Methodology & Scope
Purpose of the Snapshot
The GDPR Risk Snapshot is designed to help businesses gain a clearer internal view of how personal data is currently handled in day-to-day work, and where uncertainty or inconsistency may exist under GDPR or UK GDPR.
It provides a structured way to surface areas that may benefit from further clarification or internal discussion.
How the Snapshot Works
The snapshot uses a structured set of questions that focus on how data handling is understood and described across a business, rather than how it is documented or formally approved.
Participants respond based on current practices, typical workflows, and shared understanding within their business.
The questions are intentionally phrased to identify patterns of uncertainty, such as unclear ownership, fragmented tooling, or informal processes that have not been recently revisited.
These areas are not assessed in isolation. The snapshot looks for combined patterns that may indicate uncertainty, rather than single-point issues.
Areas Covered
The snapshot explores multiple dimensions that commonly influence how GDPR considerations show up in day-to-day work, including:
Data Handling
What personal data the business handles, where it originates, and how it moves through day-to-day work.
Shared Understanding
Whether the people involved in the work have a consistent picture of how personal data is handled, or whether that understanding sits with one person.
Tools and Platforms
How personal data moves across the tools and systems used in normal work, and how clearly that movement is understood.
Third-Party Tools and Services
Whether external tools, platforms, and services that handle personal data are clearly understood, and how that understanding is maintained.
Ownership and Responsibility
Where responsibility for data handling decisions currently sits, and whether that is explicitly held or informally understood.
Decision Clarity
How clearly it is understood who is involved and who decides when a data-related question or situation arises outside normal work.
Alignment Between Practice and Process
How closely day-to-day practices reflect what is documented or understood across the business, and where those two things may have drifted apart.
Confidence
How clearly GDPR considerations are understood in day-to-day work, and whether that understanding is consistent across the people involved.
How Responses Are Interpreted
Responses are evaluated by looking for consistency across answers, indicators of clarity or ambiguity, and alignment between understanding and practice.
The outcome is a written description that reflects the patterns present in the responses. No score or category is shown.
What the Snapshot Is Designed For
The snapshot is intended to support internal discussion, help identify areas where further clarity may be needed, and provide a shared reference point across the people involved in the work.
It can be useful as a starting point before reviewing internal documentation or involving a solicitor or DPO.
Data Handling and Privacy
The snapshot is designed to minimise data collection. No personal data is requested to complete the assessment. Responses are processed solely for the purpose of generating the snapshot outcome.
Payment is handled separately by a third-party provider. Further details are available on the Privacy page.
Use of Results
Results should be treated as an informational input, not a definitive conclusion. They are most effective when used to prompt discussion and identify where further clarity may be needed.
Scope Limitations
The snapshot focuses on general patterns commonly seen in day-to-day data handling. It does not account for highly specialised processing activities, sector-specific requirements, or complex contractual arrangements. For those situations, specialist advice is appropriate.
In Summary
The GDPR Risk Snapshot provides a structured, considered way to examine how personal data is handled in practice and where uncertainty may exist.