GDPR compliance is no small matter for any company, but the way you go about it makes all the difference. With the right tools at your disposal, it can be manageable. A GDPR gap analysis shows you where you are on the road to compliance compared to where you should be. It helps you patch up risks. It’s useful to do at any stage, whether you’re just waking up to GDPR or have been tackling it from the outset.
There are several ways to go about a GDPR gap analysis, so where do you start? This article looks at areas covered by an analysis and what services or tools you can use to perform one.
Changes in Data Protection
The GDPR sets out seven key principles. These are nominally similar to those that existed before under the EU 1995 Data Protection Directive (DPD). But there were notable changes.
Among the changes that GDPR brought are these:
- Data processing consent must be explicitly given. This outlaws the use of opt-out boxes or pre-ticked opt-in boxes on consent forms.
- Data controllers are more accountable and must be able to show compliance.
- Data processors are legally accountable for data breaches under GDPR.
- Wider definition of personal data to keep pace with technology.
- Enhanced rights for data subjects (e.g. data erasure).
- Wider territorial scope (i.e. applies to anyone handling data of EU citizens).
- Harsher sanctions possible against those in breach of GDPR.
Even if your company complied with previous DPD regulations, the GDPR creates more work. A gap analysis reveals the full extent of the work that needs doing.
The Scope of a GDPR Gap Analysis
The scope of a GDPR gap analysis may vary depending on who conducts it and for whom, but it is often comprehensive. If you’re a long way from compliance, a lighter gap analysis may be in order so you can quickly make the most pressing changes. Some of the key areas a GDPR gap analysis might examine are below.
- IT governance, data protection and security: checking that best practices are in place throughout the business for management of personal data. This includes policies and procedures, accountability, reporting mechanisms and performance assessments.
- Risk management: ensuring that the company conducts regular risk assessments and that the necessary regime is in place for effective risk management. Making sure that the risk to data subjects arising from the processing of their data is assessed.
- Data protection officer readiness: deciding whether a data protection officer (DPO) is necessary and, if so, helping to appoint one.
- Privacy by design and default: making sure staff know their roles and responsibilities and ensuring the company can readily prove compliance. Using GDPR for competitive advantage and putting in place the infrastructure that allows this.
- Scope of compliance: evaluation of the breadth of a company’s necessary compliance. This takes into account all data processing and data mapping, and identifies cross-border processing, which often carries extra risk.
- Personal information management system (PIMS): examining a company’s system of documentation and ensuring it’s in scale with the size and complexity of the business. Adjusting or streamlining it to align with GDPR needs.
- Information security management system (ISMS): making sure the company’s ISMS fulfills its role of minimizing risk while efficiently managing sensitive data.
- Rights of data subjects: facilitating the various rights of natural persons (e.g. access rights, data erasure, portability, rectification, the right to know the name of the DPO). Underlining the burden of proof that lies with data controllers in demonstrating grounds to override these rights.
- Data breach readiness and response: putting in place policies and procedures that enable fast reaction to data breaches and prompt reporting of them.
GDPR Gap Analysis: Who & How
There are different ways to perform a GDPR gap analysis. You can use a consultancy firm, employ someone in-house, or use GDPR software to do most of the work for you. The latter is viable for small to mid-sized businesses (SMEs).
GDPR consultancy firms do a thorough job in assessing GDPR compliance. Yet it can be a drawn-out process and is often expensive. A small business can pay upwards of £2,500 for such a service. The fee rises to £4,000 or more for medium-sized enterprises. The report issued by a consultant will help a company become compliant, but it can soon become outdated after changes within the business. GDPR compliance is a constant need.
Internal Gap Analysis
Companies can run their own internal gap analyses using teams of technical or legal professionals if they have the resources. Some companies use a GDPR compliance checklist, which asks a long series of questions about all aspects of data handling and protection (e.g. policies and procedures, roles and responsibilities, record-keeping, legal and regulatory). Checking compliance is a time-consuming project.
GDPR software offers a neat solution to analysing compliance for SMEs. Because everything is in the cloud, collaborative efforts towards compliance are easier. Changes occur in real time. It’s affordable, too. This is what GDPR software can do:
- Data Mapping: locating and tracking the flow of data
- Data Protection Impact Assessment (DPIA): assesses the risk of data processing to subjects
- Document generation: generates GDPR-compliant privacy policies and contracts
- Subject access management: creates a mechanism for handling SARs
- Data breach management: helps manage and report data breaches
- Subject consent management: assists in all aspects of gaining, recording and renewing consent
- Compliance assessment: generates a data protection programme tailored to your company
- DPO features: helps responsible parties implement and track compliance
Close the Gap
If you run a small to mid-sized business, GDPR software offers an easy way of achieving compliance. Bigger businesses with greater resources might not balk at the cost of consultancy or running an in-house team. Whatever you do, act now and close the GDPR gap!