GDPR Review

Technical and documentation review of how your digital product handles personal data.

GDPR (General Data Protection Regulation, 2016/679/EU) governs how personal data is collected, stored, and processed. Criterio reviews the technical and documentation aspects of your digital product — without providing legal advice. You receive a fact-based report to bring to your legal advisor or Data Protection Officer.

What's included in the review

  • Cookie consent and consent mechanism review
  • Identification of tracking scripts and third-party services
  • Privacy policy review against GDPR requirements
  • Article 30 record review (register of processing activities)
  • Review of forms and personal data collection points
  • DPIA support (impact assessment) as needed
  • PDF report with classified findings and GDPR article references

Criterio provides technical and documentation review. The report does not constitute legal advice. Consult your legal advisor or Data Protection Officer for interpretation of legal obligations.

A brief history of GDPR

  • 1973: Sweden passes the world's first national data protection law — Datalagen. A quiet moment in Stockholm that would echo through the internet fifty years later.
  • 1995: The EU adopts Data Protection Directive 95/46/EC — written before Google, before Facebook, before smartphones.
  • 2012: The European Commission proposes a full replacement of the 1995 directive. The digital landscape had changed; the rules needed to catch up.
  • 2016: Regulation 2016/679/EU (GDPR) is adopted. Two years to prepare.
  • 2018: 25 May — GDPR becomes enforceable. The same day, inboxes across the world fill with consent requests.

Did you know?

  • Sweden was actually first — Datalagen (1973) pre-dates the internet as we know it. Modern GDPR is in many ways a pan-European extension of what Sweden started.
  • Maximum fines are €20,000,000 or 4% of global annual turnover — whichever is higher
  • GDPR has inspired data protection reforms in more than 140 countries
  • Article 25 (Privacy by Design) means privacy must be built in from the start — it cannot be added as an afterthought
  • The right to be forgotten (Art. 17) was a new legal concept — before GDPR, no general right to erasure existed in EU law
  • Cookie banners are commonly attributed to GDPR, but the legal basis actually comes from the ePrivacy Directive (2002/58/EC) — often called the "Cookie Law"

How does your site handle personal data?

Start with a free scope assessment. No commitment required.
