Policy Health Check

Ten yes/no questions. Two minutes. Get an honest score on your policy posture and three concrete next steps. We don't store your answers.

1 / 10

Do you have a written, signed-off Data Protection Policy?

A top-level policy approved by an owner or director, reviewed in the last 12 months.

2 / 10

Do you maintain a Record of Processing Activities (RoPA)?

Article 30 register listing your processing purposes, lawful bases and data categories.

3 / 10

Could you respond to a Subject Access Request inside 30 days?

A documented procedure, an inbox to route them to, and someone trained to handle them.

4 / 10

Do you have a documented incident response plan with a 24/7 contact?

Includes severity classification and who to call out of hours.

5 / 10

Have you tested your breach notification path in the last 12 months?

A tabletop exercise or live drill that practised the 72-hour ICO notification path.

6 / 10

Do you have an information classification standard staff actually use?

e.g. Public / Internal / Confidential / Restricted with handling rules per tier.

7 / 10

Do you have a written Access Control Policy with MFA on privileged accounts?

8 / 10

Do you have a current Retention Schedule covering all major record types?

HR, payroll, customer records, marketing, IT logs, contracts.

9 / 10

Do suppliers handling your data sign a written data-processing or security agreement?

10 / 10

Do you have a named Data Protection Lead or DPO?

A specific person, not just "the owner deals with it".