Free GDPR Compliance Assessment Tool — Instant Results, No Signup
Run a free GDPR compliance self-assessment in under 5 minutes. Get your instant risk score, Article 83 penalty exposure (up to €20M or 4% of worldwide annual turnover, whichever is higher), lawful basis analysis, and breach notification checklist. No email required.
10 questions
~3 min to complete
€20M / 4% of turnover maximum penalty exposure
$0, free forever
Start Your Free GDPR Assessment
Get your instant GDPR risk score + Article 83 penalty estimate
GDPR applies to more US companies than most realize. If you have EU customers, EU website visitors, EU employees, or run EU-targeted marketing, you are subject to GDPR under Article 3, which protects individuals located in the EU regardless of where your organization is established. EU Data Protection Authorities issued over €1.9 billion in GDPR fines in 2025, and US companies like Meta, LinkedIn, and Amazon have been among the largest targets. ComplianceStack's free GDPR assessment identifies your exposure before a regulator does.
How the Free GDPR Compliance Assessment Works
1. Select Your Profile
Tell us your organization type, data categories, and EU exposure scale; we tailor the questions to your specific GDPR obligations.
2. Answer 10 Questions
Questions cover lawful basis documentation, breach notification procedures, DPO requirements, and cross-border transfer safeguards, all specific to your profile.
3. Get Instant Results
Receive your GDPR risk score, Tier 1/Tier 2 penalty exposure, lawful basis gap analysis, and the top 3 actions to close your most critical gaps.
What the Free GDPR Assessment Covers
10-question risk evaluation: Questions cover Art. 6 lawful basis, Art. 9 special categories, Art. 30 records of processing activities (ROPA), Arts. 33-34 breach notification, Art. 37 DPO criteria, and Arts. 44-49 cross-border transfer requirements.
Article 83 penalty exposure: Instant Tier 1 (up to €10M or 2% of worldwide annual turnover) and Tier 2 (up to €20M or 4% of worldwide annual turnover) calculation based on your profile and data categories; in each tier the higher of the two figures is the ceiling.
Risk score + tier: 0–100 score with Low / Moderate / Elevated / High classification, calibrated against real DPA enforcement data.
Lawful basis gap analysis: See which of the six Art. 6 lawful bases are documented for your processing activities and where the gaps are.
72-hour breach checklist: Understand exactly what Art. 33 notification to the supervisory authority requires: what to include, when the 72-hour clock starts, and when Art. 34 requires telling affected data subjects directly.
Top 3 prioritized actions: The controls that will reduce your GDPR risk most, ranked by regulatory likelihood and enforcement impact.
Free GDPR Assessment vs. Alternatives Compared
| Tool | Free Tier | GDPR Risk Score | Art. 83 Penalty Calc | Lawful Basis Analysis | Breach Checklist | Starting Price |
|---|---|---|---|---|---|---|
| ComplianceStack | ✓ Full assessment | ✓ 10 questions, scored | ✓ Tier 1 + Tier 2 | ✓ Art. 6 gap analysis | ✓ 72-hour window | Free / $49+ |
| CNIL GDPR Compliance Tool | ✓ Free | General checklist | ✗ No | Basic overview | ✗ No | Free (French DPA) |
| OneTrust | ✗ No free tier | ✓ Full assessment | Limited | ✓ Yes | ✓ Yes | $2,000+/mo |
| Sypher.eu | ✓ Free | General scoring | ✗ No | Basic | Limited | Free / €299+ |
| Cyberday.ai | ✓ Free tier | ✓ Scored assessment | ✗ No | Basic | Limited | Free / €60+/mo |
| CookieYes (by Securys) | ✓ Free cookie audit | ✗ No | ✗ No | ✗ No | ✗ No | Free / £79+ |
| Enzuzo | ✓ Free cookie banner | ✗ No | ✗ No | ✗ No | ✗ No | Free / $29+ |
| TrustArc | ✗ No free tier | ✓ Full assessment | Limited | ✓ Yes | ✓ Yes | $10,000+/yr |
When Is the Free Assessment Enough — and When Do You Need More?
You have EU customers or EU-facing web traffic: A free assessment identifies your gaps, but GDPR also requires documented Records of Processing Activities (ROPA) under Art. 30, a privacy notice that meets Arts. 13–14, and appropriate safeguards (Arts. 44–49) for any transfer of personal data outside the EEA. Upgrade to the ComplianceStack GDPR Audit Report ($49–$149).
Your score came back high-risk: A high score without a formal remediation plan means you have a documented gap that a regulator could find first. Use the ComplianceStack 90-Day GDPR Roadmap ($299) to convert findings into an actionable plan.
You process special category data (Art. 9): Health, biometric, political opinion, or genetic data requires explicit consent or another Art. 9(2) exception, in addition to an Art. 6 lawful basis; awareness alone is not enough. A full assessment is the minimum starting point; a formal audit is strongly recommended.
You're preparing for a DPA investigation: A ComplianceStack Evidence Package ($199) gives you documented evidence of compliance, which is what a supervisory authority will ask for when it opens an inquiry.
Frequently Asked Questions
Is there a free GDPR compliance assessment tool I can use online?
Yes. ComplianceStack offers a free online GDPR compliance self-assessment tool requiring no account, no email, and no credit card. The tool covers all six lawful bases under Article 6, cross-border transfer requirements post-Schrems II, data subject rights obligations (Arts. 15–22), DPO appointment criteria, and Article 83 penalty exposure (Tier 1: up to €10M or 2% of worldwide annual turnover; Tier 2: up to €20M or 4%; in each tier the higher figure applies). Results are computed in-browser in under 5 minutes. Available at compliancestack.ai/gdpr-assessment.
Does GDPR apply to US companies operating online?
Yes. GDPR has extraterritorial scope under Article 3. It applies to any organization offering goods or services to individuals in the EU, or monitoring their behavior within the EU, regardless of where the organization is established or whether it charges for those goods or services. US companies with EU customers, EU website visitors, EU employees, or EU-targeted marketing are subject to GDPR. EU Data Protection Authorities have issued record fines against US companies: Meta €1.2B (2023), LinkedIn €310M (2024), Amazon €746M (2021).
What are the GDPR penalty amounts for violations?
GDPR has two tiers under Article 83. Tier 1 (Art. 83(4)): up to €10M or 2% of worldwide annual turnover for the preceding financial year, for breaches of controller and processor obligations such as security measures, breach notification, records of processing, and DPO appointment. Tier 2 (Art. 83(5)): up to €20M or 4% of worldwide annual turnover, for breaches of the processing principles, the conditions for consent, data subject rights, international transfer restrictions, and for non-compliance with a supervisory authority's order. In both tiers, whichever of the absolute and percentage values is higher applies. Largest fines: Meta €1.2B, Amazon €746M, Instagram €405M.
What is the 72-hour GDPR breach notification requirement?
Under Article 33, controllers must notify their supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include: the nature of the breach, the categories and approximate number of data subjects and records concerned, the contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. If not all of this is available at once, it may be provided in phases (Art. 33(4)), and a notification made after 72 hours must state the reasons for the delay. Every breach, notified or not, must be documented internally (Art. 33(5)) so the DPA can verify compliance. Article 34 requires direct communication to affected data subjects, without undue delay, when the breach is likely to result in a high risk to them. Missing the 72-hour window without a documented reason is itself a Tier 1 violation, separate from the underlying incident.
What are the six lawful bases for processing under GDPR?
Article 6 establishes: (1) Consent, which must be freely given, specific, informed, and unambiguous; (2) Contract, where processing is necessary for a contract with the data subject or for pre-contractual steps at their request; (3) Legal obligation, where processing is necessary to comply with EU or member state law; (4) Vital interests, where processing is necessary to protect someone's life; (5) Public task, where processing is necessary for a task in the public interest or in the exercise of official authority; (6) Legitimate interests, where processing is necessary for the controller's or a third party's legitimate interests and those interests are not overridden by the data subject's interests or fundamental rights (this basis is not available to public authorities performing their tasks). You must identify and document your lawful basis before processing begins, and switching bases later is difficult to justify. For special category data (Art. 9), an Art. 6 basis alone is not enough: explicit consent or another Art. 9(2) exception is also required.
When does a company need to appoint a Data Protection Officer (DPO)?
Article 37 requires a DPO when: (a) the processing is carried out by a public authority or body; (b) your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (c) your core activities consist of large-scale processing of special category data (Art. 9) or data relating to criminal convictions and offences (Art. 10). Member state law may impose the requirement more widely. Even when not strictly required, a DPO is strongly recommended for any organization processing EU data at scale.
Start Your Free GDPR Compliance Assessment
10 questions. Instant results. No signup. See your GDPR risk score, Article 83 penalty exposure, and top 3 actions — all in under 5 minutes.