Assessment Overview

A GDPR readiness or gap assessment evaluates your current privacy practices against GDPR requirements to identify compliance gaps. Unlike certification (GDPR has no certification scheme), assessments provide a structured review with actionable recommendations.

Why Conduct an Assessment?

  • Understand current compliance posture
  • Identify and prioritize remediation efforts
  • Demonstrate accountability to stakeholders
  • Prepare for regulatory scrutiny
  • Satisfy customer due diligence requests

Scoping the Assessment

Define Processing Activities

  • Customer data processing
  • Employee data processing
  • Marketing activities
  • Supplier/vendor data
  • Website and digital channels

Define Entities

  • Which legal entities are in scope?
  • Which geographies?
  • Which business units?

Assessment Domains

A comprehensive GDPR assessment covers these domains:

1. Governance and Accountability

  • Data protection governance structure
  • DPO appointment (if required)
  • Policies and procedures
  • Roles and responsibilities
  • Training and awareness

2. Lawfulness of Processing

  • Legal bases for processing (Article 6)
  • Special category data (Article 9)
  • Consent mechanisms and records
  • Legitimate interests assessments

3. Transparency

  • Privacy notices (completeness, clarity)
  • Fair processing information
  • Layered notice approach
  • Just-in-time notices

4. Data Subject Rights

  • DSAR (data subject access request) process and timelines
  • Verification procedures
  • Portability capability
  • Erasure procedures

5. Data Minimization and Retention

  • Retention schedules
  • Deletion procedures
  • Data minimization practices

6. Security (Article 32)

  • Technical measures
  • Organizational measures
  • Regular testing
  • Pseudonymization/encryption

7. International Transfers

  • Transfer mechanisms (Standard Contractual Clauses, adequacy decisions)
  • Transfer Impact Assessments
  • Supplementary measures

8. Processor Management

  • Data Processing Agreements
  • Processor due diligence
  • Sub-processor management

9. Breach Management

  • Breach detection capabilities
  • Notification procedures
  • Breach register

10. Privacy by Design

  • DPIA (data protection impact assessment) process
  • Privacy in development lifecycle
  • Default settings

Assessment Methodology

Document Review

Review of policies, procedures, privacy notices, Data Processing Agreements (DPAs), the Records of Processing Activities (RoPA), DPIAs, and other documentation.

Interviews

Discussions with key stakeholders: DPO, IT, HR, Marketing, Legal, Operations.

Technical Review

Review of systems, configurations, access controls, and security measures.

Process Walkthroughs

Step through key processes: DSAR handling, consent collection, breach response.

Assessment Deliverables

  • Gap Analysis Report: Detailed findings by domain
  • Maturity Assessment: Current state rating
  • Risk Rating: Prioritization of gaps by risk
  • Remediation Roadmap: Recommended actions with priorities
  • Executive Summary: High-level findings for leadership

How to Prepare

Documentation to Gather

  • Privacy policy and notices
  • Records of Processing Activities (RoPA)
  • Data Processing Agreements
  • Consent records and mechanisms
  • DSAR log and sample responses
  • DPIA records
  • Breach register
  • Training records
  • Security policies and procedures