Key Takeaways
  • A GDPR gap assessment identifies where your current data protection practices fall short of GDPR requirements.
  • Assessment typically covers data mapping, lawful bases, rights processes, security measures, breach procedures, and international transfers.
  • An independent assessment provides stronger assurance than self-assessment, especially for due diligence and regulatory interactions.
  • Gap assessment deliverables include a findings report, risk-rated gap register, and prioritized remediation roadmap.
  • Organizations should conduct a gap assessment before investing in major compliance program changes.

Assessment Overview

A GDPR readiness or gap assessment evaluates your current privacy practices against GDPR requirements to identify compliance gaps. Unlike a certification (GDPR has no certification scheme), an assessment provides a structured review with actionable recommendations.

Why Conduct an Assessment?

  • Understand current compliance posture
  • Identify and prioritize remediation efforts
  • Demonstrate accountability to stakeholders
  • Prepare for regulatory scrutiny
  • Satisfy customer due diligence requests

Scoping the Assessment

Define Processing Activities

  • Customer data processing
  • Employee data processing
  • Marketing activities
  • Supplier/vendor data
  • Website and digital channels

Define Entities

  • Which legal entities are in scope?
  • Which geographies?
  • Which business units?

Assessment Domains

A comprehensive GDPR assessment covers these domains:

1. Governance and Accountability

  • Data protection governance structure
  • Data Protection Officer (DPO) appointment (if required)
  • Policies and procedures
  • Roles and responsibilities
  • Training and awareness

2. Lawfulness of Processing

  • Legal bases for processing (Article 6)
  • Special category data (Article 9)
  • Consent mechanisms and records
  • Legitimate interests assessments

3. Transparency

  • Privacy notices (completeness, clarity)
  • Fair processing information
  • Layered notice approach
  • Just-in-time notices

4. Data Subject Rights

  • Data Subject Access Request (DSAR) process and timelines
  • Verification procedures
  • Portability capability
  • Erasure procedures

5. Data Minimization and Retention

  • Retention schedules
  • Deletion procedures
  • Data minimization practices

6. Security (Article 32)

  • Technical measures
  • Organizational measures
  • Regular testing
  • Pseudonymization/encryption

7. International Transfers

  • Transfer mechanisms (Standard Contractual Clauses, adequacy decisions)
  • Transfer Impact Assessments
  • Supplementary measures

8. Processor Management

  • Data Processing Agreements
  • Processor due diligence
  • Sub-processor management

9. Breach Management

  • Breach detection capabilities
  • Notification procedures
  • Breach register

10. Privacy by Design

  • Data Protection Impact Assessment (DPIA) process
  • Privacy in development lifecycle
  • Default settings

Assessment Methodology

Document Review

Review of policies, procedures, privacy notices, Data Processing Agreements (DPAs), Records of Processing Activities (RoPA), DPIAs, and other documentation.

Interviews

Discussions with key stakeholders: DPO, IT, HR, Marketing, Legal, Operations.

Technical Review

Review of systems, configurations, access controls, and security measures.

Process Walkthroughs

Step through key processes: DSAR handling, consent collection, breach response.

Assessment Deliverables

  • Gap Analysis Report: Detailed findings by domain
  • Maturity Assessment: Current state rating
  • Risk Rating: Prioritization of gaps by risk
  • Remediation Roadmap: Recommended actions with priorities
  • Executive Summary: High-level findings for leadership

How to Prepare

Documentation to Gather

  • Privacy policy and notices
  • Records of Processing Activities (RoPA)
  • Data Processing Agreements
  • Consent records and mechanisms
  • DSAR log and sample responses
  • DPIA records
  • Breach register
  • Training records
  • Security policies and procedures

Frequently Asked Questions

What is a GDPR gap assessment?

A GDPR gap assessment is a systematic evaluation that compares your current data protection practices against GDPR requirements to identify shortcomings. It covers data mapping, lawful bases, privacy notices, DSAR processes, security measures, breach procedures, DPIAs, international transfers, and vendor management.

Who should conduct a GDPR assessment?

Independent assessors provide objective findings that carry more weight with regulators, customers, and partners. Internal assessments lack credibility for external stakeholders and may miss blind spots. An independent assessment demonstrates accountability under GDPR's governance requirements.

How long does a GDPR assessment take?

A GDPR gap assessment typically takes 2-6 weeks, depending on organisation size, complexity of processing activities, number of entities in scope, and the maturity of existing documentation.

What does a GDPR assessment cover?

A comprehensive GDPR assessment covers data mapping, lawful bases for processing, privacy notices, DSAR processes, security measures (Article 32), breach notification procedures, DPIAs, international data transfers, vendor and processor management, and governance and accountability structures.

How often should we repeat the assessment?

At minimum annually, or after significant changes to processing activities, systems, or regulatory requirements. Regular assessments help maintain compliance posture and identify new gaps as the organisation and regulatory landscape evolve.