Obligations

Obligations are the individual compliance tasks your organisation must fulfil. Each obligation belongs to a framework (e.g. GDPR), has a due date, a risk level, and an assignee.

Viewing your obligations

The Obligations page shows a full list of all obligations across your active frameworks. Use the search bar and filters to find specific items quickly.

Filters and search

• Search bar — type any word from an obligation title or description
• Status filter — All, Pending, In Progress, Completed, Overdue, Skipped
• Risk level filter — All, High, Medium, Low
• Framework filter — filter by a specific compliance framework
• Assignee filter — see only obligations assigned to a specific team member

Opening an obligation

Click any row to open the obligation detail view. Here you can:

• Read the full description — what the obligation requires and why it matters
• Change the status — Not started → In progress → Completed (or Skipped)
• Set or update the due date — override the auto-generated due date if needed
• Add notes — internal comments visible to all team members
• Upload evidence — attach documents, screenshots, or files that prove compliance
• Reassign — change which team member is responsible

Obligation statuses

Uploading evidence

Evidence files are securely uploaded and stored via Vercel Blob. To upload:

Uploaded evidence is automatically included in your Evidence Pack report when you generate it from the Reports page.

Conditional Obligations

Some obligations only appear when certain conditions are met based on your assessment answers:

• Consent Management — appears when your public-facing website answer is Yes
• Children's Data Safeguards — appears when your data categories include children
• Automated Decision-Making Rights — appears when automated decisions answer is Yes
• International Transfer Mechanism — appears when international transfers answer is Yes

Risk Level Overrides

Obligation risk levels may be adjusted based on your organisation's profile. When this happens, a tooltip next to the risk badge explains why the level was changed.

For example, a DPIA obligation is elevated to High risk for organisations in the healthcare sector or those processing high volumes of personal data. Some obligations — like Vendor DPAs for pure data processors — may be marked as Not applicable instead.

Evidence and Your Score

Uploading evidence for a completed obligation bumps your compliance score credit from 0.7x to 1.0x for that obligation. Evidence upload or deletion triggers an immediate score recalculation.

Each obligation's evidence section shows the current upload status and full file history so you can track what has been submitted.

Adding frameworks

Use the Add framework button on the Obligations page to add a new compliance framework. When added, ObligoBoard automatically generates all standard obligations for that framework with pre-set due dates and risk levels.

Available frameworks include: GDPR Basics, ESG Light Reporting, EU AI Act Essentials, and UK Business Compliance Essentials.

Generating an Evidence Pack

Click Generate Evidence Pack to open the reports page with your framework pre-selected. See Evidence Pack for full details.