Data Protection | RegTechPRO | When the ICO calls, you have every answer ready
DATA PROTECTION · ANNA AI POWERED · UK GDPR · DPA 2018 · PECR · SYSC 3.2.20

When the ICO calls, you have every answer ready.

13 live registers, a 30-control ICO checklist and 6 Anna report formats — drafted from your real data in 60 seconds. Article 5(2) accountability, evidenced not assumed.

Trusted by 250+ UK-regulated firms · Built by compliance professionals to make your life easier.

13 Live Registers
30 ICO Accountability Controls
72-Hour Breach Clock
30-Day DSR SLA
6 Anna Report Formats
Article 5(2) Accountability
The Problem

When the ICO calls, this won't hold up.

ROPA in a spreadsheet, SARs in an inbox, breach log in SharePoint, DPIAs with a consultant. That's most UK firms — and one ICO letter away from a bad month.

ROPA in a spreadsheet. SARs in your inbox.

ROPA, DSR log, breach register, DPIAs, vendor DPAs, retention, consent — every UK GDPR Art 30 / 15 / 33 obligation scattered across uncontrolled workbooks. When the ICO asks for your accountability trail, you're hunting through file versions and email threads.

ROPA_2026_v9_FINAL.xlsx
SAR_Tracker_Q3.xlsx
Breach_Register_LIVE.xlsx

Outsourced DPO. Still your accountability.

You can outsource the DPO role. You can't outsource UK GDPR Art 5(2). The firm stays controller. You still sign the DPO Annual, you still face the ICO in an audit, and the consultant still hands you back a Word doc every December that's half template and half last year's version.

Outsourced DPO retainer · Annual
Data Protection audit · One-off
Policy pack refresh · Ad hoc

ICO breach clock: 72 hours.

UK GDPR Art 33 gives you 72 hours from awareness to notify the ICO of a personal data breach. Art 34 requires notification to affected data subjects without undue delay for high-risk breaches. If your response still starts with “who do we tell, and when?”, you're already behind.

72 hrs
ICO breach notification deadline.

The Annual Data Protection Report: 5 days you don't have.

A regulator-grade 14-section annual report (UK GDPR Art 39) takes 3–5 days to write from scratch. Board quarterly. ICO accountability pack. DPIA sign-offs. Training matrices. Retention reviews. The evidence the ICO expects never stops arriving — and it's all due at once.

DPO Annual (Art 39)
ICO Accountability Pack
Board DP Quarterly

If your data protection workflow currently lives in spreadsheets, an inbox and the fortnight before the ICO comes asking — the operating system below is for you.

Features

Every answer ready. When the ICO calls.

Three differentiators, nine capabilities, one module — UK GDPR, DPA 2018 and PECR, live and provable to the ICO in seconds.

Three ideas no privacy-policy template can match.

Most data protection tools are a Word-doc privacy policy and a vague DSAR inbox. This is the operating system that holds up to ICO scrutiny — built around live data, evidenced not assumed.

The 72-hour breach clock that auto-runs.

Declare a breach and the live Art 33 ICO countdown starts — timestamped, attributed log; debrief and lessons captured on close; near-miss entry auto-created. Same shape as the 4-hour FCA window, built for the moment that matters.

✗ Word doc: nobody opens it in hour 0
✓ This module: live timer, attributed log, signable PDF
UK GDPR Art 33 · DPA 2018

6 Anna report formats, including a mock ICO audit dry-run.

One data set, six audiences — DPO Annual, Board Quarterly, ICO Accountability Pack, Executive Summary, Comprehensive Hybrid, and an ICO Audit Dry-Run where Anna role-plays the regulator. All from your live registers. No re-keying, no drift.

✗ Other tools: one generic privacy report
✓ This module: 6 formats, ICO-defensible
6 formats · ICO-cited · Board-ready

Central Evidence Register. Single source of truth.

Every uploaded artefact links into the surfaces that depend on it — fields, register rows, controls, breaches, DSRs, DPIAs, dry-run questions. Locked years are read-only. Article 5(2) accountability stops being a claim and becomes a click-through trail. "Show me the evidence" gets a link, not a hunt.

✗ Today: evidence in 4 different SharePoint folders
✓ This module: one register, every link, year-locked
Article 5(2) · Year-locked

Nine capabilities turn this into the system you run data protection from.

Built for the ICO investigation that hasn't happened yet, the breach you haven't had yet, and the board paper due Friday. Every capability ships in the module. No tier gate, no add-ons.

1. Capture: Every register live, every entry attested, every artefact linked.
13 live registers

ROPA, DSR, breach, near-miss, DPIA, transfer, consent, LIA, retention, vendor DPA, cookie, marketing list, CCTV. Each row CRUD, each entry dated, each evidenced. CSV export per register. The "one register, every obligation" the ICO expects.

Article 30 · Article 5(2)
Central Evidence Register

Every artefact uploaded once and linked into every surface that depends on it — register rows, controls, breaches, DSRs, DPIAs. Locked years read-only. "Show me the evidence" is a click, not a four-folder hunt.

Single source of truth
Multi-year persistence + lock

Auto-locks on 1 January with an audit-trail entry. Unlock requires a captured email and a free-text reason; both written to the audit log and surfaced in the Unlock History popup. Reproducible 3 years later when the ICO revisits.

Audit-trailed · Year-locked
2. Run: When the breach hits, the DSR lands, the auditor knocks.
72-hour breach clock

Declare a breach, the Article 33 ICO-notification countdown starts. Live timer per active incident, attributed log entries, debrief + lessons + ICO-notified flag captured on close. Auto-rolls a near-miss register entry. The 03:00 surface, ready.

UK GDPR Art 33 · Live timer
30-day DSR SLA tracker

Every Data Subject Right request — access, erasure, rectification, portability, objection, restriction — tracked against the 1-month Article 12 deadline. Owners named, evidence attached, tipping-points flagged before they become a complaint to the ICO.

UK GDPR Art 12 · SLA-tracked
30-control ICO Accountability checklist

Every control cited to the specific UK GDPR / DPA 2018 / PECR article it satisfies. None / Partial / Met scoring. Linked evidence. Pass or fail — no grey zone, no opinion. The list the ICO would build if they had the time.

Article 5(2) · 30 controls
3. Report: From live data to signable PDF in 60 seconds.
6 Anna report formats

DPO Annual Report · Board Quarterly · ICO Accountability Pack · Executive Summary · ICO Audit Dry-Run · Comprehensive Hybrid. Same data, six audiences. Pre-calculated score injected as a non-negotiable constraint — no LLM arithmetic drift.

6 formats · One data set
Anna Gap Analysis by article

UK GDPR audit on demand. Anna walks every relevant article — lawful basis, transparency, rights, security, breach, DPIA, transfers — and grades your live record against each. Identifies the gap, names the remediation, and dates the action.

Article-by-article
10-pillar Health Score

60% weighted pillars + 40% checklist. Editable weights so a high-marketing firm can prioritise PECR & consent, a vendor-heavy firm can prioritise transfers + DPAs. The score the board reads at a glance, defensible to a line-by-line audit trail.

Editable pillars · 60/40

Every UK GDPR obligation. One module.

10 weighted pillars feeding the 60/40 Health Score, 30 ICO Accountability controls cited to specific articles, 13 live registers, 6 Anna report formats including a mock ICO audit dry-run.

13 Live registers
30 ICO Accountability controls
10 Weighted pillars
6 Anna report formats
15 Policy library
Accountability & Governance Art 5(2) · 24
ROPA Art 30
Lawful Basis & Consent Art 6 · 7 · 9
Data Subject Rights Art 12–22
Breach Management Art 33 · 34
DPIAs Art 35 · 36
International Transfers Ch V · IDTA · SCCs
PECR & Marketing PECR · DPA 2018
Vendor / Processor Oversight Art 28
Plus: Central Evidence Register linking every artefact to its dependent surface · Anna Gap Analysis walking every UK GDPR article · multi-year persistence with audit-trailed year-lock · 15-policy library · SYSC 3.2.20 SM&CR data-protection accountability captured in Governance & DPO.

Enterprise quality. SME pricing.

From £250/month · No tier gate. No add-ons. No setup fee.

The Solution

Every UK GDPR obligation. In one screen.

One living record across every UK GDPR area — 13 registers, a 30-control ICO checklist, a 15-policy library and a 10-pillar Health score — all feeding Anna's six regulator-grade reports.

Data Protection dashboard: health score, 10 pillar RAG breakdown, accountability checklist, upcoming review dates

The 30-second DPO view: composite Health score, 10 weighted pillars with RAG bars, your ICO checklist position, and every DPIA, DSR and review due. Click any tile to drill in; lock the year for sign-off with a full attestor trail.

Data Protection checklists: ICO Accountability Framework controls with status, owner and evidence

The ICO Accountability Framework, broken into discrete controls. Each one has a status, an owner, an evidence link and a review date. Tick the boxes the regulator actually expects to see — not a blank policy promise.

Record of Processing Activities under UK GDPR Article 30: purposes, lawful basis, recipients, retention, transfers

Your Art 30 ROPA, structured as the ICO inspects it — purposes, data categories, lawful basis, recipients, retention and transfers, every activity in one exportable register. Each row links to its Art 6/7/9 lawful basis and LIA.

Data Subject Rights register: Art 15-22 requests, 1-month SLA, identity verification, DPA 2018 exemption review

A dedicated view for every UK GDPR Art 15–22 request, with ID verification, scope assessment and DPO sign-off tracked against the 1-month clock (auto-escalation at Day 21 and 28). Cross-linked to the data subject, the ROPA activity and the evidence library.

Personal data breach record: 72-hour ICO notification workflow, Art 34 subject communication, risk assessment

The 72-hour breach workflow, end to end. Log the incident, assess risk to subjects, notify the ICO within 72 hours under Article 33, communicate to subjects under Article 34 where required, capture remediation. Every breach with a full evidence trail.

Data Protection Impact Assessments: necessity, proportionality, risk to subjects, mitigations, sign-off

DPIAs the way Article 35 asks for them. Necessity and proportionality, risk to subjects with likelihood and severity scoring, mitigations, residual risk, DPO advice and sign-off. Triggered automatically when a new processing activity meets the threshold.

International data transfers: adequacy, IDTA, UK Addendum, Transfer Risk Assessments

Every cross-border transfer, with the right Chapter V mechanism attached. Adequacy decisions, the UK IDTA, the Addendum to the EU SCCs, BCRs — plus the Transfer Risk Assessment that the ICO expects alongside them. Recipient, country, mechanism, status.

PECR and direct marketing: cookie inventory, email/SMS opt-in, soft opt-in, TPS/CTPS suppression, CLI

The full PECR & direct-marketing surface, tied into your data protection programme: cookie inventory (reg 6), email/SMS opt-in (reg 22), soft opt-in, phone marketing (reg 21) with TPS/CTPS suppression, and ICO Direct Marketing Code alignment.

Data protection governance: DPO appointment, accountability, training matrix, policy reviews

The governance layer the ICO and the Board both want to see. DPO appointment and reporting line, accountability ownership across the firm, training matrix completion, policy review cycle — the evidence that data protection is run, not just written down.

Anna AI Gap Analysis and Remediation Plan against UK GDPR and the ICO Accountability Framework

Anna reads your registers, checklists and policies, benchmarks them against UK GDPR and the ICO Accountability Framework, and writes a Gap Analysis with a prioritised Remediation Plan — owner, action, deadline, regulatory cite. Not a generic template; your firm.

Anna AI DPO Annual Report under UK GDPR Article 39, drafted from live registers

The DPO Annual Report under UK GDPR Article 39, drafted by Anna from your live data. ROPA from the register, DSRs from the request log, breaches by incident ID, DPIAs by project, transfers by recipient, training from the matrix. Export to PDF, sign, file.

Data Protection module in dark mode

Dark mode on every screen. Same data, same controls, easier on the eyes for long DPO sessions. One toggle, applied platform-wide.

The Annual Data Protection Report

Drafted by Anna. Attested by your named accountable owner.

The UK GDPR Art 39-aligned annual report the ICO expects in an accountability audit. Drawn from your live ROPA, DSR register, breach log, DPIA archive and transfer register, with every claim mapped to UK GDPR, DPA 2018, PECR and SYSC 3.2.20. Three days of drafting collapsed to a 60-second click.

Every section. Every UK data protection anchor.

Anna drafts all 14 sections of the Art 39 DPO Annual from your 13 live registers — each section cited to UK GDPR, DPA 2018, PECR, ICO guidance or FCA SYSC, so the ICO can trace every claim to source.

14 Sections drafted
30 Baseline controls tested
13 Live registers feeding Anna
~30s To full draft

  1. Executive Summary & DPO Confirmation · Art 39
  2. The DPO Function & Independence · Art 37–38
  3. Accountability & Governance · Art 5(2) / 24
  4. Records of Processing (ROPA) · Art 30
  5. Lawful Basis & Consent · Art 6 / 7 / 9
  6. Data Subject Rights · Art 12–22
  7. Personal Data Breaches · Art 33–34
  8. DPIAs & Privacy by Design · Art 25 / 35
  9. International Transfers · Art 44–49
  10. PECR & Direct Marketing · PECR 6 / 21 / 22
  11. Training & Awareness · Art 39(1)(b)
  12. Security & Processor Oversight · Art 28 / 32
  13. Regulatory Engagement · ICO Accountability
  14. Conclusions & Forward Plan · SYSC 3.2.20

ICO Accountability · live DSR & breach register

Every data subject request. Every breach. Timestamped.

Every ICO audit asks for two things: your DSR log and your breach register. Here they are — Art 15 requests on the 1-month SLA, breaches against the 72-hour clock, all cross-referenced to the data subject and retained.

| Raised by | Request / incident | Date raised | Status |
| --- | --- | --- | --- |
| Amina Okonkwo (DPO Admin · DSR desk) | Art 15 SAR: former customer requesting full data export, call recordings and complaint correspondence. ID verified; scope confirmed; 28 days remaining. | Mar 24, 2026 | In progress |
| Rajesh Iyer (Head of IT · 2LoD) | Personal data breach: misdirected email with 42 customer records to wrong distribution list. Recalled in 14 min; risk assessed low; ICO not notifiable but logged under Art 33(5). | Mar 12, 2026 | Documented |
| Helena Brandt (Vendor Manager · 2LoD) | Processor breach notification (Art 33(2)): marketing vendor confirmed unauthorised access to a mailing list. ICO notified within 72 hrs; data subjects contacted under Art 34. | Feb 27, 2026 | ICO notified |
| Daniel Acheampong (Deputy DPO · DPO cover) | Art 17 erasure request: employee-of-applicant seeking removal of CV and interview notes. Legitimate interest balance assessed; partial erasure actioned; log retained. | Feb 14, 2026 | Resolved |
| Priya Narayanan (DPO · SMF3 accountability) | DPIA approved: new customer-onboarding ML model (credit risk scoring). Residual risk low, Art 22 safeguards in place, annual review scheduled, ICO consultation not required. | Jan 30, 2026 | DPO signed |

Three named attestors. Year-locked. One ICO audit trail.

Art 5(2) makes the controller accountable, not a committee. The DPO (Art 37–39), the senior manager for data protection and the CEO each attest; locking makes the year read-only. Unlocking is logged with attestor email, timestamp and reason — so the ICO sees who signed, who reopened, and why.

  • DPO · Art 37–39: Priya Narayanan, Data Protection Officer. Signed Mar 27, 2026
  • SMF3 · Chief Compliance: Jennifer Okafor, Chief Compliance Officer. Signed Mar 28, 2026
  • SMF1 · Chief Executive: Shivani Patel, Chief Executive Officer. Signed Mar 29, 2026

Year locked · 2026 · Mar 29, 17:08 GMT · Audit history live

Read-only. Source-matched to 13 live registers. Every lock and unlock event captured with attestor email, timestamp and reason. Reproducible across the full ICO accountability retention horizon.

Anna AI for Data Protection

Your Annual Data Protection Report and ICO Accountability Pack in 60 seconds.

Trained on UK GDPR, DPA 2018, PECR, the ICO frameworks and FCA SYSC 3.2.20, Anna answers DSR, breach, DPIA, consent and transfer questions in seconds — cited to article — and drafts all six DPO report formats from your live registers.

Anna, RegTechPRO's AI Compliance Assistant
Hi, I'm Anna!
DPO-GRADE · UK GDPR · DPA 2018 · PECR TRAINED

Your DPO’s data protection research desk and 14-section report author, in one.

Anna does two things. First, she answers any DSR, breach, DPIA, consent, transfer or PECR question — cited to article. Second, she drafts the 14-section DPO Annual Report (and five more regulator-grade formats) from your live registers, naming your actual DSRs, breaches and DPIAs.

  • Answers UK GDPR, DPA 2018, PECR and ICO Accountability queries with article citations
  • Drafts the 14-section DPO Annual Report (Art 39) in minutes, not days
  • Grounded in your 13 registers: ROPA, DSRs, breaches, DPIAs, transfers, consent, vendors, training
  • Never reports for you. DPO keeps Art 39 accountability at input and sign-off
Your DPO research desk

Ask Anna any data-protection question. Get an article-cited answer.

“Can we rely on legitimate interests for this new processing?” “Is this breach Art 34-notifiable to the data subjects?” “Do we need a DPIA for this marketing campaign?” Anna answers from UK GDPR, DPA 2018, PECR, ICO guidance and your live data-protection data, in seconds, with citations.

  • UK GDPR, DPA 2018, PECR, ICO Accountability Framework grounded
  • Cites article, regulation & your own registers
  • Reads your 13 live registers (ROPA, DSR, breach, DPIA, transfer…)
  • Available across every DP tab
Anna AI
Online · AI Compliance Advisor
We’ve just discovered a misdirected email with 230 customer records went to an external distribution list. What do we do in the next 72 hours?

Treat as a live personal data breach. UK GDPR Art 33 gives you 72 hours from awareness. Four immediate steps:

  • Contain. Recall the email, ask external recipients to delete and confirm in writing. Log the awareness-time on the incident record (Art 33(1)).
  • Assess risk. Apply the ICO severity methodology: data categories, volume, identifiability, consequences for affected individuals.
  • Notify the ICO within 72 hrs. If likely to result in risk, notify under Art 33(3). If not, document the reasoning under Art 33(5).
  • Notify data subjects. If risk is high, issue Art 34 communication without undue delay using the pre-drafted template.

Your Breach Register has no similar incident in the last 12 months. I’ve drafted the ICO notification and the Art 34 data-subject letter for your DPO review.

Drawn from: UK GDPR Art 33 / 34 · ICO Breach Guidance · Your Breach Register

ICO-audit-ready the moment they call.

Anna writes the 14-section DPO Annual from your live registers, produces the ICO Accountability Pack and the Board Quarterly on demand, and answers any DSR, breach or DPIA question your team asks, cited to article. See her draft your DPO Annual in a live demo.

What Our Clients Say

When the ICO called, they had every answer ready.

From DPOs to Heads of Compliance: how firms are replacing outsourced DPO retainers and spreadsheet ROPAs with a single live data-protection operating system.

5.0

I used to spend the first week of every year writing the DPO Annual from scratch — flicking between the ROPA workbook, the DSR tracker, the breach log and a dozen emails. Now Anna drafts all 14 sections from our live registers and I sign it. I answer an ICO auditor in 30 seconds, not 30 minutes.

Robert Thompson, Data Protection Officer, Payments & E-Money Firm
4.7

We used to rely on an outsourced DPO function that produced a Word doc every December. I trialled the Data Protection module against our existing data, did the 30-control Gap Analysis in an afternoon, and Anna drafted a better DPO Annual than the consultant had ever delivered. The DSR and breach registers alone are worth the subscription.

Priya Sharma, Head of Compliance, Wealth Manager
FAQs

Data Protection module, questions answered

Everything you need to know about the DPO workflow, Anna’s 14-section report, the Gap Analysis, and how the module sits inside UK GDPR, DPA 2018 and PECR.

Does Anna really draft the whole 14-section DPO Annual Report?
Yes — all 14 sections of the Art 39 DPO Annual, drafted from your live data and naming your actual DSRs, breaches and DPIA projects (never placeholders). You review, edit, sign and export. The 3–5 days a DPO would spend, done in minutes.
Which other regulator-grade reports can Anna produce?
Six formats in total from the same dataset: (1) DPO Annual Report (Art 39), (2) Board Quarterly Pack (5-section exception report), (3) ICO Accountability / Audit Response Pack (8 sections, aligned to the ICO Accountability Framework), (4) Executive Summary (1–2 pages), (5) ICO Accountability Audit Dry-Run (Anna role-plays the ICO auditor and interviews you), and (6) Comprehensive Hybrid. Per-section regenerate means you can refine just the DSR section when a new request lands, without rewriting the whole report. Every generation is constrained to the data provided — Anna does not invent examples or fill gaps with generic content.
Is it mapped to UK GDPR, DPA 2018, PECR and ICO guidance?
Every section, explicitly. DPO function maps to Art 37–39; ROPA to Art 30; Lawful Basis to Art 6, 7, 9; DSRs to Art 12–22 and DPA 2018 Sch 2 exemptions; Breaches to Art 33–34 and ICO breach guidance; DPIAs to Art 25 & 35 and the ICO DPIA list; Transfers to Art 44–49, the UK IDTA and ICO TRA methodology; PECR to reg 6 (cookies), 21 (calls), 22 (email/SMS); Security to Art 28 & 32 and SYSC 3.2.20. Each accordion field carries its own article-reference tag.
Can we edit the draft before the DPO signs it off?
Yes. Every section is editable, and Anna can regenerate any individual section if your underlying data changes. The 14-section structure stays; your content is yours to refine. Every change is auto-saved, and the DPO attests at export. Art 39 accountability never leaves the human.
What does the Data Protection module actually cover?
Every UK data-protection obligation in one module — the 30-control ICO checklist, ROPA (Art 30), lawful basis & consent (Art 6/7/9), DSR (Art 12–22, 1-month SLA), breach (Art 33–34, 72-hour clock), DPIAs, international transfers, PECR & marketing, and Governance & DPO (15-policy library, retention, vendor DPAs, training). Evidence cross-links every register; each year locks for sign-off. SYSC 3.2.20 is baked in for FCA firms.
How does the ICO-accountability Gap Analysis work?
30 baseline controls mapped to the ICO Accountability Framework across 10 pillars: Governance & DPO, ROPA, Lawful Basis & Consent, DSR, Breach, DPIA, Transfers, PECR & Marketing, Training, Retention. Each control has a Met / Partial / Not Met / N/A answer, a regulatory-reference tag (UK GDPR article, DPA 2018 section, PECR regulation, or ICO guidance) and an evidence/notes field. Anna’s “+ Generate remediation plan” produces a prioritised Critical/High/Medium/Low table with owner, specific action and target date.
Are the 15 policy templates included?
Yes. Fifteen Board-ready policy templates: Data Protection Policy, DPO Responsibilities, Breach Procedures, Consent & Withdrawal, Cookie Policy, Privacy & Electronic Communications, Data Retention, Data Erasure, International Transfers, SAR Manual, SAR Form, Confidentiality, CCTV, Cyber Security Risk, and GDPR Communication for Employees. Each anchored to UK GDPR, DPA 2018, PECR, ICO CCTV Code or SYSC 13. Download as .docx, edit in Word, approve on the Board-dated tracker.
Can I customise the DP Health score weights?
Yes — a genuine differentiator. “+ Customise weights” opens 10 sliders (ICO-priority defaults) so a high-DSR firm can weight DSR up, a vendor-heavy firm can weight vendors up, and a UK-only firm can drop transfers. The Health score recomputes live, and the 60/40 pillar-plus-checklist composite means a firm can’t tick its way to green without meeting the hard ICO minimums.
How does it integrate with the rest of RegTechPRO?
Live cross-module flows: evidence tagged Data Protection surfaces in the Document Library and in the relevant DP register; horizon items from the Horizon Scanning module pre-populate the DP horizon feed (ICO enforcement notices, Dear DPO letters); training completions feed the Training Matrix; the 15 DP policies live in the Policy Library and are pulled into the Governance & DPO tab; DP breach events flow into the platform-wide breach register. One platform, one set of data, one source of truth.
How much does the Data Protection module cost?
From £250/month. Every UK firm that processes personal data has obligations under UK GDPR, DPA 2018 and PECR. For FCA-authorised firms, SYSC 3.2.20 adds a regulatory data-protection duty on top. See regtechpro.co.uk/pricing for the full modular calculator.
Who is this module for?
Any UK firm processing personal data at scale: FCA-regulated firms (where SYSC 3.2.20 applies), firms with a DPO mandate under Art 37, firms relying on an outsourced DPO that want a live platform behind it, and any firm facing ICO audit risk (high DSR volume, past breach, vendor chain exposure, international transfers). DPOs, Heads of Compliance, MLROs with DP responsibility, and compliance consultants running DPO retainers across a client book all use it.
How long does setup take?
Under a day for a small firm. The module ships pre-seeded with all 30 baseline controls, the 10 weighted pillars, the 15-policy library, the ICO DPIA trigger list, the ICO-priority weight defaults, and templates for ROPA, DSR intake, breach triage, DPIA screening and transfer risk assessment. Add your DPO, your firm details, your processors, turn off demo data and begin. No migration project, no framework to design from scratch.
I’m a compliance consultant. Can I run this across my DPO clients?
Yes. It’s one of the module’s strongest use cases. Each client has its own workspace with its own ROPA, its own DSR log, its own breach register and its own DPO Annual. You run the production line; the firm’s controller retains Art 5(2) accountability. The “All Workflows” aggregated view is read-only by design (cross-client data is never overwritten), and historical data locks so a 2026 DPO Annual stays reproducible when someone asks for it in 2028.
Does Anna ever file reports on my behalf?
No. Anna synthesises and drafts; she never files. The design principle is deliberate: human accountability at the input (your 30-control answers, your register entries, your DPIA narrative), AI efficiency in the middle (the 14-section DPO Annual draft, the ICO Accountability Pack, the Board Quarterly), human sign-off and submission at the output. The DPO keeps Art 39 accountability throughout, and the controller keeps Art 5(2) accountability. Exactly the division of labour the ICO Accountability Framework expects.
What does Anna actually cite when she writes?
UK GDPR (Articles 5 through 49), DPA 2018 (Schedule 1 conditions, Schedule 2 exemptions, Section 10 criminal-offence data), PECR (regs 6, 21, 21A, 22), ICO Accountability Framework, ICO CCTV Code of Practice, ICO Direct Marketing Guidance, ICO DPIA list, FCA SYSC 3.2.20 & 13, MLR 2017 reg 40 (retention), and the UK IDTA + Addendum to the EU SCCs. She also cites your own data: the specific DSR reference, the specific breach ID, the specific DPIA project that underpins each paragraph.
How is Anna’s output grounded in our actual data (not hallucinated)?
Every Anna generation draws from your live data — your registers, pillar scores, the 30-control checklist and everything you’ve recorded — so the output reflects what’s actually on file, not generic AI guesswork. Tables in the report are auto-built from your register entries, and when your data changes, the next generated section reflects it. Generic AI tools (ChatGPT, Gemini, Copilot) can’t do this without access to your live compliance data.
What audit trail do ICO inspectors see?
Every register entry, status change and control answer is timestamped with user and date, and each of the 13 live registers carries its own evidence trail in a central Evidence library. Each year locks once sign-off is complete, with a year-lock history recording every lock and unlock — attestor email, timestamp and reason — so an ICO inspector sees exactly who signed and who reopened the year. DPIA archives are tamper-evident and retained for a minimum 5 years; a 2026 DPO Annual stays reproducible in 2028, source data still matching the sentence.

Book a 30-min consultation

Pick a date and time to discuss how RegTechPRO can help you meet your compliance obligations and prove it in just a few clicks.

RegTechPRO

Enterprise-grade FCA compliance made accessible. Built by compliance professionals for UK-regulated firms.

ICO Registered
UK Based


© 2025 RegTechPRO Ltd. All rights reserved.
