GDPR Gap Assessment

  1. Home
  2. Services
  3. GDPR Gap Assessment

GDPR Gap Assessment

Most GDPR (General Data Protection Regulation) compliance projects start with a gap analysis. A gap analysis is a popular method of assessing compliance against the requirements of the Regulation. It’ll help you identify and prioritise the areas that you should address.
A gap analysis consists of the following stages:

1. Data protection governance

Assessment whether the organization has the necessary mechanisms in place for:

  1. Data protection accountability and responsibility;
  2. Policies and procedures;
  3. Performance measurement; and
  4. Reporting.

2. Risk management

Ensure the organization employs adequate privacy risk management practices. This includes how they tackle upholding the rights and freedoms of data subjects.

3. GDPR project resourcing

Establish how the organization will resource the compliance programme.

4. DPO (data protection officer)

Determine whether the organization is required to appoint a DPO.

5. Roles and responsibilities

Assess whether staff awareness training has been established, and ensure that compliance programme has identified suitable roles and responsibilities.

6. Scope of compliance

Consider how the scope of the compliance obligations have been defined. Consider all data processing and data sharing that the organisation is directly or indirectly involved in.

7. Personal data processes

Check that all processes and procedures for each GDPR principle involving personal data have been implemented. Determine whether a lawful basis for processing personal has been identified and documented, and ensure the organization has a suitable DPIA (data protection impact assessment) process in place.

8. PIMS (personal information management system)

Establish a suitable programme to document the GDPR compliance activities.

9. ISMS (information security management system)

Implement an ISMS to meet the GDPR’s requirements for securing personal data with “appropriate technical and organisational measures”.

10. Rights of data subjects

Ensure there is a process in place for facilitating data subjects’ rights, including responding to DSARs.