
GDPR Risk Assessment That Produces Audit-Ready Evidence
You’re not here because you need GDPR explained. You’re here because you need documented proof that your organisation has assessed and addressed risk, and you need it in a format that holds up when a supervisory authority, an enterprise customer’s privacy team, or your DPO asks for it.
Our GDPR risk assessment produces that documentation. RoPA, DPIA, gap analysis, and a prioritised remediation roadmap – structured as evidence, not just a report.
Assessments from $4,500. Scope confirmed before work begins.
What GDPR Actually Requires From Your Security Program
Article 32 of the GDPR requires controllers and processors to implement “appropriate technical and organisational measures” to secure personal data, and the accountability principle in Article 5(2) requires you to be able to demonstrate that you have done so. That word, demonstrate, is doing a lot of work.
A supervisory authority or enterprise customer won’t take your word for it. They want to see evidence: a documented assessment of what personal data you process, where the risks are, what controls you’ve applied, and how you determined those controls were proportionate to the risk.
Article 32(1)(b) specifically references the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and Article 32(1)(d) requires a process for regularly testing, assessing, and evaluating the effectiveness of those measures. That means your technical controls – access management, encryption, logging, incident response – need to have been reviewed and tested, not just listed in a policy.
Three things regulators look for beyond a policy document:
- A current, accurate Record of Processing Activities (RoPA)
- A completed Data Protection Impact Assessment for any high-risk processing activity
- Evidence that security controls were assessed, not assumed
If your processing involves any of the triggers in Article 35(3) – large-scale processing of special category data, systematic and extensive profiling or automated decision-making with legal or similarly significant effects, or large-scale systematic monitoring of publicly accessible areas – or a trigger on your supervisory authority’s published list under Article 35(4), a DPIA isn’t optional. It’s required before processing begins.
Why a Scanner Won’t Satisfy Article 32 – or a DPA Auditor
Automated vulnerability scanners produce a list of CVEs. They don’t produce data flow diagrams. They don’t identify which systems touch personal data, whether your processors have adequate DPAs in place, or whether your consent mechanism actually meets the standards in Articles 6 and 7.
A scanner gives you a technical snapshot of your attack surface. A GDPR risk assessment gives you an evidence trail that maps processing activities to legal bases, identifies gaps against specific Articles and Recitals, documents your DPIA reasoning, and tells you in writing what your residual risk is and how you’re managing it.
Those are different documents. Only one of them is useful when a supervisory authority asks for your compliance file.
How Our Assessment Works
We run GDPR risk assessments as structured, scoped engagements, not open-ended retainers. Here’s what the process looks like in practice.
1️⃣ Discovery and Scoping (Days 1–3)
We review your products, data categories, processing purposes, user regions, and existing privacy controls. This produces an agreed scope document so you know exactly what’s covered before we start.
2️⃣ Data Mapping and RoPA Build (Days 3–8)
We conduct structured interviews with your product, engineering, and ops teams to trace personal data through your systems. Inputs, outputs, storage locations, processors, retention periods, and transfer mechanisms are all documented in a workbook that becomes your RoPA.
3️⃣ Control Review Against GDPR Articles (Days 8–14)
We review your consent flows, DSR (data subject request) handling, security controls, vendor DPA coverage, SCCs, and breach notification readiness against the specific Articles that apply to your processing activities.
4️⃣ DPIA (where required, Days 10–18)
If your processing triggers Article 35, we scope and document the DPIA, identifying the necessity and proportionality of the processing, the risks to data subjects, and the mitigating measures. This is produced as a standalone document suitable for DPA consultation if required.
5️⃣ Remediation Roadmap (Days 14–21)
All findings are translated into a prioritised backlog: critical gaps, medium-risk items, and lower-priority hygiene fixes. Each item includes a description of the gap, the applicable Article, recommended remediation, and an effort estimate. See our Remediation Services if you need hands-on help implementing fixes.
6️⃣ Executive Readout (Days 21–28)
We present findings to your DPO, legal team, or leadership. The session is recorded and can be shared with your board or with enterprise customers who request evidence of your compliance posture.
What You Get: The Evidence Pack
This is what you’ll have at the end of the engagement – and what you’d hand to a DPA auditor or enterprise procurement team.
| Deliverable | What it is | Why it matters to an auditor |
|---|---|---|
| GDPR Gap Report | Article-by-Article gap analysis with risk ratings | Shows documented assessment against the regulation |
| RoPA Workbook | Complete Record of Processing Activities | Required by Article 30; usually the first thing a DPA requests |
| Data Flow Diagrams | Visual maps of personal data movement | Demonstrates you know what you process and where |
| DPIA Report(s) | Completed assessments for high-risk processing | Mandatory under Article 35; must precede processing |
| Vendor DPA Register | Processor inventory with DPA status and gap flags | Demonstrates processor due diligence (Article 28) |
| Remediation Backlog | Prioritised fix list with effort and ownership | Evidence of a response plan, not just gap awareness |
| Executive Summary Deck | Board-ready summary | For DPO, legal, and senior stakeholder briefings |
All documents are formatted for DPA review – not internal housekeeping. If a supervisory authority opened an inquiry into your organisation tomorrow, this is the file you’d submit.
What an Auditor or DPA Inspector Looks For
Most organisations reach the end of a compliance engagement with a gap report and little else. That’s a problem when an auditor arrives expecting an evidence trail.
Supervisory authorities conducting investigations under Article 58 typically ask for:
- Your RoPA (produced, current, and with a named owner for each processing activity)
- Evidence that DPIAs were completed before high-risk processing was started
- Your processor agreements (DPAs) and evidence they cover the required Article 28 elements
- Documented DSR procedures and evidence they’ve been followed
- Your breach notification log and response procedure
- Evidence that security controls were assessed, not just policy statements
We build our deliverables around this list. Every document we produce is designed to answer a specific question an auditor might ask, not to describe your privacy program in general terms.
For organisations under active DPA inquiry or facing a customer-mandated audit, we can prioritise delivery of specific artifacts. Tell us your timeline when you scope.
Pricing
| Package | Starting Price | Best For |
|---|---|---|
| Starter – Gap Analysis | From $4,500 | Baseline assessment, gap report, remediation roadmap |
| Professional – RoPA + Vendors | From $8,500 | Full data mapping, vendor DPA review, security control review |
| Enterprise – DPIA Support | From $14,000 | High-risk processing, DPIA documentation, stakeholder reporting |
Pricing depends on the number of products in scope, data mapping depth, processor count, and whether DPIAs are required. All engagements are fixed-price with scope confirmed before work begins. See our Pricing page for a full breakdown.
Early-stage teams with a simpler processing footprint can request the GDPR Risk Snapshot from $3,500.
Timeline Expectations
A standard engagement runs 2–4 weeks from kickoff to final deliverables. Enterprise engagements with multiple DPIAs or large processor registers may run 4–6 weeks.
If you’re working toward a specific audit date or customer review deadline, tell us at scoping. We can prioritise the RoPA and gap report in the first two weeks, with DPIA documentation and the remediation backlog following.
We don’t offer accelerated timelines that compress the work, but we can sequence deliverables so the most audit-critical documents land first.
Tell us where you are in your GDPR compliance cycle. We’ll confirm what’s in scope and quote it with a fixed price.
If you’re 6–8 weeks from a customer audit, a DPA inquiry deadline, or a contract renewal that requires compliance evidence, that’s the right time to start. Tell us the deadline at scoping and we sequence the work so your RoPA and gap report land within two weeks of kickoff, with the DPIA documentation and remediation backlog following.
Already know you have gaps to fix? Visit our GDPR Remediation Services page.