GDPR Gap Analysis - 9 steps towards compliance
The first step is to understand where you are now. We will help assess your company's current level of readiness for the Regulation, and help identify and prioritise the key work areas that your organisation must address to be compliant.
- Data privacy culture – the extent to which data protection accountability, responsibility, policies, procedures and controls for monitoring data privacy compliance are in place and operating throughout the organisation.
- GDPR readiness to date – what the company has already done specifically in relation to the GDPR. What resources have been allocated, and what activities and actions have taken place?
- Risk management – the corporate arrangements in place for privacy risk management across the organisation, the extent to which the corporate risk regime incorporates information-specific risks, and which risks to the rights and freedoms of natural persons are addressed.
- Data protection officer – assess whether a DPO is mandatory and, if so, whether the DPO is capable of delivering against the GDPR requirements.
- Roles and responsibilities – the extent to which roles and responsibilities are defined and established throughout the organisation. This will highlight any need for training and/or greater awareness.
- The scope of compliance – is the company a controller, a processor or a sub-processor? Is any personal data shared with third parties? To determine the scope of compliance, we also identify all the key systems and databases that hold personal data, as well as all cross-border data transfers.
- Process analysis - What is the lawful basis for processing personal data? Are there any processes for which a data protection impact assessment (DPIA) is required?
- Personal information management system (PIMS) - demonstrating GDPR compliance requires a wide range of documentation. The scale of the documentation should be appropriate to the size and complexity of the organisation. The PIMS should also address staff training and awareness.
- Information security management system (ISMS) – the technical and organisational measures that ensure adequate security of personal data, whether it is held in hard copy or electronic form, or processed by the organisation's systems. This includes a review of the methodologies used to test security, and of any established cyber security certifications, standards and codes of practice the organisation follows.
The analysis can be carried out remotely and takes around two days to complete, including compiling the report. To get the most out of it, it is essential that there is buy-in from all key personnel in the company, right up to CEO level.
Get in touch with us below if you are looking for a GDPR Gap Analysis.