Is this legal advice?

No. It is a triage screen. DPIAs, lawful-basis decisions and automated-decision analysis need qualified review in context.

What is the difference between a DPIA and automated-decision review?

A DPIA assesses high-risk personal-data processing. Automated-decision review asks whether a decision is solely or significantly automated and what human review or rights apply.

Should we run this before procurement?

Yes. The answers shape vendor questions, data terms, human-review design and whether the system should pass a go-live gate.

Free data protection tool

Screen whether your AI use needs a DPIA or automated-decision review

Where AI touches people, UK GDPR questions arrive quickly. This screener flags whether a DPIA, automated-decision review, human review route or stronger evidence pack is likely to be needed.

Your sector

Governance maturity

Organisation size (optional)

Describe the AI use briefly

Which data protection triggers are present? (choose at least one)

Personal data is processedSpecial-category or children's data is involvedProfiling, scoring or prioritisationDecisions may significantly affect peopleAI output could be acted on without reviewVulnerable people or protected characteristicsA supplier processes or hosts the dataMonitoring staff, customers or service users

What data is involved? (optional)

Personal data of staff or customersSpecial-category data (health, beliefs, biometrics)Data about childrenFinancial or payment data

Choose at least one area to continue.

What the board needs to decide

Is AI making, informing or materially shaping a decision about a person?
Where is human review real, evidenced and available to the affected person?
What lawful basis, transparency and contestability evidence will be kept?

Frequently asked questions

Is this legal advice?: No. It is a triage screen. DPIAs, lawful-basis decisions and automated-decision analysis need qualified review in context.
What is the difference between a DPIA and automated-decision review?: A DPIA assesses high-risk personal-data processing. Automated-decision review asks whether a decision is solely or significantly automated and what human review or rights apply.
Should we run this before procurement?: Yes. The answers shape vendor questions, data terms, human-review design and whether the system should pass a go-live gate.

Find out where your AI exposure sits.

We'll tell you plainly what's worth doing, what isn't, and what a board or regulator will expect to see. No pitch deck.

Book a 15-minute call See what we've built

No obligation · no pitch.