GDPR gap analysis 

A GDPR assessment is the first step companies need to take on their journey to compliance. The purpose of the gap analysis is to assess an organisations level of compliance to the GDPR requirements, identify areas of non-compliance and provide an action plan to address these. Companies that conduct a GDPR readiness assessment will have a clear plan of what they need to do and how to do it, thus making the journey to compliance easy to understand and straightforward.

Our GDPR assessment involves:

• Interviewing key staff who handle personal data e.g. IT, HR, Sales, Marketing, Customer Services, Senior Management, existing privacy staff

• A review of your GDPR related documentation e.g. policies, procedures, logs, registers etc

• Preparation of a comprehensive report that outlines:

  • Our findings of the current state of compliance against GDPR requirements using a Red, Amber, Green (RAG) status

  • A document review with comments and suggestions on improvements

  • An action plan identifying what needs to be done to address areas of non-compliance

Typically we need to speak to people that head up departments such as IT, HR, Marketing, Finance, Sales, compliance, legal and also anyone who currently has responsibility for privacy. It can also be good to speak to frontline staff that know the day to day job really well as they can often offer insights that managers can’t.

Once we have finished interviewing all your team, we will write up the report, which usually takes 1 day and then the report goes through our rigorous QA process to ensure it meets our quality standards. Typically this means you will have your report within 5 working days of the last interview.

The gap analysis is designed for organisations that may have done some bits and pieces around GDPR but don’t have an established compliance framework/programme in place. It’s really for those organisations who are starting on their journey to compliance. An audit is for those organisations who have put in place a framework/personal information management system and who want to carry out regular checks to make sure it is still operating as envisaged.

As part of your GDPR gap analysis, our team will cover the following main areas of compliance:

• Governance

• Risk management

• GDPR resourcing

• The need for a DPO (Data Protection Officer)

• Roles & responsibilities

• Scope of compliance

• Personal data processes

• PIMS (Personal Information Management System) & ISMS (Information Security Management System)

• Data subject rights

Typically interviews with individuals take in the region of 1-2 hours and we will work around your schedule to find a time that is convenient. We’re happy to book different slots of different days to make it work for you. Occasionally after meetings there may be one or two follow up questions, but we can usually address these via email.

If there are questions about the report, we can address these as part of the catch-up meeting which we normally have a few days after you have the report. If however, your question is urgent, please feel free to contact the consultant who conducted the gap analysis and they will be happy to answer any queries.