Why run a GDPR Gap Analysis now?
- Your compliance may no longer reflect how your organisation operates
Business evolves — but compliance doesn’t always keep up. If you’ve entered new markets, launched new services or adopted new tools, your data protection documentation may now be out of step with how you work. A GDPR Gap Analysis helps you identify those discrepancies and update your processes accordingly.
- Managing GDPR alongside other responsibilities is a challenge
In many organisations, the person responsible for data protection is also juggling other priorities. Without dedicated expertise or legal support, staying on top of GDPR requirements can be difficult. This service gives you access to specialist knowledge and clear, practical advice — without the need to hire in-house.
- Stakeholders expect evidence of compliance
Clients, regulators and partners increasingly expect organisations to demonstrate accountability, not just promise it. Internal reviews have their place, but an independent assessment offers objective proof that you're taking GDPR seriously. The resulting report can be used to support audits, build trust, and show progress over time.
What a GDPR Gap Analysis involves
Our data protection consultants will assess your organisation’s privacy management and data protection practices through an on-site review of the following areas:
- Governance – the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout your organisation.
- Risk management – your organisation’s arrangements for privacy risk management, the extent to which information-specific risks are incorporated into corporate risk management, and the extent to which risks to the rights and freedoms of data subjects are addressed.
- Privacy by design – the extent to which data protection by design has been incorporated into the development of your systems, services, products and/or processes.
- DPO (data protection officer) – whether your organisation is required to appoint a DPO, whether one has been appointed and, if so, whether they meet the Regulation’s requirements.
- Roles and responsibilities – the extent to which your organisation has defined and established appropriate roles and responsibilities, and delivered appropriate training and awareness.
- Scope of compliance – whether your organisation has clearly defined the scope of its GDPR compliance, taking account of all data processing in which it has a part, whether as data controller or processor, as well as any data sharing.
- PIMS (personal information management system) – whether your organisation has implemented a PIMS that documents its GDPR/DPA 2018 compliance, and addresses staff training and awareness.
- ISMS (information security management system) – whether your organisation has implemented an ISMS to meet the GDPR’s requirements for “appropriate technical and organisational measures” in order to ensure the security of the personal data it processes.
- Rights of data subjects – the processes your organisation has implemented to facilitate and respond to data subjects exercising their rights under the GDPR/DPA 2018.
What to expect
A GDPR specialist will interview key managers and perform an analysis of your existing data protection and privacy arrangements and documentation.
Following this, you will receive a gap analysis report of the findings. The report outlines the areas of compliance and improvement, providing further recommendations for the proposed GDPR compliance project. Once you receive the report, you will also have the opportunity to discuss the findings with your consultant, to make sure you understand the score and to discuss the remediation strategy.
GDPR Benchmark Report 2024
Find out how you compare with organisations of your size and industry with our GDPR Benchmark Report, based on the findings of four years of GDPR gap analyses.