Ten Steps to Conducting a GDPR Gap Analysis

Most GDPR (General Data Protection Regulation) compliance projects start with a gap analysis.

A gap analysis is a popular method of assessing compliance against the requirements of the Regulation. It’ll help you identify and prioritise the areas that you should address.

What does a gap analysis involve?


A gap analysis is performed by an individual with in-depth expertise of the GDPR’s requirements, and a deep understanding of the practical realities of implementing suitable processes, controls and other measures to help the organisation achieve compliance.

Can I use a free GDPR gap analysis tool?

While it can be tempting to cut costs, freely available gap analysis tools are rarely as comprehensive as paid-for ones.

More concerningly, these free tools can prove troublesome for users who have limited knowledge of their compliance obligations under the GDPR.

With penalties for non-compliance as high as €20 million (about £17 million), it’s always worth opting for a gap assessment tool that has been developed by qualified experts.

Fortunately, there are many professionally developed and inexpensive gap analysis tools available.

What gap analysis options are available?

There are four different options to consider for conducting a gap analysis:

  1. The DIY approach

Questionnaire-driven gap analysis tools help you assess your organisation’s GDPR compliance posture by quickly identifying any gaps for remediation.

DIY tools like our EU GDPR Compliance Gap Assessment Tool typically require detailed knowledge of the Regulation and its compliance requirements.

  2. The template approach

You can purchase a complete set of templates to help you develop the documentation needed to demonstrate GDPR compliance.

Some documentation toolkits even include a gap analysis tool, such as our EU GDPR Documentation Toolkit.

  3. The consultant-led approach

You can outsource the gap analysis to a data protection consultant, who’ll conduct an on-site assessment of your privacy management and data processing practices.

After the assessment, you’ll receive a detailed report of your compliance status. This report will outline the level of effort required to achieve full compliance.

Make sure you appoint a consultant with an in-depth understanding of the GDPR’s requirements and how they should be met.

  4. The software approach

Software solutions offer more benefits than questionnaire-driven tools. Our GDPR Manager tool provides four features in one:

  1. Gap analysis tool
  2. DSAR (data subject access request) management
  3. Data breach monitoring
  4. Third-party management tool

What gap analysis solution is right for me?

The consultant-led approach is ideal for organisations seeking a comprehensive gap analysis. Data protection consultants can offer objective insight into the potential costs and risks involved in implementing a compliance programme.

Not every organisation needs to hire a consultant, though. Smaller organisations can benefit from more affordable tools and solutions that help track and maintain GDPR compliance.

Ten steps to performing a gap analysis

A gap analysis consists of the following stages:

  1. Data protection governance

Assess whether you have the necessary mechanisms in place for:

  • Data protection accountability and responsibility;
  • Policies and procedures;
  • Performance measurement; and
  • Reporting.

  2. Risk management

Ensure you employ adequate privacy risk management practices. This includes how you tackle upholding the rights and freedoms of data subjects.

  3. GDPR project resourcing

Establish how you will resource your compliance programme.

  4. DPO (data protection officer)

Determine whether you are required to appoint a DPO.

  5. Roles and responsibilities

Assess whether staff awareness training has been established, and ensure your compliance programme has identified suitable roles and responsibilities.

  6. Scope of compliance

Consider how you have defined the scope of your compliance obligations. Make sure you’ve considered all data processing and data sharing that your organisation is directly or indirectly involved in.

  7. Personal data processes

Check you’ve implemented processes and procedures for each GDPR principle involving personal data. Determine whether a lawful basis for processing personal data has been identified and documented, and ensure you have a suitable DPIA (data protection impact assessment) process in place.

  8. PIMS (personal information management system)

Establish a suitable programme to document your GDPR compliance activities.

  9. ISMS (information security management system)

Implement an ISMS to meet the GDPR’s requirements for securing personal data with “appropriate technical and organisational measures”.

  10. Rights of data subjects

Ensure you have a process in place for facilitating data subjects’ rights, including responding to DSARs.

Get serious about GDPR compliance

Choose the best gap analysis solution for your resource availability, budget and compliance needs.

IT Governance is a leader in the fields of GDPR compliance, data protection and cyber security. Contact us now for expert advice.