It’s likely that General Data Protection Regulations (GDPR) have become an integral part of many of your business functions. When this came into effect back in May 2018, businesses had to get systems in place to ensure they were compliant with the new guidelines and that they were doing all they could to protect their data. And this hasn’t changed. Companies must continue to update their security systems and regularly assess their compliance if they wish to stay on top of their security efforts. But security shouldn’t just be down to IT teams, it needs to be deeply ingrained in every business function to ensure companies are sticking to the regulations.
One of the best ways to assess your security and feel confident that every area of your business is compliant is through running a GDPR gap analysis. This is a proactive approach to your data protection which allows you to assess and regularly update your systems. It also provides important evidence for the Information Commissioners Office (ICO) should your company ever become the victim of a breach. Below Evalian.co.uk look in more detail at what a gap analysis entails and how you can use these in your business.
What is a GDPR Gap analysis?
Instead of a simple checklist, a GDPR gap analysis allows you to create a company-wide system for managing the lifecycle of your data. And in fact, most GDPR compliance projects will begin with a gap analysis to get the ball rolling.
But what is a gap analysis? In a nutshell, this is an assessment which requires you to closely inspect every individual area of your business with the aim of highlighting any gaps in your systems that could affect your GDPR compliance.
There are a number of ways that you can run a gap analysis, but ultimately this needs to be done by someone who is an expert in the field and understand the different requirements under GDPR. Before you run your analysis, you’ll want to decide which approach is going to be best for your business.
Why run a gap analysis?
In case you’re still feeling unsure about whether your company could benefit from running this type of analysis or not, let us give you a little more insight. A gap analysis is the perfect way to assess your compliance. It forces you to slow down and put every aspect of your business under a microscope. It helps you to identify any areas where your business could improve and gives you the chance to patch these up and deal with any potential threats. Which in turn, leads to a fully compliant and much more secure company.
The different approaches to gap analysis
As we said before, there are several different approaches you can take when it comes to your gap analysis and these will depend on aspects such as your knowledge of GDPR, your team, your resources and your budget. Below we’ll look at the four different approaches you could take, so you can choose the technique that is right for you.
- The DIY approach
The do-it-yourself approach can be great if you’re on a tighter budget, although it does leave more room for error. That is, unless you’re an expert in GDPR or have someone on your team who is. This involves using questionnaires and your own knowledge to assess each aspect of the business. These will quickly highlight any larger gaps in your systems.
- The template toolkit approach
Another approach to your analysis could be purchasing a ready-made toolkit which includes checklists and templates for setting out your GDPR guidelines. These can help you to assess the different aspects of your business and also produce effective GDPR documentation and policies.
- The software approach
If you’re looking for something a little more reliable and that requires less work, then a software approach might be better for you. These programs can run a gap analysis for you and often include a range of helpful features that allow you to monitor and manage your compliance through the software.
- The consultant approach
If you’re really not confident in your own abilities and you’d prefer an expert to run your analysis, that’s OK too. There are plenty of consultants out there that will be happy to come to your business and conduct an assessment for you. They will then give you a detailed report highlighting any gaps and telling you which areas need to be improved.
What happens during a gap analysis?
No matter what approach you take, most gap analysis will take on a similar format. There are usually around nine steps that you (or your chosen consultant) will need to take to conduct your assessment. A typical analysis goes a little something like this:
- Assessment: You need to start by assessing your systems to determine if you’ve got the right policies, procedures and programs in place.
- Risk management: Now it’s time to decide if you have strong enough risk management practises in place and if you’re continuing to monitor these.
- DPO: An important part of your gap analysis is deciding whether or not you need to appoint a Data Protection Officer or not.
- Responsibility: The next step is to determine whether you’re employees are educated enough about GDPR and if all those involved in achieving compliance are aware of their roles and responsibilities when it comes to GDPR and the business.
- Scope: You need to understand the scope of your data and where everything is being stored. What this means is that you must identify and understand what data you’re collecting and processing, why you’re doing this and how it is being stored and used.
- Process: This one is very important. Next on your analysis, you need to determine whether you’ve got effective procedures and policies in place for those handling personal data. You must also make sure you have a Data Protection Impact Assessment (DPIA) in place.
- PIMS: Next you need to establish what is known as a Personal Information Management System (PIMS). This means ensuring you have a process in place for documenting your GDPR compliance activities.
- ISMS: You must also ensure you have an Information Security Management System (ISMS) in place which meets GDPR requirements
- Rights: Last but not least, you need to determine whether you have an effective process in place for dealing with access and deletion requests.
By following these nine steps, ensuring you’ve got all the correct policies and procedures in place will allow you to highlight the areas where you fall down. You can then rectify any problems or areas of weakness for a more effective security strategy.
