email list which will keep you informed when the law changes.

Step 3

Why It Matters and What Action You Should Take

We’ve based this quick check on the areas most commonly targeted by regulators. Below we’ll break down what the law says about your legal responsibilities, why it’s important and what you can do to achieve compliance.

Registration with supervisory authority

Supervisory authorities enforce GDPR and other data privacy laws such as PECR/E-Privacy Regulations. They are present in every EU Member state. The ICO is the UK’s supervisory authority. You can check who your supervisory authority is in your country, using our directory. 

Cookie Consent

Learn about some of the most common mistakes in our recent article:

Data Attribution – Legal Basis for Processing

Customers have the right to request details from you about how and why you process their data under the right to be informed (GDPR). This may include the legal basis for processing. You must be able to evidence the legal basis for processing on request to a data subject (customer, prospect, employee) or to a supervisory authority. If you hold inaccurate or poorly maintained data you may be unable to fully answer such a request. You therefore could be subject to a formal complaint, an investigation and/or a fine. You must keep accurate, detailed records, especially when you are relying on consent to process customer’s data. Otherwise, you need to say goodbye to that data. It’s not worth the risk.


DPIA’s should be completed regularly. Especially following major rulings from the courts that govern the application of data privacy law like GDPR. Most companies will need to update their privacy policies after the recent EU-Schrems II case, which invalidated the EU-US privacy shield

International Transfers

Log all your international data transfers in your DPIA. You need to establish your legal mechanism for each international transfer. Remember that the EU-US Privacy Shield is no longer valid, so another legal mechanism is required to continue transferring data between the EU-US.

Privacy Policy Updates

Privacy policies require regular maintenance. Every time you add a new tool or channel to your marketing stack you should review if any changes to your privacy policy are required. Additionally, any time your reasons for processing data or the types of data you process change you should update your privacy policy. This applies even if you are relying on a legal basis other than consent, for example legitimate interests. Your data subjects have a legal right to access information about how, when and why you process their data under the right to be informed.


While the legal text of GDPR has not changed since it came into force, the way it’s applied has changed many times. New guidance from the EU, court cases and regulator’s judgements can quickly change how GDPR and other data laws are applied. For example, the recent EU-Schrems II case made data transfers between the EU and US invalid overnight. Because things change so often training should be completed frequently. This will also help you keep up with your requirements under the accountability principle of GDPR.

Get email updates from us about data privacy law

We’ll teach you how to be a more ethical with your use of data, and keep you up-to-date with some of the things you need to know to stay on the right side of the law. You’ll also get invites to contribute to our campaigns and events.