GDPR compliance that runs in the background, not on your calendar.
Free, no signup required for assessment.
Are you in scope?
Not sure? The 5-minute assessment gives you a definitive answer.
Take the assessment
- 01 Any business established in the EU/EEA that processes personal data, regardless of size.
- 02 Businesses outside the EU offering goods or services to people in the EU, or monitoring their behaviour (Article 3(2)).
- 03 Employers processing personal data of staff in the EU, even with no customers in the EU: employee data is personal data too.
- 04 Processors handling personal data on behalf of others, who carry their own obligations separate from those of controllers.
- 05 Joint controllers, who must set out their respective responsibilities in a transparent arrangement between them (Article 26).
What's required
Plain language, not legal jargon. Citations link to the source regulation.
Lawful basis for every processing activity
Document the specific Article 6 basis (consent, contract, legal obligation, vital interests, public task, legitimate interests) for each processing activity; where you rely on legitimate interests, record the balancing test.
Article 6, GDPR →
Transparent privacy notice
Article 13/14 disclosures: controller identity, purposes, lawful basis, retention periods, recipients, international transfers, data subject rights, and DPO contact details.
Articles 13 & 14, GDPR →
Data subject rights
Operate a documented workflow for access, rectification, erasure, restriction, portability, and objection. Respond within one month of receipt by default; Article 12(3) allows up to two further months for complex or numerous requests, provided you tell the requester within the first month.
Records of processing activities (RoPA)
Maintain a written register under Article 30 covering purposes, categories of data subjects and data, recipients, transfers, retention periods where possible, and a general description of security measures.
Article 30, GDPR →
Data Processing Agreements
Article 28 contracts with every processor handling personal data on your behalf, covering the mandatory terms in Article 28(3): documented instructions, confidentiality, security, sub-processor conditions, assistance, deletion or return at the end of service, and audits.
Breach notification
Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals (Article 33). Where the risk is high, also inform affected individuals without undue delay (Article 34).
Deadlines
- 25 May 2018: GDPR entered into application.
- Ongoing: continuous enforcement. Largest single fine to date: €1.2 billion (Meta Platforms Ireland, Irish DPC, May 2023).
- Ongoing: Schrems II (CJEU, July 2020) invalidated Privacy Shield and requires transfer impact assessments for SCC-based transfers; the EU-US Data Privacy Framework (adequacy decision of July 2023) is the current mechanism for certified US recipients and has itself been challenged before the EU courts.
Consequences
Up to €20M or 4% of worldwide annual turnover, whichever is higher
Lower-tier infringements (including controller and processor obligations under Articles 25 to 39) carry up to €10M or 2%. Beyond fines, non-compliance can block enterprise sales contracts (customers require signed DPAs and evidence of compliance), lead to corrective orders up to a ban on processing (Article 58(2)), expose directors personally where national law provides for it, and trigger reportable incidents under adjacent regulations such as NIS2.
How Skarpix helps
RoPA generator
Build and maintain your Article 30 records of processing activities.
DPIA templates
Run Data Protection Impact Assessments for high-risk processing.
DSR workflow
Track and respond to data subject requests within statutory deadlines.
Vendor DPA register
Catalogue processors and their signed Data Processing Agreements.
Breach response playbook
Templates for the 72-hour notification cascade to supervisory authorities.
Ready to see where you stand on GDPR / data protection (Personvern)?
Frequently asked
Are we GDPR-exempt as a small business?
No. GDPR applies regardless of size. The only scope exemption is for processing in the course of a purely personal or household activity (Article 2(2)(c)), which excludes any business activity. The narrow Article 30(5) relief from keeping records of processing for organisations under 250 employees falls away as soon as processing is more than occasional, is likely to result in a risk, or involves special categories, so in practice it rarely applies.
Do we need a DPO?
You must appoint a DPO (Article 37) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories or criminal-offence data. Many SMEs don't meet these tests, but appointing one anyway is a strong signal of maturity.
What counts as 'personal data'?
Any information relating to an identified or identifiable natural person (Article 4(1)): names, email addresses, IP addresses, cookie IDs, device identifiers, behavioural data, employee files, and more. Pseudonymised data is still personal data; only properly anonymised data falls outside scope.
How does GDPR interact with NIS2?
Significant overlap: the cybersecurity risk-management measures required by NIS2 Article 21 overlap with the GDPR Article 32 security obligations, and a single security incident will often be both a NIS2-reportable incident and a GDPR personal data breach. Skarpix lets you reuse evidence across both modules.
What about transfers to the US?
Use the EU-US Data Privacy Framework where the US importer is certified, or Standard Contractual Clauses with a documented transfer impact assessment. Verify the importer's certification status before relying on the DPF.
Which authority supervises GDPR?
GDPR is enforced by the national data protection authority in each EU/EEA country. A personal data breach is reported to the competent authority within 72 hours (Article 33), and individuals can lodge complaints with it. Administrative fines can reach €20 million or 4% of global annual turnover.