GDPRLedger is a structured compliance programme for SMEs. Work through 54 guided tasks, upload your evidence, and generate a SHA-256 tamper-evident audit pack — the documented proof that your organisation took GDPR seriously.
GDPRLedger doesn't do the work for you — it governs the proof that you did it.
Answer 42 questions about your organisation. GDPRLedger identifies your priority areas and sequences your compliance programme accordingly.
Each task shows you the statutory requirement in plain English, a checklist of what your evidence must include, and an illustrative example — not a template, but a model to work from.
Upload your document. The Document Structure Scan cross-references it against the statutory checklist and flags which elements are present, partial, or not yet addressed.
A SHA-256 tamper-evident export captures your entire governance record — tasks completed, evidence uploaded, timestamps — in a format you can share with auditors, clients, or regulators.
Not legal advice · Governance activity record only · Practitioner review recommended for complex situations
Standard helps you complete and record a structured GDPR governance programme for your own organisation. Pro extends that programme for regulated professional-services firms operating across GDPR, AML, and processor obligations.
Professional services firms don't just hold their own data — they hold their clients' data, their clients' clients' data, and sensitive AML records with statutory retention obligations that actively conflict with GDPR. That's a categorically different compliance posture.
You determine the purposes and means of processing your own operational data — customer records, staff data, marketing, suppliers. GDPR's full framework applies in its general form.
You control your own data, process your clients' data as their processor, and operate under MLR 2017 / POCA 2002 which impose AML obligations that directly conflict with GDPR's erasure and storage limitation principles.
The 33 additional tasks are the foundation. These are the structural features that make Pro a categorically different product — not just more tasks.
Standard produces one evidence pack: a governed record of your firm's GDPR governance programme. Pro produces two. The second is a sanitised client-shareable processor governance pack — a structured, time-stamped record of how your firm governs client data, built from the sector-specific programme you've completed. It can support onboarding discussions, tender responses, and client due-diligence requests, though controllers must still conduct their own Article 28 assessments. Standard can't produce this because it has no sector context. Pro produces it as a natural output of completing the programme.
Pro only
Standard's AI document scan cross-references your documents against the GDPR structural checklist. Pro runs a second pass against the MLR 2017 framework simultaneously. A CDD policy gets scanned against both: are the GDPR lawful basis elements identified and the MLR 2017 Reg. 40 retention elements identified? Two statutory checklists. One submission. Two independent checklist outputs showing which elements were identified, partially identified, or not identified. Standard physically cannot do this — it has no MLR context.
Pro only
Pro produces a regulatory disclosure matrix: every mandatory report and disclosure your firm must make, to whom, triggered by what, within what timeframe, with named responsible persons. HMRC, NCA, ICO, ICAEW, FCA. Not a static document filed as evidence — an operational tool your compliance team actually uses. Standard produces no equivalent because a general SME doesn't face multi-regulator mandatory reporting obligations.
Pro only
When a DSAR lands from someone who is the subject of a SAR filed with the NCA, responding fully risks the criminal offence of tipping off under POCA 2002 s.333A. Pro includes a documented workflow for handling this higher-risk scenario: SAR log check on receipt of every DSAR, MLRO escalation, selective withholding basis (DPA 2018 Sch. 2 Para 2), and a structured response record. Because these situations are highly fact-sensitive, qualified legal or MLRO review may still be required — but Pro ensures the firm has a documented procedure rather than no procedure at all. Standard's DSAR procedure has no awareness of this conflict.
Pro only
Standard re-validation is a lightweight annual refresh: confirm nothing material changed, re-sign. Pro re-attestation triggers a structured annual review: AML records approaching the 5-year destruction point are identified and destruction is authorised and logged; closed client matters trigger retention schedule review; DPO annual review is conducted; the regulatory matrix is checked against any regulatory changes; role-specific training completion is verified. This is an annual governance cycle, not a checkbox. It justifies a separate re-attestation price.
Pro only
An accountancy firm that completes GDPRLedger Pro holds a governed, attested record of its own data governance programme. When it advises SME clients on GDPR, it has a natural referral path: GDPRLedger Standard for the client. The Pro firm's governance record demonstrates that it runs a serious, documented programme — the Standard referral is the commercial event. Pro firms can join the partner programme and earn 20–25% recurring commission on every client they refer — turning their own governance spend into a revenue stream.
Pro + Partner
The second pack is a client-shareable governance summary for onboarding, due diligence, and tender support. Pro produces it as a natural output of completing the programme — a structured governance record your firm can share.
"We don't do the work. We govern the proof the work was done."
GovProtocol · GDPRLedger
When you submit a document, Pro cross-references it against both the GDPR structural checklist and the MLR 2017 checklist. One submission. Two independent outputs showing which elements were identified, partially identified, or not identified. Neither is legal advice — both are governed evidence of what your document contains.
No subscription. No monthly fee. Pay once, complete the programme, own your evidence pack forever. Annual re-validation available when your obligations cycle.
Designed primarily for SMEs and professional services organisations with customers, a website, or staff
For accountancy and similar AML-regulated professional-services firms
Join the partner programme. Complete GDPRLedger Pro for your own firm — then refer your SME clients to Standard and earn 20–25% recurring commission on every re-validation. You're already in the room when the compliance conversation happens.
For questions about your programme, account access, billing, or technical issues, contact us by email. We aim to respond within two business days.
Email: [email protected]
Company: PERTHEO LIMITED, Cyprus (HE 385082)
GDPRLedger is a digital access product. Because access to the programme is granted immediately on payment, we do not offer refunds once your account has been activated and you have accessed the programme.
If you experience a technical issue that prevents you accessing the programme, contact us within 14 days of purchase and we will investigate and remedy the issue or, where a remedy is not possible, issue a full refund.
To raise a dispute, email [email protected] with your order reference. We will respond within five business days. EU consumers also have access to the EU Online Dispute Resolution platform.
GDPRLedger is a one-off payment product — there is no subscription to cancel. You are not enrolled in any recurring billing arrangement.
Access to the programme runs for 12 months from the date of purchase. When that period ends, your account moves to read-only mode: you can view and download your evidence pack and governance record indefinitely, but you cannot complete new tasks or upload new evidence.
Annual re-validation is available as a separate, optional purchase — it is never automatic and you will never be charged without your explicit action.
GDPRLedger is a digital compliance governance tool. It does not involve the export of physical goods.
The programme is available to organisations and individuals in the United Kingdom, Ireland, and EU member states. Access from other jurisdictions is not restricted by us technically, but the programme content is derived from UK GDPR (DPA 2018 / DUAA 2025) and EU GDPR (2016/679). It may not be appropriate for organisations operating solely under other data protection regimes.
GDPRLedger does not provide legal advice and does not determine compliance. Completing the programme does not constitute a legal certification of adequacy. Complex or unusual compliance situations should be assessed by a qualified solicitor or data protection practitioner.
The prices shown on this page are Launchpad prices — introductory pricing available during the initial launch period. These prices are subject to change. Purchases made at the Launchpad price lock in that price for the initial access period only; annual re-validation is priced separately when available.
Any promotional discount codes, if issued, are single-use, non-transferable, and apply to new purchases only. Promotions cannot be combined unless explicitly stated. Promotions have no cash value and cannot be applied retrospectively to completed purchases.
Partner programme commission rates (20–25%) apply to referred purchases completed during the partner's active agreement period. Rates are subject to change for future referrals with reasonable notice. Commission is paid on the net purchase amount after payment processor fees.