What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

← All risk registers

GDPR · 26 ROWS · 5×5 SCORING

GDPR Risk Register — 26 Risks Mapped to Articles 5–44

Article 32 requires controllers and processors to implement appropriate technical and organisational measures based on risk. Article 35 requires a DPIA when processing is likely to result in high risk to data subjects. This 26-row register feeds both: each risk is scored on likelihood + severity to data subjects (DPIA-style) and mapped to the GDPR articles that govern it.

Who this is for

EU/UK companies (and US companies w/ EU customers) preparing for supervisory-authority review
Privacy / DPO teams documenting Article 32 evidence
Product teams running DPIAs for new features touching personal data

Methodology

Likelihood × Severity-to-data-subject (1–5 each). Severity weighs both the data subject's harm (financial, discrimination, identity theft, distress) and the volume of data subjects affected. ≥15 triggers DPIA per Article 35.

Lawful Basis

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-01	Processing without valid lawful basis	Marketing emails sent without consent or LIA	4×4=16	Consent management platform; documented Legitimate Interests Assessment (LIA) per use case.	2×3=6	Mitigate	DPO	Art. 6
R-02	Special category data without Art. 9 condition	Health/biometric data processed under generic consent	3×5=15	Explicit Art. 9(2) condition documented per category; explicit consent forms for health data.	2×4=8	Mitigate	DPO	Art. 9

Principles

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-03	Excessive data collection (data minimisation)	Sign-up form collects DOB unnecessarily	4×3=12	Field-level review against use case; auto-prune fields not used in any active use case.	2×2=4	Mitigate	Product	Art. 5(1)(c)
R-04	Retention beyond necessity	Customer data retained indefinitely	4×4=16	Documented retention schedule per data category; automated deletion job.	2×3=6	Mitigate	DPO	Art. 5(1)(e)
R-05	Purpose-limitation breach	Marketing data used to train ML models	4×4=16	Purpose register; new-purpose review w/ DPO sign-off; consent re-collection if incompatible.	2×3=6	Mitigate	DPO	Art. 5(1)(b)

Data Subject Rights

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-06	Access request not fulfilled in 30 days	DSAR pipeline manual; missed deadlines	4×4=16	DSR intake portal; 30-day SLA tracker; centralised PII inventory enabling automated extract.	2×3=6	Mitigate	DPO	Art. 12 / Art. 15
R-07	Right-to-erasure failure	Data persists in analytics warehouse after deletion	4×4=16	Erasure pipeline reaches all stores incl. warehouse, backups (with documented exception period).	2×3=6	Mitigate	Engineering	Art. 17
R-08	Portability not provided in machine-readable form	Custom format only	3×2=6	Standard JSON/CSV export covering all Art. 20 in-scope data; documented schema.	1×1=1	Mitigate	Engineering	Art. 20
R-09	Objection to direct marketing not honoured	Unsubscribe takes effect after delay; multiple lists	3×3=9	Centralised suppression list; immediate unsubscribe; tested across all marketing systems.	2×2=4	Mitigate	Marketing	Art. 21
R-10	Solely automated decision without safeguards	Credit / hiring AI lacking human-review path	3×5=15	Art. 22 review per automated decision; human-review mechanism; explanation right.	2×4=8	Mitigate	Product	Art. 22

Privacy by Design

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-11	New product launched without DPIA	High-risk processing not assessed	4×5=20	DPIA gate in product-launch checklist; DPO sign-off required for high-risk launches.	2×4=8	Mitigate	DPO	Art. 25 / Art. 35
R-12	Default settings expose data	Public-by-default profiles	3×4=12	Privacy-by-default review; minimum-disclosure defaults; opt-in for additional sharing.	2×3=6	Mitigate	Product	Art. 25(2)

Records of Processing

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-13	Article 30 RoPA missing or stale	Authority requests RoPA; can't produce	4×3=12	Quarterly-reviewed RoPA covering all controller and processor activities; tooling-backed.	2×2=4	Mitigate	DPO	Art. 30

Processors

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-14	Sub-processor change without notice	Processor changes infra without informing controller	3×4=12	Art. 28 contract w/ change-notification clause; sub-processor list maintained on trust page.	2×3=6	Mitigate	Vendor Mgmt	Art. 28
R-15	Processor without Art. 28 contract	Vendor onboarded with click-through ToS only	4×4=16	Pre-onboarding contract review; standard DPA mandatory; refusal-to-sign vendors blocked.	2×3=6	Mitigate	Legal	Art. 28

Security

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-16	Unauthorised access to personal data	Excessive privileges in production	4×5=20	RBAC; least privilege; MFA; quarterly access reviews; SIEM monitoring.	2×4=8	Mitigate	IT	Art. 32(1)(b)
R-17	Data breach via SQL injection	Web app input not parameterised	3×5=15	WAF, SAST in CI, annual pen test, bug-bounty programme.	1×4=4	Mitigate	Engineering	Art. 32(1)
R-18	Encryption gap	Database backups in clear text	3×5=15	AES-256 at rest including backups; TLS 1.2+ in transit; KMS-managed keys.	1×4=4	Mitigate	SRE	Art. 32(1)(a)
R-19	Unable to restore service in incident	No tested DR	3×4=12	Quarterly test-restore w/ documented RPO/RTO; multi-region.	2×3=6	Mitigate	SRE	Art. 32(1)(c)

Breach

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-20	Notification deadline missed (72h)	Discovery-to-notification process undefined	3×5=15	Breach playbook w/ 72h SA notification + individual notification triggers; tabletop tested.	2×4=8	Mitigate	DPO	Art. 33 / Art. 34
R-21	Failure to document non-notifiable breach	Authority requests breach log; nothing recorded	3×3=9	Internal breach register capturing ALL incidents (notifiable or not) per Art. 33(5).	1×2=2	Mitigate	DPO	Art. 33(5)

Cross-Border

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-22	Transfer to third country without safeguards	Vendor in non-adequate country, no SCCs	4×5=20	TIA per transfer; 2021 SCCs in place; supplementary measures (encryption, access controls).	2×4=8	Mitigate	Legal / DPO	Art. 44 / Art. 46
R-23	Schrems II inadequacies	US sub-processor without supplementary measures post-DPF challenges	3×4=12	DPF reliance + SCC fallback; encryption-in-transit + at-rest; key control where possible.	2×3=6	Mitigate	Legal / DPO	Art. 46

Children

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-24	Child consent threshold not validated	Service used by under-16 in EU member states with no age gate	3×4=12	Age gate at sign-up; parental-consent flow for under-16 (state-specific thresholds).	2×3=6	Mitigate	Product	Art. 8

Governance

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-25	DPO role not designated where required	Public authority / large-scale special-category processor lacks DPO	2×4=8	DPO designation per Art. 37 trigger analysis; published contact details to SA + on website.	1×3=3	Mitigate	Privacy	Art. 37

Marketing

ID	Threat	Vulnerability	Inherent	Control	Residual	Treatment	Owner	Reference
R-26	Cookies set before consent	Analytics + marketing cookies fire on page load	4×3=12	TCF v2.2 / consent banner blocking non-essential cookies until opt-in; quarterly audit.	2×2=4	Mitigate	Marketing	ePrivacy + Art. 6/7

Common pitfalls auditors flag

Treating GDPR risk assessment as a one-time DPIA — Article 32 requires ongoing risk-based security measures.
Severity scored from your business's perspective instead of the data subject's — DPAs reject this.
Forgetting cross-border transfers post-Schrems II / DPF — every US sub-processor needs documented SCC + TIA + supplementary measures.
RoPA stops at controller activities — processors have separate Art. 30(2) obligations.
No retention schedule per category — 'we keep it forever' is the most-cited GDPR finding.

FAQ

Is this register sufficient as a DPIA?

It's a strong DPIA input — but a full DPIA also requires processing description, necessity & proportionality assessment, consultation w/ data subjects (where appropriate), and DPO opinion. Use this register's high-risk rows (≥15) as the DPIA seed.

Do US-only companies need this?

If you process EU/UK/EEA personal data — yes, GDPR applies extraterritorially under Art. 3(2). Check whether you offer goods/services to EU residents or monitor their behaviour.

How does this map to UK GDPR?

Substantially identical, with ICO as supervisory authority instead of EU SAs. UK DPA 2018 + UK GDPR are the operative texts post-Brexit.

How often should we review?

Article 24(1) requires 'regularly review' — most DPAs interpret as annually, plus after material changes (new product, new vendor, breach, regulatory development).

Now run a free GDPR audit on your existing policy

Drop your current policy or describe your environment — ComplianceIQ scores every clause against the framework and tells you which register rows are actually mitigated.

Start free GDPR audit