GDPR
Legal bases, register, DPIA, rights, DPO, processors, transfers, CNIL.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Legal bases, register, DPIA, rights, DPO, processors, transfers, CNIL.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Prove you actually know GDPR — legal bases, DPIAs, international transfers, data subject rights — in a 15-minute AI-led oral exam that separates real expertise from box-ticking.
The Plume GDPR badge tests your hands-on command of the General Data Protection Regulation through a 15-minute oral exam conducted by an AI examiner (OpenAI Realtime). The exam spans the full operational scope: choosing the right legal basis (legitimate interest vs. consent vs. contract performance), building and maintaining an Article 30 Record of Processing Activities, conducting a Data Protection Impact Assessment (DPIA), handling data subject rights requests within legal deadlines, managing processor relationships under Article 28, and navigating international data transfers from the invalidation of the Privacy Shield through to the EU-US Data Privacy Framework. A second AI model (Claude Opus) then reads the full transcript and produces a score from 0 to 100 with a level: Novice, Proficient, Advanced, or Expert.
Unlike a multiple-choice certification, the Plume oral forces you to reason out loud through real situations: arbitrating between operational constraints and a one-month erasure deadline, embedding privacy by design into a product sprint, or deciding whether a DPIA is actually required for a new profiling feature. The AI picks up the difference between someone who can quote Article 35 and someone who has actually run a DPIA end-to-end using the CNIL PIA tool or ISO 29134. Your detailed report — delivered within minutes — highlights exactly where you excel and where your reasoning has gaps, backed by quotes from your own answers.
This badge is built for DPOs, data protection lawyers, compliance officers, CISOs working on GDPR-adjacent projects, data protection consultants, and product managers overseeing high-risk processing activities. Whether you're preparing for a job interview, validating expertise you've built over years, or getting an honest benchmark before a promotion, the Plume GDPR badge gives you a concrete, shareable, AI-verified proof of your skills.
Here are the concrete dimensions the AI examines during the 15-minute oral.
Ability to select and justify the correct legal basis under Article 6 — consent, contract, legal obligation, vital interests, public task, or legitimate interest — and to walk through the balancing test required for legitimate interest, including documenting a Legitimate Interest Assessment (LIA).
Knowing which processing activities trigger a DPIA obligation under Article 35 and the supervisory authority's blacklists, running the assessment using the CNIL PIA methodology or ISO 29134, identifying residual risks and proposing concrete mitigating measures before go-live.
Designing, populating and governing a meaningful RoPA: mandatory fields (purposes, data categories, recipients, retention periods, security measures), common pitfalls such as vague purpose descriptions or missing processor entries, and strategies for keeping the record alive across organisational change.
Operational handling of access (Article 15), rectification, erasure (right to be forgotten), restriction, portability and objection requests within the one-month deadline (extendable to three), applying the correct exceptions under Articles 17(3) and 21(1), and triaging complex or manifestly unfounded requests.
Mastery of transfer mechanisms: 2021 Standard Contractual Clauses, adequacy decisions including the EU-US Data Privacy Framework (2023), BCRs, Article 49 derogations, Transfer Impact Assessments post-Schrems II, and the practical implications of the EDPB's Recommendations 01/2020 on supplementary measures.
Qualifying controller, processor and joint-controller relationships, drafting and auditing Article 28 clauses, mapping sub-processors and managing the flow-down of obligations, and handling security incidents that originate within the processor chain.
Conditions for mandatory or voluntary DPO appointment under Article 37, statutory duties, organisational independence from management direction, interface with the supervisory authority, and the limits of the DPO's role — in particular the absence of decision-making power over processing operations.
Embedding data protection by design and by default (Article 25) into software delivery: participating in sprint reviews, writing privacy stories, assessing high-risk features before launch, and building a pragmatic checklist that product and engineering teams can actually use without a law degree.
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Correctness of references to GDPR articles and recitals, EDPB guidelines and supervisory authority guidance. The AI examiner checks whether you cite the right provisions — Article 35 vs. Article 32, Article 28 vs. Article 26 — not just approximate concepts.
Quality of your judgements on concrete scenarios: selecting a non-obvious legal basis, handling an erasure request that conflicts with a legal retention obligation, deciding whether a DPIA is required for a borderline processing activity, or advising on a transfer mechanism post-Schrems II.
Answers grounded in detailed real situations — scope, stakeholders, decisions made, outcome — rather than textbook definitions. The AI distinguishes lived experience from rehearsed theory by probing the specifics of each example you bring up.
Ability to explain how you work with Security, Legal and Product teams without hierarchical authority, how you prioritise genuine risks over box-ticking compliance, and how you translate GDPR obligations into language that engineers and product managers will act on.
Familiarity with recent developments: the EU-US Data Privacy Framework (July 2023), the Data Act, EDPB guidelines on consent and cookie banners, and recent enforcement decisions. Shows that your GDPR practice is current, not frozen at the 2018 implementation rush.
A Plume session takes about 20 minutes, from tech check to badge delivery.
Before the exam starts, Plume verifies your microphone and connection quality. The entire exam is voice-only — no forms, no multiple-choice. Find a quiet room with a decent headset or microphone before you begin.
The AI examiner asks you to introduce yourself and describe your GDPR context: the type of organisation you work in, the scope of your responsibilities, and roughly how many processing activities you oversee. This calibrates the depth of the follow-up questions to your actual profile.
The core of the exam: the AI works through 4 to 6 questions covering legal bases, DPIAs, the RoPA, data subject rights, international transfers and processor management. It follows your answers with targeted follow-ups — if you mention the 2021 SCCs, it drills into Transfer Impact Assessments; if you bring up a DPIA, it asks about your methodology and remediation output. Everything is transcribed in real time.
The AI asks one higher-order question: situations where GDPR compliance conflicts with user experience, cases where a DPIA adds little real value, or when a DPO designation creates more friction than protection. This assesses your critical maturity — not just whether you know the rules but whether you can think around them.
Claude Opus analyses the full transcript and generates your score (0-100), your level (Novice to Expert), a theme-by-theme report with excerpts from your own answers, and a shareable public link to your badge. Everything arrives by email within a few minutes of finishing.
Your score out of 100 translates into a level a recruiter can grasp at a glance.
You know the GDPR exists and can name its core principles — lawfulness, purpose limitation, data minimisation — but you struggle to apply them without guidance. You tend to conflate consent and legitimate interest, and you haven't yet led a DPIA or built an Article 30 RoPA from scratch.
You handle routine data subject rights requests, contribute to RoPA updates and know when a DPIA is required. You work under the supervision of a senior DPO or data protection lawyer and need help on edge cases: sub-processor mapping, complex transfers, or breach notifications with a cross-border element.
You run GDPR compliance independently: you conduct end-to-end DPIAs, negotiate Article 28 clauses with processors, train internal teams, and coordinate breach response. You're fluent in the 2021 SCCs and the Data Privacy Framework and act as the primary contact for your supervisory authority.
You anticipate regulatory shifts — Data Act, ePrivacy Regulation, EDPB guidelines — and integrate them into organisational strategy before they become obligations. You design multi-entity or multi-jurisdiction compliance programmes, advise senior leadership on legal and reputational risk, and develop training curricula for other data protection professionals.
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
The badge validates expertise that the DPO title doesn't automatically imply. It distinguishes you from DPOs appointed by default, without structured training, and strengthens your credibility with senior leadership and the supervisory authority.
You advise clients or an in-house legal team on GDPR compliance. The badge proves your command goes beyond reading the regulation and covers the operational scenarios that matter: DPIAs, Article 28 negotiations, cross-border transfer mechanisms.
Security and data protection are inseparable. The badge lets you demonstrate mastery of Article 32 obligations, breach notification timelines under Article 33-34, and effective coordination with the DPO on security incidents with a personal data dimension.
You work across multiple clients and need to prove your level at every new engagement. The badge gives you a standardised, AI-evaluated proof of expertise to include in your proposal deck or LinkedIn profile, without waiting months for a formal certification.
You ship features that involve personal data and collaborate with the DPO on privacy by design. The badge gives you enough GDPR grounding to lead those conversations confidently, rather than escalating every processing question to the legal team.
Where and how your GDPR badge will help you day to day.
You're applying for an in-house DPO role at a 600-person company. Your Plume GDPR badge with a score of 81/100 and an Advanced level stands out against candidates who only list GDPR on their CV. The hiring manager can review the thematic report to see exactly where your expertise is deepest.
You're pitching a GDPR compliance programme to a mid-market company. You drop the badge link into your credentials deck: the prospect sees your score, your level, and can verify in seconds that you can speak concretely about DPIAs, RoPAs, and post-Schrems II transfer mechanisms.
You work in the legal team and are being considered for a newly created DPO role. The badge gives you a credible, objective data point to show HR and the General Counsel — evidence of operational GDPR expertise rather than self-assessment.
An investor wants evidence of GDPR maturity before closing a Series B. As the startup's Head of Compliance, you take the Plume badge to document your personal expertise level and give the due diligence committee a concrete data point alongside your compliance programme documentation.
You've just completed a GDPR training course and want to know what you've actually retained. The Plume oral confronts you with real scenarios — not multiple-choice questions — and the detailed report shows you precisely which topics (transfers? DPIAs? data subject rights?) need more practice.
You're a General Counsel hiring a compliance officer and receive CVs from lawyers, IT professionals, and consultants with very different backgrounds. Asking shortlisted candidates to take the Plume badge before the HR interview gives you a consistent, objective basis for comparison before the first call.
A few minutes to check you have everything you need.
At the end of your session you don't just get a score — here's everything that awaits you.
You receive a score from 0 to 100 and an official proficiency level (Novice, Proficient, Advanced, or Expert) assessed by Claude Opus on the full transcript of your GDPR oral. Consistent criteria for every candidate, no interviewer bias.
The report breaks down your performance across every topic covered: legal bases, DPIAs, RoPA, data subject rights, international transfers. Specific quotes from your own answers back up each observation — no generic feedback.
Your full exam recording is stored privately in your Plume account. Re-listen to your answers to prepare for a hiring interview, spot filler phrases or hesitations on technical GDPR topics, and track your progress across attempts.
A unique public URL lets you share your GDPR badge on LinkedIn, in a CV or in a client proposal. Anyone who clicks sees your score, your level and the exam date — a concrete, verifiable credential, not just a self-declared skill.
Discover related skills you can validate with Plume.
A 15-min oral exam with an AI, a shareable badge for your recruiters.
Choose this badge · €19.99