by Sean Huggett, Director and lead Data Protection & Information Assurance Consultant at Evalian.co.uk
When the new General Data Protection Regulation (GDPR) came into effect back in May 2018, most businesses had to make some big changes to their systems to make sure they were GDPR compliant. So if you’ve just started your own business or your existing company has begun to grow, it’s likely that you too will be thinking about (or maybe have even started) a compliance project to make sure you’re in line with GDPR legislation.
One of the most important parts of your compliance project is going to be running a gap analysis, particularly in the early stages. This popular method helps your business to assess how GDPR compliant you currently are and to highlight any areas that need improving. In this guide, we’ll talk you through the importance of gap analysis and how to run one for your business.
What does gap analysis involve?
In order to conduct a gap analysis, the individuals involved must have an in-depth understanding of GDPR and what is required from the business. It can also be helpful to have a GDPR checklist when conducting an analysis to work through each area of the business and ensure you’re ticking all the right boxes. Those running the gap analysis must also understand the importance of getting suitable and practical processes in place to ensure compliance at every stage.
There are free gap analysis tools you can use to do this, though you might want to put some careful consideration into which tool will be best for you. While it’s great that there are free options available and these could be useful in the early stages, you might find they are less comprehensive and can cause you problems down the line. Before running your analysis it’s a good idea to do your research and ensure you choose the best and most cost-effective tools for your business.
What are my options for running a gap analysis?
You’ll be pleased to know there are a number of approaches you can take towards your gap analysis. In fact, there are four options to choose from, as outlined below:
- A DIY approach.
This is a questionnaire-driven approach to your gap analysis and can help to quickly identify any areas that need to be fixed. There are existing tools out there to help you run this type of assessment and to highlight any gaps in your GDPR compliance.
- A template approach.
You can get yourself a quick fix by purchasing a set of templates that help you to produce your GDPR compliance documentation. These template toolkits usually include a gap analysis toolkit as well which is similar to the checklist approach we discussed above.
- A consultant approach.
If you’re not feeling confident enough to run the gap analysis yourself, or you just want to be extra cautious, you can outsource it to a third party. This will result in a consultant coming to your business to run an on-site assessment and producing a detailed report of your compliance status for you. This can be a great approach if you want to be extra thorough.
- A software approach.
Finally, there’s the software solution which often includes more than one feature. For example, you could get your gap analysis done as well as data-breach monitoring and third-party management tools. But this will depend on which software you choose.
These are the four different approaches you can take; all you need to do is decide which is going to be most efficient and effective for your business. This will largely depend on your budget and the size of your company.
How do I perform a gap analysis?
Every gap analysis tends to be conducted in a similar way: no matter which approach you take, it will be broken down into stages. A typical analysis will be conducted as follows:
Data protection – First you’ll want to start by assessing whether you’ve got the right systems in place for data protection and accountability, policies and procedures, performance and measurement, and finally, reporting.
Risk management – Next up you need to decide whether you have adequate risk management practices. This includes how your business goes about upholding the freedom and privacy of all data subjects (usually your customers, clients or employees).
GDPR project resourcing and DPO – Now you must decide how you’re going to resource your compliance programme and whether you’re required to appoint a Data Protection Officer (DPO).
Roles and responsibilities – The next stage requires you to assess whether all staff have had the right GDPR awareness training and then to ensure that everyone involved in your compliance programme has been assigned suitable roles and responsibilities.
Scope of compliance – At this stage you need to define the scope of your compliance responsibilities. This means you need to take into consideration what data you are processing, where it is stored and how it is shared. This includes all data your business handles directly or indirectly.
Personal data process – Now you need to check whether you’ve effectively implemented the right policies and procedures for handling personal data. This is extremely important when staying GDPR compliant. You must determine whether you have a lawful basis for collecting and processing personal information, and ensure you have a Data Protection Impact Assessment (DPIA) in place.
Personal Information Management System – We’re nearing the end, but at this stage of your analysis you need to establish a process for documenting your GDPR compliance activities.
Information Security Management System – You need to make sure you have a system in place that meets the GDPR requirements when it comes to securing personal data through appropriate measures.
Rights of data subjects – Finally, you must ensure you have a strong process for facilitating the rights of data subjects, including the right to access their data and the right to be forgotten.
It’s time to get GDPR compliant.
The steps above outline how a gap analysis is conducted, though this can vary depending on the approach you take. For example, DIY will differ from hiring a dedicated consultant. But whatever you decide to do, you need to make sure that you take GDPR compliance very seriously, and running a gap analysis for your business is a good place to start.
Sean Huggett specialises in data protection, information risk and information security consulting and is the Director and lead Data Protection & Information Assurance Consultant at Evalian.co.uk. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security.