Data Protection | RegTechPRO | The DPO's Operating System
DATA PROTECTION · ANNA AI POWERED · UK GDPR · DPA 2018 · PECR · SYSC 3.2.20

Your Data Protection operating system.
Anna drafts your DPO Annual Report from live data.

The DPO's unfair advantage. Accountability under Art 5(2), proved.

UK GDPR, DPA 2018 and PECR. One module. Drafted by Anna from your live ROPA, DSR, breach and DPIA registers — not templated placeholders.

£200/month · One module. Every obligation.

1. Watch the Demo: see the platform in action
2. Book a Consultation: discuss your requirements
3. Receive Your Login: you're live in minutes

7-day free trial included with every plan. No commitment required.

Anna AI
Data Protection Partner
“Your 3 open SARs, one breach under assessment, and two DPIAs due this week…”
UK GDPR Art 15 · Art 30 · Art 35
Compliance Health: 94%
DPO Annual Report: 14 sections · Ready
72-hour breach notification
25+ Years FCA Expertise
Bank-Grade Encryption
SOC 2 Infrastructure
ISO 27001 Infrastructure
UK Based & Hosted
ICO Registered
Who this is for

Every UK firm that holds personal data. Not just the DPO-mandated ones.

UK GDPR, DPA 2018 and PECR apply to every firm that processes personal data. For FCA-authorised firms, SYSC 3.2.20 adds a regulatory duty on top. Most compliance platforms treat data protection as a bolt-on template pack. We treat it as a live operating system.

10 Compliance Pillars · 30 Baseline Controls · 13 Live Registers · 15 Policy Templates · 5 Anna Report Formats

UK GDPR, DPA 2018, PECR and SYSC 3.2.20. 14 DPO Annual Report sections. Anna drafts all of it from your live ROPA, DSR, breach and DPIA registers in approximately 3 minutes, not the 3–5 days a DPO usually spends writing from scratch. Your firm's actual data, not templated placeholders.

The Problem

Data Protection shouldn't feel like this

If your ROPA lives in one spreadsheet, your SARs in an email folder, your breach log in SharePoint and your DPIAs with a consultant, you're one ICO audit letter away from a very bad month. This is where most UK firms are stuck.

ROPA in a spreadsheet. SARs in your inbox.

Records of Processing, DSR log, breach register, DPIA folder, vendor DPAs, retention schedule, consent evidence. Every UK GDPR Art 30 / Art 15 / Art 33 obligation scattered across workbooks nobody version-controls. When the ICO asks for your accountability trail, you're flicking between ROPA_FINAL_v9 and an email thread.

ROPA_2026_v9_FINAL.xlsx
SAR_Tracker_Q3.xlsx
Breach_Register_LIVE.xlsx

Outsourced DPO. Still your accountability.

You can outsource the DPO role. You can't outsource UK GDPR Art 5(2). The firm stays controller. You still sign the DPO Annual, you still face the ICO in an audit, and the consultant still hands you back a Word doc every December that's half template and half last year's version.

Outsourced DPO retainer Annual
Data Protection audit One-off
Policy pack refresh Ad hoc

ICO breach clock: 72 hours.

UK GDPR Art 33 gives you 72 hours from awareness to notify the ICO of a personal data breach. Art 34 requires notification to affected data subjects without undue delay for high-risk breaches. If your response still starts with “who do we tell, and when?”, you're already behind.

72 hrs
ICO breach notification deadline.

DPO Annual Report: 5 days of the DPO's year.

The 14-section DPO Annual Report (UK GDPR Art 39) takes a DPO 3–5 days to write from scratch. Board quarterly. ICO accountability pack. DPIA sign-offs. Training matrices. Retention reviews. The evidence the ICO expects never stops arriving, and it's all due at once.

DPO Annual (Art 39)
ICO Accountability Pack
Board DP Quarterly

If your data protection workflow currently lives in spreadsheets, a consultant's inbox and the fortnight before the ICO comes asking, the Data Protection module is for you.

The Data Protection Edge

Three ideas that separate RegTechPRO from yet another GDPR template pack.

Most data protection tools ship a folder of Word templates and a generic cookie scanner. The Data Protection module stands on three principles that let Anna draft regulator-grade reports: live-data grounding, a structured ICO accountability instrument, and coverage across every UK data protection obligation.

Step 1
Your live data
13 registers, 30 baseline controls, ROPA · DSR · Breach · DPIA
Step 2
Structured workflow
11 tabs, 30 baseline controls, 10 weighted pillars, 15 policies
Step 3
Regulator-grade output
5 Anna-drafted report formats, cited to statute

One pipeline. Not three separate products. The compliance cycle runs on its own.

Anna reads your registers. Not a template.

Every DPO report is drafted from the firm's own live data. 13 structured registers — ROPA, DSRs, breaches, DPIAs, transfers, consent, vendors, training — are passed to Anna, who drafts a report grounded in what's actually recorded. SARs appear by reference, breaches by incident ID, vendors by name. Output is a 14-section DPO Annual Report (Art 39), Board Quarterly, ICO Accountability Pack, Executive Summary or Comprehensive Hybrid. Generic GPTs cannot do this.

Art 39-aligned · 5 report formats · Live-grounded

The ICO accountability test. Running live.

30 baseline controls mapped to the ICO Accountability Framework, each cross-referenced to UK GDPR article, DPA 2018 provision, PECR regulation or SYSC requirement. Toggle Met / Partial / Not Met and the Gap Analysis tab produces a prioritised Critical/High/Medium/Low remediation plan. Same instrument the ICO uses when asking for evidence, always on, tracked, with evidence notes attached per control.

UK GDPR · 30 controls · ICO Accountability Framework

Every obligation. One workflow.

ROPA, Lawful Basis & Consent, DSRs, Breaches, DPIAs, International Transfers, PECR & Marketing, Governance & DPO, Retention, Vendors, Training, Security. Every UK data protection obligation in one module. The pillar-weighted Health score uses customisable weights and consistent, transparent scoring so the Board sees real strength and weakness. Click any pillar tile to see the exact sections driving that score. The Dashboard isn't a status view. It's a routing system.

UK GDPR Art 5–49 · DPA 2018 · PECR · SYSC 3.2.20
The Solution

Your DPO function, as structured software.

One living record across 11 tabs. 30 baseline controls mapped to the ICO Accountability Framework, 13 live registers, 15-policy governance library, and a 10-pillar Health score with customisable weightings. Every register, every obligation, every piece of evidence feeding Anna's five regulator-grade report formats.

Data Protection Dashboard: health score, 10 pillar breakdown, 30-control checklist, key review dates

A 30-second DPO view of the firm: Data Protection Health score (60% pillar composite + 40% baseline control checklist), all 10 weighted pillars with RAG bars, the 30-control ICO Accountability checklist, and the upcoming review dates for DPIAs, DSR SLAs and retention reviews. All on one screen.

DPO Annual Report: 14-section Art 39 output, Anna-drafted from live data

The 14-section DPO Annual Report under UK GDPR Art 39. Anna drafts every section from your live registers. ROPA activities from your register, DSR stats from your request log, breaches by incident ID, DPIAs by project, transfers by recipient, training from your matrix. Export to PDF, sign, file. Plus four more formats: Board Quarterly, ICO Accountability Pack, Executive Summary, Comprehensive.

Data Subject Rights and Breach registers: SLA tracking, 72-hour workflow, incident status

The DSR and Breach registers, live. Every Art 15–22 request logged with 1-month SLA, ID status, scope, exemptions and outcome. Every personal data breach logged with 72-hour ICO notification, Art 34 subject communication, risk assessment and remediation. Auto-escalation, MI for the Board, full audit trail.

The 14-Section DPO Annual Report

Drafted by Anna. Attested by your DPO.

The UK GDPR Art 39-aligned annual report the ICO expects in an accountability audit. Drawn from your live ROPA, DSR register, breach log, DPIA archive and transfer register, with every claim mapped to UK GDPR, DPA 2018, PECR and SYSC 3.2.20. Three days of DPO drafting compressed into one review cycle.

Every section. Every UK data protection anchor.

Anna drafts all 14 sections of the UK GDPR Art 39-aligned DPO Annual Report from your own 13 live registers: ROPA activities, DSR requests, breach incidents, DPIAs, transfers, consent evidence, vendors, training. Each section cites UK GDPR, DPA 2018, PECR, ICO guidance or FCA SYSC so the ICO can trace every claim to its regulatory source.

14 Sections drafted · 30 Baseline controls tested · 13 Live registers feeding Anna · ~30s To full draft
1. Executive Summary & DPO Confirmation · Art 39
2. The DPO Function & Independence · Art 37–38
3. Accountability & Governance · Art 5(2) / 24
4. Records of Processing (ROPA) · Art 30
5. Lawful Basis & Consent · Art 6 / 7 / 9
6. Data Subject Rights · Art 12–22
7. Personal Data Breaches · Art 33–34
8. DPIAs & Privacy by Design · Art 25 / 35
9. International Transfers · Art 44–49
10. PECR & Direct Marketing · PECR 6 / 21 / 22
11. Training & Awareness · Art 39(1)(b)
12. Security & Processor Oversight · Art 28 / 32
13. Regulatory Engagement · ICO Accountability
14. Conclusions & Forward Plan · SYSC 3.2.20
ICO Accountability · live DSR & breach register

Every data subject request. Every breach. Timestamped.

The ICO asks the same two questions in every accountability audit: show us your DSR log and your breach register. Here they are. Art 15 requests tracked against the 1-month SLA, personal data breaches decisioned against the 72-hour notification window, cross-referenced to the data subject record and preserved across the ICO retention horizon.

Raised by | Request / incident | Date raised | Status
Amina Okonkwo (DPO Admin · DSR desk) | Art 15 SAR: former customer requesting full data export, call recordings and complaint correspondence. ID verified; scope confirmed; 28 days remaining. | Mar 24, 2026 | In progress
Rajesh Iyer (Head of IT · 2LoD) | Personal data breach: misdirected email with 42 customer records to wrong distribution list. Recalled in 14 min; risk assessed low; ICO not notifiable but logged under Art 33(5). | Mar 12, 2026 | Documented
Helena Brandt (Vendor Manager · 2LoD) | Processor breach notification (Art 33(2)): marketing vendor confirmed unauthorised access to a mailing list. ICO notified within 72 hrs; data subjects contacted under Art 34. | Feb 27, 2026 | ICO notified
Daniel Acheampong (Deputy DPO · DPO cover) | Art 17 erasure request: employee-of-applicant seeking removal of CV and interview notes. Legitimate interest balance assessed; partial erasure actioned; log retained. | Feb 14, 2026 | Resolved
Priya Narayanan (DPO · SMF3 accountability) | DPIA approved: new customer-onboarding ML model (credit risk scoring). Residual risk low, Art 22 safeguards in place, annual review scheduled, ICO consultation not required. | Jan 30, 2026 | DPO signed

Three named attestors. One ICO audit trail.

UK GDPR Art 5(2) makes the controller personally accountable, not a committee. The DPO (Art 37–39) confirms adequacy, the senior manager responsible for data protection counter-signs, and the CEO attests. Once locked, the report is immutable and reproducible across the ICO’s accountability retention horizon.

DPO · Art 37–39
Priya Narayanan
Data Protection Officer
Signed Mar 27, 2026
SMF3 · Chief Compliance
Jennifer Okafor
Chief Compliance Officer
Signed Mar 28, 2026
SMF1 · Chief Executive
Shivani Patel
Chief Executive Officer
Signed Mar 29, 2026
Report locked · Mar 29, 2026 · 17:08 GMT Read-only. Source-matched to 13 live registers. Reproducible across the full ICO accountability retention horizon.
What's Included

Every data protection obligation, in one module.

ROPA, Lawful Basis & Consent, Data Subject Rights, Breaches, DPIAs, International Transfers, PECR & Marketing, Governance, Retention, Vendors, Training and Security. 13 live registers, the 30-control ICO Accountability checklist, 15-policy governance library, and Anna's five regulator-grade report formats.

Flagship

The 14-section DPO Annual Report. Anna-drafted from your live data.

A senior DPO would spend 3–5 days writing this from scratch. Anna drafts every section from your registers: ROPA activities from your Art 30 record, DSR stats from your request log, breaches by incident ID, DPIAs by project. Per-section regenerate, export to PDF.

DPO Annual Report · Draft 14 sections
✓ 1. Executive Summary
✓ 2. DPO Function & Independence
✓ 3. Accountability & Governance
✓ 4. Records of Processing (ROPA)
✓ 5. Lawful Basis & Consent
✓ 6. Data Subject Rights
✓ 7. Personal Data Breaches
✓ 8. DPIAs & Privacy by Design
+ 6 more sections · UK GDPR Art 39 mapped · 5 report formats
“Drafted Section 7 from your breach register: 3 logged this year, 1 ICO-notified within 72 hrs, 0 data-subject notifications required. Cited UK GDPR Art 33–34.”
14 Art 39 sections · 5 Report formats · ~30s To full draft
Statutes cited: UK GDPR · DPA 2018 · PECR · ICO Accountability · SYSC 3.2.20 · MLR 2017 reg 40 · ICO CCTV Code
✓ Drafted from 13 live registers, not templated placeholders
✓ Per-section regenerate: refresh DSR alone if a new request lands
✓ Board Quarterly, ICO Accountability Pack, Executive Summary all ship alongside
✓ Every claim traceable to article. ICO-ready by construction
PDF ready
Data Protection Health

10 weighted pillars. 30-control ICO checklist. One score.

60% pillar composite plus 40% ICO Accountability baseline checklist, designed not to be gamed. A firm can complete every section and still score red if the DPO isn’t appointed or the breach register isn’t live. The 40% catches ICO-minimum floors that qualitative completion can miss. RAG-banded at Green ≥80, Amber 50–79, Red <50. Customise the pillar weights; the score recomputes live.

Composite score Green ≥ 80
94%
DP Health
Complete: 56 · Partial: 10 · Not started: 0 · Sections tracked: 36
Live recompute
Weights updated
10 Weighted Pillars

ICO-priority defaults. Re-weight to your risk.

A high-DSR-volume firm can weight DSR to 22; a high-vendor firm can push Vendors to 18; a low-transfer firm can drop Transfers to 4. The defaults reflect ICO enforcement priorities, but the sliders are yours. Every weight change recomputes the Health score live. Click any pillar tile to see the sections driving its score, then jump straight to the work. The Dashboard isn’t just a status view, it’s a navigation system.

Pillar weights Live
Governance & DPO: 18%
Data Subject Rights: 14%
Breach Management: 14%
Lawful Basis & Consent: 12%
ROPA: 10%
DPIAs: 8%
Transfers · PECR · Retention · Training: 24%
Sum = 100%
30-Control Checklist

Every ICO-accountability control. Mapped to statute.

The 30-row ICO Accountability Framework grid: DPO appointed under Art 37, ROPA maintained under Art 30, DSR SLA tracked against Art 12, breach notification within 72 hrs under Art 33, DPIA screening for high-risk processing under Art 35. Every row cites the exact UK source: UK GDPR, DPA 2018, PECR, ICO guidance, SYSC.

ICO Accountability grid 29 / 30 Met
Control | Regulatory source | Status
DPO appointed & independent | UK GDPR Art 37–38 | Met
ROPA maintained | UK GDPR Art 30 | Met
DSR 1-month SLA | UK GDPR Art 12(3) | Met
72-hr breach notification | UK GDPR Art 33 | Met
DPIA screening for high risk | UK GDPR Art 35 | Met
Processor DPAs in place | UK GDPR Art 28 | Partial
PECR cookie consent (CMP) | PECR reg 6 | Met
Article-cited
Breach Register

72-hour ICO clock. Art 33 / 34 workflow.

Every personal data breach logged against the 72-hour notification window. Triage matrix, risk assessment, ICO notification, Art 34 subject communication, processor-breach tracking (Art 33(2)), remediation, near-miss register.

Incident log UK GDPR Art 33
3 YTD · 1 ICO-notified · 0 Art 34 issued
72-hour notification SLA · last incident logged 22 Mar 2026 · UK GDPR Art 33(1)
Art 33 / 34
DSR Register

Access · Rectification · Erasure · Portability.

Every UK GDPR Art 15–22 request logged with 1-month SLA (extendable to 3), ID verification, scope assessment, DPA 2018 exemption review, DPO review, response and audit log. Auto-escalation at Day 21 and Day 28.

SLA register Art 12–22
7 Open SARs · 2 Erasures · 100% 1-mo SLA
✓ 1. Request received · logged < 24 hrs
✓ 2. Identity verified · Art 12(6)
✓ 3. Scope assessed · DPA 2018 Sch 2 exemptions
◐ 4. DPO review · Day 21
○ 5. Response issued · within 1 month
Statutory anchor: UK GDPR Art 15 (access) · Art 17 (erasure) · Art 20 (portability) · Art 21 (objection) · DPA 2018 Sch 2 exemptions.
Recent activity Q1 2026
DSR-2026-07 · Art 15 SAR · Issued
DSR-2026-06 · Art 17 erasure · DPO review
1 month + 2
DPIA Register

Screen every project. Assess high-risk. Evidence Art 25.

DPIA screening against the ICO list (profiling, special-category, tracking in public spaces, AI/ML, biometrics, children’s data), full DPIA workflow, residual-risk assessment, DPO + SMF sign-off, Art 36 ICO consultation when needed, Privacy by Design evidence bank.

DPIA pipeline UK GDPR Art 35
11 Approved · 2 In review · 9 Triggers
Screening mandatory for high-risk processing – next review 30 Jun 2026 · Art 25 / 35
Privacy by Design
International Transfers · TRA · IDTA / SCCs

Transfer Risk Assessment. Every restricted transfer logged.

UK GDPR Ch 5 coverage: adequacy mapping, IDTA and SCCs + UK Addendum, BCRs for intra-group, Art 49 derogations used narrowly. ICO TRA methodology with post-Schrems II US surveillance assessment (EO 14086, FISA 702), supplementary measures library (encryption, pseudonymisation, audit rights), per-vendor documentation.

Transfer map UK GDPR Art 44–49
EEA (adequate) US (Data Bridge) Canada Japan Switzerland India (IDTA) Singapore (IDTA) Australia (SCCs) Philippines (SCCs) + intra-group BCRs
Post-Schrems II
Gap Analysis · ICO Accountability

A full ICO accountability instrument. Built in.

30 baseline controls across 10 pillars mapped to the ICO Accountability Framework: Governance, DPO, ROPA, Lawful Basis, DSR, Breach, DPIA, Transfers, PECR, Training. Met / Partial / Not Met / N/A with evidence notes, plus “+ Generate remediation plan (Anna AI)”. Re-runnable every time your situation changes, not a one-off Word doc you file away.

10-pillar audit Evidence-backed
29 Met · 1 Partial · 97% Gap Score
Remediation by Anna
ROPA · Lawful Basis · Consent · Vendors

Four live registers. ICO-audit-ready.

ROPA (Art 30), Lawful Basis / LIA register, Consent register with evidence, and Vendor / Art 28 DPA register. DPO sign-off, annual review cadence, sub-processor tracking.

Registers DPO + SMF3
ROPA: 24 activities
Lawful Basis: 6 LIAs signed
Vendors (Art 28): 18 DPAs
Annual review
15-Policy Library

Every DP policy. One tile each.

Data Protection Policy · DPO Responsibilities · Breach Procedures · Consent & Withdrawal · Cookie Policy · PECR · Data Retention · Data Erasure · International Transfers · SAR Manual · SAR Form · Confidentiality · CCTV · Cyber Security Risk · GDPR Staff Communication. Each anchored to UK GDPR, DPA 2018, PECR or ICO guidance.

Policy shelf Board-dated
15 Policies · 100% Board Approved
Article-anchored
Retention & Erasure

Storage limitation. Article 5(1)(e) evidenced.

Retention schedule per data category with the higher of FCA / MLR 2017 / HMRC / civil limitation periods, disposal controls (tamper-evident), right-to-erasure workflow (Art 17) with legitimate grounds for refusal. Processor retention-cascade tracking.

Retention periods Art 5(1)(e)
Customer records: 5 yrs (MLR reg 40)
Marketing data: Consent-based
CCTV footage: 31 days
Art 17 workflow
PECR & Marketing

Cookies · Email · SMS · Phone. All covered.

Cookie inventory & CMP (PECR reg 6, pre-consent blocking of non-essential), direct marketing opt-in evidence, soft opt-in policy, TPS/CTPS suppression (28-day check), CLI requirements (PECR reg 21(4A)), Special Category Data safeguards (Art 9) and ICO Direct Marketing Code alignment.

Marketing controls PECR reg 6 / 21 / 22
PECR reg 6 (cookies) PECR reg 22 (email) PECR reg 21 (calls) TPS / CTPS ICO DM Code
Soft opt-in scoped
Training Matrix

Every staff member. 30-day onboard. Annual refresh.

UK GDPR Art 39(1)(b) data protection awareness training for all staff within 30 days of joining, annual refresher, role-specific modules for DSR handlers and marketing teams. Staff-by-staff completion, score and next-due, auto-flagged in the DPO Annual Report.

Training log Art 39(1)(b)
100% Completion · Avg 94% Score · 5 yr Retention
Auto-flagged in DPO report
Key Review Dates

Six anchor dates. Always front-and-centre.

Policy annual review · ROPA quarterly review · DSR SLA dashboard (weekly) · DPIA review (per project) · DPO Annual Report (year-end) · ICO registration renewal. Computed from your data and pinned to the dashboard strip.

Accountability calendar ICO Accountability
DPO Annual Report: Year-end
ICO Registration: Renews 31 Mar 2027
ROPA Quarterly: 30 Jun 2026
Pinned to dashboard
5 Anna Report Formats

One dataset. Five regulator-grade outputs.

This is what no other UK RegTech platform for small and mid-size firms can replicate. Every generation uses your firm’s actual registers (ROPA activities, DSR requests, breach incidents, DPIAs, transfers, consent evidence), not templated placeholders. Per-section regenerate means refining just the DSR section if a new request lands; the rest of the report stays intact.

Output formats Per-section regen
Format 1
DPO Annual
Art 39 · 14 sections
The annual report the ICO expects in an accountability audit
Format 2
ICO Accountability Pack
8 sections · Audit response
Evidence aligned to the ICO Accountability Framework
Format 3
Board Quarterly
SYSC 3.2.20 · Quarterly
Risk committee / board-pack deliverable
Format 4
Executive Summary
1-page · DPO
One-page brief for CEO / CRO
Format 5
Comprehensive
Hybrid · Audit-grade
Full hybrid pack combining all three formal reports
Why it works: generic AI tools can’t replicate this without access to your live compliance data. 13 registers + 10 pillar weights + 30 baseline controls + Art 5–49 guidance feed every generation.
No placeholders
Anna AI · Live-Data-Grounded

Anna’s prose names your actual data. Not placeholder examples.

Every Anna generation draws from your live module data — all 13 registers, 11 tab statuses, 10 pillar weights, 30 baseline control answers — so the output is grounded in what’s actually recorded, not generic AI guesswork. Tables are built from your ROPA, DSR and breach logs. When your data changes, the next generated section changes with it.

Module data sent to Anna 13 registers
13 Registers · 11 Module tabs · 10 Pillar weights · 30 Controls
Grounded
Your data only
No placeholders
MI Dashboard
Real-time compliance health, RAG scoring, Anna AI executive summaries.
Horizon Scanning
Live feed from 13+ regulators, AI-filtered to your firm type.
Document Library
Cross-module evidence vault with provenance and version history.
Firm Compliance
Central firm records, permissions, AR networks, FCA filings.
Media Hub
Compliance videos, webinars, training, curated regulatory content.
Consumer Duty
Full PRIN 2A: four-outcome assessments, board reports, RAG MI.
People Compliance
SM&CR, APER, Conduct Rules, Fit & Proper, CPD tracking.
Monitoring Plan
1,102 expert review templates across 74 FCA categories, plus HMRC, HSE, TPR and ICO coverage.
Policy Studio
AI-drafted policies, version control, operationalised into trackable tasks.
Operational Resilience
SYSC 15A: IBS mapping, impact tolerances, stress tests, Anna BCP.
Risk Management
5×5 register, heat maps, risk appetite, three-score scoring.
Application Tracker
FCA authorisations, VoPs, individual registrations, Anna blueprints.
Financial Crime
AML, sanctions, ABC, fraud, market abuse, MLRO annual report.
Kiosk Mode
Password-protected forms for non-users. Surveys, attestations, staff declarations.
See the Data Protection module in your firm

£200/month · One module. Every obligation.

Anna AI for Data Protection

Ask her UK GDPR questions.
Let her write your 14-section DPO Annual Report.

Anna is trained on UK GDPR, DPA 2018, PECR, ICO Accountability Framework, ICO CCTV Code, ICO Direct Marketing Guidance and FCA SYSC 3.2.20. She answers DSR, breach, DPIA, consent and transfer questions in seconds, cited to article, and writes every section of your DPO Annual Report (plus Board Quarterly, ICO Accountability Pack, Executive Summary and Comprehensive) from your own live registers.

Anna, RegTechPRO's AI Compliance Assistant
Hi, I'm Anna!
DPO-GRADE · UK GDPR · DPA 2018 · PECR TRAINED

Your DPO’s data protection research desk and 14-section report author, in one.

Anna does two things for Data Protection. First, she answers any DSR, breach, DPIA, consent, transfer or PECR question your team throws at her, cited to UK GDPR, DPA 2018, PECR, ICO guidance or FCA SYSC. Second, she drafts the 14-section DPO Annual Report (plus four more regulator-grade formats) from your firm’s own live registers, naming your actual DSR references, your actual breach incidents, your actual DPIAs.

  • Answers UK GDPR, DPA 2018, PECR and ICO Accountability queries with article citations
  • Drafts the 14-section DPO Annual Report (Art 39) in minutes, not days
  • Grounded in your 13 registers: ROPA, DSRs, breaches, DPIAs, transfers, consent, vendors, training
  • Never reports for you. DPO keeps Art 39 accountability at input and sign-off
Your DPO research desk

Ask Anna any data-protection question. Get an article-cited answer.

“Can we rely on legitimate interests for this new processing?” “Is this breach Art 34-notifiable to the data subjects?” “Do we need a DPIA for this marketing campaign?” Anna answers from UK GDPR, DPA 2018, PECR, ICO guidance and your live data-protection data, in seconds, with citations.

  • UK GDPR, DPA 2018, PECR, ICO Accountability Framework grounded
  • Cites article, regulation & your own registers
  • Reads your 13 live registers (ROPA, DSR, breach, DPIA, transfer…)
  • Available across every DP tab
Anna AI
Online · AI Compliance Advisor
We’ve just discovered a misdirected email with 230 customer records went to an external distribution list. What do we do in the next 72 hours?

Treat as a live personal data breach. UK GDPR Art 33 gives you 72 hours from awareness. Four immediate steps:

  • Contain. Recall the email, ask external recipients to delete and confirm in writing. Log the awareness-time on the incident record (Art 33(1)).
  • Assess risk. Apply the ICO severity methodology: data categories, volume, identifiability, consequences for affected individuals.
  • Notify the ICO within 72 hrs. If likely to result in risk, notify under Art 33(3). If not, document the reasoning under Art 33(5).
  • Notify data subjects. If risk is high, issue Art 34 communication without undue delay using the pre-drafted template.

Your Breach Register has no similar incident in the last 12 months. I’ve drafted the ICO notification and the Art 34 data-subject letter for your DPO review.

Drawn from: UK GDPR Art 33 / 34 · ICO Breach Guidance · Your Breach Register

ICO-audit-ready the moment they call.

Anna writes the 14-section DPO Annual from your live registers, produces the ICO Accountability Pack and the Board Quarterly on demand, and answers any DSR, breach or DPIA question your team asks, cited to article. See her draft your DPO Annual in a live demo.

Book a live demo See everything Anna produces
What Our Clients Say

Data Protection, under control.

From DPOs to Heads of Compliance: how firms are replacing outsourced DPO retainers and spreadsheet ROPAs with a single live data-protection operating system.

5.0

I used to spend the first week of every year writing the DPO Annual from scratch, flicking between the ROPA workbook, the DSR tracker, the breach log and half a dozen emails. Now Anna drafts all 14 sections from our live registers and I sign it. The ROPA, the 30-control ICO checklist and the Gap Analysis sit in one place, and I can answer an ICO auditor’s question in 30 seconds instead of 30 minutes.

James Hartley Data Protection Officer, Payments & E-Money Firm
4.7

We used to rely on an outsourced DPO function that produced a Word doc every December. I trialled the Data Protection module against our existing data, did the 30-control Gap Analysis in an afternoon, and Anna drafted a better DPO Annual than the consultant had ever delivered. The DSR and breach registers alone are worth the subscription.

Li Zhang Head of Compliance, Wealth Manager
FAQs

Data Protection module, questions answered

Everything you need to know about the DPO workflow, Anna’s 14-section report, the Gap Analysis, and how the module sits inside UK GDPR, DPA 2018 and PECR.

Does Anna really draft the whole 14-section DPO Annual Report?
Yes. Anna drafts all 14 sections of the UK GDPR Art 39 DPO Annual from your firm’s live data: DPO function, accountability, ROPA activities, lawful basis and consent, DSR register, breach log, DPIA archive, international transfers, PECR & marketing, training, security and regulatory engagement. She names your actual DSR references, your actual breach incidents, your actual DPIA projects. Never placeholder examples. You review, edit, sign and export. A DPO would usually spend 3–5 days on this. Anna does it in minutes.
Which other regulator-grade reports can Anna produce?
Five formats in total from the same dataset: (1) DPO Annual Report (Art 39), (2) Board Quarterly Pack (5-section exception report), (3) ICO Accountability / Audit Response Pack (8 sections, aligned to the ICO Accountability Framework), (4) Executive Summary (1–2 pages), (5) Comprehensive Hybrid. Per-section regenerate means you can refine just the DSR section when a new request lands, without rewriting the whole report. Every generation is constrained to the data provided — Anna does not invent examples or fill gaps with generic content.
Is it mapped to UK GDPR, DPA 2018, PECR and ICO guidance?
Every section, explicitly. DPO function maps to Art 37–39; ROPA to Art 30; Lawful Basis to Art 6, 7, 9; DSRs to Art 12–22 and DPA 2018 Sch 2 exemptions; Breaches to Art 33–34 and ICO breach guidance; DPIAs to Art 25 & 35 and the ICO DPIA list; Transfers to Art 44–49, the UK IDTA and ICO TRA methodology; PECR to reg 6 (cookies), 21 (calls), 22 (email/SMS); Security to Art 28 & 32 and SYSC 3.2.20. Each accordion field carries its own article-reference tag.
Can we edit the draft before the DPO signs it off?
Yes. Every section is editable, and Anna can regenerate any individual section if your underlying data changes. The 14-section structure stays; your content is yours to refine. The module keeps an auto-save trail (sub-second debounced), and the DPO attests at export. Art 39 accountability never leaves the human.
What does the Data Protection module actually cover?
Every UK data-protection obligation across 11 tabs: Dashboard, ROPA (Art 30), Lawful Basis & Consent (Art 6/7/9), Data Subject Rights (Art 12–22), Breach Register (Art 33–34), DPIAs (Art 25 & 35), International Transfers (Art 44–49, UK IDTA), PECR & Marketing (reg 6/21/22), Governance & DPO (Art 37–39, 15-policy library, privacy notices, retention schedule, vendor DPAs, training, security), Gap Analysis (30 controls) and Anna AI Report. For FCA-authorised firms, SYSC 3.2.20 governance obligations are baked in.
How does the ICO-accountability Gap Analysis work?
30 baseline controls mapped to the ICO Accountability Framework across 10 pillars: Governance & DPO, ROPA, Lawful Basis & Consent, DSR, Breach, DPIA, Transfers, PECR & Marketing, Training, Retention. Each control has a Met / Partial / Not Met / N/A answer, a regulatory-reference tag (UK GDPR article, DPA 2018 section, PECR regulation, or ICO guidance) and an evidence/notes field. Anna’s “+ Generate remediation plan” produces a prioritised Critical/High/Medium/Low table with owner, specific action and target date.
Are the 15 policy templates included?
Yes. Fifteen Board-ready policy templates: Data Protection Policy, DPO Responsibilities, Breach Procedures, Consent & Withdrawal, Cookie Policy, Privacy & Electronic Communications, Data Retention, Data Erasure, International Transfers, SAR Manual, SAR Form, Confidentiality, CCTV, Cyber Security Risk, and GDPR Communication for Employees. Each anchored to UK GDPR, DPA 2018, PECR, ICO CCTV Code or SYSC 13. Download as .docx, edit in Word, approve on the Board-dated tracker.
Can I customise the DP Health score weights?
Yes. This is a genuine differentiator. The dashboard “+ Customise weights” opens 10 sliders (Governance 18 / DSR 14 / Breach 14 / Lawful Basis 12 / ROPA 10 / DPIA 8 / Transfers 8 / PECR 6 / Retention 6 / Training 4 by default, reflecting ICO enforcement priority). A high-DSR firm can weight DSR to 22; a vendor-heavy firm can push Vendors to 18; a UK-only firm can drop Transfers to 4. The Health score recomputes live. The 60% pillar + 40% checklist composite means a firm can’t self-serve-tick its way to green without meeting the hard ICO minimums.
How does it integrate with the rest of RegTechPRO?
Live cross-module flows: evidence tagged Data Protection surfaces in the Document Library and in the relevant DP register; horizon items from the Horizon Scanning module pre-populate the DP horizon feed (ICO enforcement notices, Dear DPO letters); training completions feed the Training Matrix; the 15 DP policies live in the Policy Library and are pulled into the Governance & DPO tab; DP breach events flow into the platform-wide breach register. One platform, one set of data, one source of truth.
How much does the Data Protection module cost?
£200/month add-on to any RegTechPRO subscription. Every UK firm that processes personal data has obligations under UK GDPR, DPA 2018 and PECR. For FCA-authorised firms, SYSC 3.2.20 adds a regulatory data-protection duty on top. The module replaces outsourced DPO retainers (typically £12k–£30k/year), one-off ICO-readiness consulting engagements and the 15+ DPO days a year spent on the DPO Annual alone. Cancel any time. See regtechpro.co.uk/pricing for the full modular calculator.
Who is this module for?
Any UK firm processing personal data at scale: FCA-regulated firms (where SYSC 3.2.20 applies), firms with a DPO mandate under Art 37, firms relying on an outsourced DPO that want a live platform behind it, and any firm facing ICO audit risk (high DSR volume, past breach, vendor chain exposure, international transfers). DPOs, Heads of Compliance, MLROs with DP responsibility, and compliance consultants running DPO retainers across a client book all use it.
How long does setup take?
Under a day for a small firm. The module ships pre-seeded with all 30 baseline controls, the 10 weighted pillars, the 15-policy library, the ICO DPIA trigger list, the ICO-priority weight defaults, and templates for ROPA, DSR intake, breach triage, DPIA screening and transfer risk assessment. Add your DPO, your firm details, your processors, turn off demo data and begin. No migration project, no consultant needed to “design the framework”.
I’m a compliance consultant. Can I run this across my DPO clients?
Yes. It’s one of the module’s strongest use cases. Each client has its own workspace with its own ROPA, its own DSR log, its own breach register and its own DPO Annual. You run the production line; the firm’s controller retains Art 5(2) accountability. The “All Workflows” aggregated view is read-only by design (cross-client data is never overwritten), and historical data locks so a 2026 DPO Annual stays reproducible when someone asks for it in 2028.
Does Anna ever file reports on my behalf?
No. Anna synthesises and drafts; she never files. The design principle is deliberate: human accountability at the input (your 30-control answers, your register entries, your DPIA narrative), AI efficiency in the middle (the 14-section DPO Annual draft, the ICO Accountability Pack, the Board Quarterly), human sign-off and submission at the output. The DPO keeps Art 39 accountability throughout, and the controller keeps Art 5(2) accountability. Exactly the division of labour the ICO Accountability Framework expects.
What does Anna actually cite when she writes?
UK GDPR (Articles 5 through 49), DPA 2018 (Schedule 1 conditions, Schedule 2 exemptions, Section 10 criminal-offence data), PECR (regs 6, 21, 21A, 22), ICO Accountability Framework, ICO CCTV Code of Practice, ICO Direct Marketing Guidance, ICO DPIA list, FCA SYSC 3.2.20 & 13, MLR 2017 reg 40 (retention), and the UK IDTA + Addendum to the EU SCCs. She also cites your own data: the specific DSR reference, the specific breach ID, the specific DPIA project that underpins each paragraph.
How is Anna’s output grounded in our actual data (not hallucinated)?
Every Anna generation draws from your live Data Protection data — all 13 registers, 11 module-tab statuses, 10 pillar weights, 30-control checklist and every form field — so the output is grounded in what’s actually recorded, not generic AI guesswork. Tables embedded in the report are auto-built from your register entries. When your data changes, the next generated section reflects that change. Generic AI tools (ChatGPT, Gemini, Copilot) can’t replicate this without access to your live compliance data.
What audit trail do ICO inspectors see?
Every register row, section-status change, control answer and form field is timestamped with user and date. The 13 live registers (ROPA, consent, LIA, DSR, breach, DPIA, transfer, vendor DPA, retention schedule, cookie inventory, training, privacy notices, CCTV) each carry their own evidence trail. DPIA archives are tamper-evident and retained for a minimum of 5 years (aligned to FCA 7-year standards). A 2026 DPO Annual stays reproducible in 2028, with source data still matching the sentence.

Your DPO function. As structured software.

The complete UK data-protection operating system: UK GDPR · DPA 2018 · PECR, 13 live registers, 30 ICO-accountability controls, 15-policy library and five Anna-drafted regulator-grade reports including the 14-section DPO Annual. £200/month · One module. Every obligation.

Data Protection module · £200/month · Part of the RegTechPRO platform, trusted by 250+ UK-regulated firms

RegTechPRO

Enterprise-grade FCA compliance made accessible. Built by compliance professionals for UK-regulated firms.

© 2025 RegTechPRO Ltd. All rights reserved.