GDPR Risk Grading — A–F Compliance Scores for UK Partners
Procurement teams don't need a 60-page legal audit. They need a single defensible letter grade with the evidence trail attached. We deliver both, A through F, in under one business day per partner.
GDPR Risk Grade
Eighteen named compliance checks, rolled into a single A–F letter. Designed for procurement and DPO teams who need a defensible vendor-risk position before signing a data-sharing agreement.
compliance_score = weighted_sum(privacy_policy_currency, cookie_banner_compliance, dpo_disclosure, sub_processor_clarity, audit_qualification, going_concern_flag, ...)
We crawl the partner's public domain and read their iXBRL filings, then score against the UK GDPR, IAB TCF v2.2 and the 2026 UK transparency standard. The grade re-runs continuously: the moment a privacy policy goes out of date or a cookie banner regresses, the grade drops.
Companies tripping this signal in the last 24h
Sample of records flagged by the GDPR Risk Grade signal. The full feed updates within minutes of each Companies House submission.
The eighteen checks behind the grade
We split the signal into three families, each contributing a third of the final grade:
Web posture (cookie banners, policies, disclosures)
- Privacy policy currency (last update, GDPR-correct vocabulary)
- Cookie banner compliance (IAB TCF v2.2, pre-consent trackers, “reject all” parity)
- DPO disclosure (named individual, contact route, escalation path)
- Sub-processor list (transparency, geographic scope, transfer mechanism)
- Data-subject rights statement (access, erasure, portability, objection)
- Public breach-notification history (last 24 months)
iXBRL filings (compliance-relevant disclosures)
- Audit qualification status (and the basis, if qualified)
- Going-concern statement (clean, mild flag, severe flag)
- Directors’ report data-protection language
- Beneficial-ownership clarity (PSC filings, transfer events)
- Audit-firm continuity (frequent rotations are amber)
- Late-filing history (an under-rated compliance smell)
2026 UK transparency standard alignment
- Sustainability-linked disclosure presence
- Modern Slavery Act statement (if turnover ≥ £36M)
- Section 172(1) statement quality
- Stakeholder-engagement narrative
- Climate-related financial disclosure compliance
- Risk-management and internal-control statement
Each check returns one of five states (pass, mild fail, hard fail, not-applicable, evidence-missing). We weight the eighteen results into a single 0–100 score, then map it to an A–F band. The full evidence pack (screenshots, filing references, web-archive timestamps) ships with every grade.
Want continuous A–F grading across your supplier list?
The Data Market exposes the GDPR Risk Grade for any UK partner. Upload your vendor CSV and we'll return graded reports within one business day, with full evidence pack and re-grading on every change.