How To Run A GDPR Gap Analysis


You may remember the run-up to May 2018, when everyone was gearing up for the General Data Protection Regulation (GDPR) to come into force. It meant that businesses of all sizes had to prepare for big changes in the way they collected, stored and shared data. Today, all existing and new businesses must ensure they are GDPR compliant, or they could face cybersecurity breaches, backlash and potentially a huge fine.

As a business owner you need to run regular checks to ensure you are meeting all the GDPR guidelines and keeping up with any updates. And that applies whether your business is well established or just getting off the ground. One of the best ways to assess your compliance and highlight any areas of your security that could be improved is to run a GDPR gap analysis.

But what exactly is a gap analysis and how do you run one? In this guide, we’ll take a look at how running a GDPR gap analysis can be beneficial to your business and how to do it. Read on to find out more.

What is a gap analysis and what does it involve?

In order to run an effective gap analysis, you must first have a strong understanding of GDPR and what is expected of your business. The best way to do this is to get clued up on the General Data Protection Regulation and then work through a GDPR checklist to make sure you’ve got all the right processes in place and are doing everything needed to ensure compliance.

A gap analysis does what it says on the tin: it highlights any areas of your business and GDPR efforts that need improving. In order to run a gap analysis, you need to find the right tool for your business. It’s a good idea to explore your options and take a look at several different tools before settling on one. There is a mix of free and paid-for options, and while the free options can be great in the early stages of your GDPR efforts, they are usually less comprehensive. As such, you may need to invest in better tools down the line as your business collects more and more data.

Before running your analysis it’s a good idea to do your research and ensure you choose the best and most cost-effective tools for your business.

What options are available to your business?

Below, we’ll look at the four options available to you, before looking at the steps you need to take to conduct a gap analysis.

The do-it-yourself approach

The DIY approach involves completing questionnaires in order to quickly identify any weaker areas in your security and highlight what needs to be fixed. There are a number of tools you can use for this approach.

The template approach

Alternatively, you can choose the template approach. This involves buying a ready-made toolkit which includes various checklists and templates that can help you to produce GDPR compliance documentation.

The software approach

There are also software solutions out there that can run the gap analysis for you. These often include more than one feature as well, so you can use other monitoring and management tools at the same time.

The consultant approach

Finally, if you don’t want to run the gap analysis yourself, you can outsource it to a third-party provider. This means a consultant will come to your business to run an assessment for you and they will then provide you with a detailed report. This is a better approach if you’re not confident about running the analysis yourself.

The 9 steps for performing a GDPR gap analysis

Once you’ve decided which approach is best for your business, most gap analyses are conducted in a similar way. Below we’ll take a look at the nine steps for performing a GDPR gap analysis.

  1. Data protection analysis

Data protection is the driving force behind GDPR, so the first step on your gap analysis is assessing whether you’ve got the right data protection systems in place. This includes systems and procedures for security, accountability, measurement and reporting.

  2. Risk management analysis

Second on the list is deciding whether your risk management practices are adequate. Part of this is ensuring that your business upholds the right to freedom and privacy of all customers, clients and employees whose data you hold.

  3. Appointing a DPO

Next up, you need to decide whether your business is required to appoint a Data Protection Officer (DPO). There are a number of factors that affect this, and you can find out whether your business requires a DPO here.

  4. Outlining roles and responsibilities

Now it’s time to assess whether your staff have had the appropriate GDPR training. Everyone in your workforce needs to be aware of the basic rules of GDPR and of their role in keeping your business compliant.

  5. Defining the scope of your compliance

The next stage is to define the scope of your compliance responsibilities. This means taking into consideration all the data you are processing, and understanding where you are storing it and how it is shared. It covers all data your business handles, whether directly or indirectly.

  6. Checking data processing policies

It’s time to check whether you’ve got the right policies and procedures in place for handling sensitive data. This is hugely important for ensuring you are GDPR compliant, as you must only collect and store personal information on a lawful basis. By making sure you have a Data Protection Impact Assessment (DPIA) in place, you can decide whether you have the right governing procedures in place.

  7. Personal Information Management System

At this next stage you need to make sure you have established a process for documenting all GDPR compliance activities.

  8. Information Security Management System

We’re nearing the end of the analysis and at this penultimate stage you must ensure you have an Information Security Management System (ISMS) in place for securing personal data through appropriate measures. This must meet GDPR requirements.

  9. Facilitating the rights of data subjects

At this final stage, you must check whether you’ve got a strong process in place for giving all data subjects access to their information. This includes their right to access their data at any time, as well as their right to be forgotten.