The GDPR gap analysis assesses your organizations current level of compliance with the Regulation, and helps identify and priorities the key work areas that your organization must address to be compliant.
Under GDPR Gap Analysisdata privacy & security experts cover ups the following areas :
1. Data protection governance – the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout the organization.
2. Risk management – the corporate arrangements in place for privacy risk management across the organization, the extent to which the corporate risk regime incorporates information-specific risks, and which risks to the rights and freedoms of natural subjects are addressed.
3. GDPR project – the extent to which an appropriately staffed, funded and supported GDPR project is in place, and capable of delivering realistic objectives to ensure compliance by 25 May 2018.
4. Data protection officer – whether a DPO is mandatory, a DPO been appointed, the role is positioned appropriately and the DPO is capable of delivering against the GDPR requirements.
5. Roles and responsibilities – the extent to which roles and responsibilities are defined and established through the organization, including necessary training and awareness.
6. Scope of compliance – it is essential that the scope of compliance is clearly defined, and takes account of all data processing in which the organization has a role, whether as a data controller or as a data processor, as well as any data sharing activity. In order to determine the scope of compliance, we also have to identify all the important databases that hold personal data, as well all extra-territorial/trans- border processing.
7. Process analysis – for each process that involves personal data, it is essential to identify the extent to which each of the data processing principles is established. The lawful basis for processing is a key area of consideration. Are there any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and data protection by default?
8. Personal information management system (PIMS) – demonstrating GDPR compliance requires a wide range of documentation. The scale of the documentation should be appropriate to the size and complexity of the organization. The PIMS should also address staff training and awareness.
9. Information security management system (ISMS) – the technical and organizational measures that ensure adequate security of personal data, whether it is held in hard copy or electronic form, or processed by the organizations systems. This includes a review of methodologies for testing security, and established cyber security certifications, standards and codes of practice.
10. Rights of data subjects – the organization needs processes that will enable it to both facilitate and respond to data subjects exercising any or all their rights.
The GDPR Gap Assessment report will identify in detail the extent to which your organization meets the GDPR requirements in each of these areas, and will provide an action plan that identifies and priorities the key issues that your organization must address to be compliant. The report will be delivered within ten days of completing the data-gathering phase of the project.
For more information please