GDPR gap analysis data shows compliance in the UK is “quite low”
When implementing a GDPR (General Data Protection Regulation) compliance programme, a key challenge is securing the required resources and support – particularly from top management.
Yet GDPR compliance brings business benefits beyond mitigating the risk of data breaches and fines:
You’ll stop duplicating work, improving productivity.
You can better tie down the requirements for RBAC (role-based access control).
You can clearly define roles and responsibilities in job descriptions and other documentation.
Your information will be more organised, so you can find what you need more quickly, and with greater confidence in its accuracy.
You’ll get rid of data you don’t need, in line with your retention policy. That saves storage space and costs, and gives you more accurate insights into your data.
The value of a gap analysis
But how can you get management to understand these benefits, and more to the point, understand how far away the organisation is from compliance?
GDPR gap analysis offers a useful tool here – particularly if conducted by an independent third party.
A gap analysis (or ‘gap assessment’) compares an organisation’s current measures against an ideal ‘target state’ – in this case, GDPR compliance.
Gap analyses typically produce a report following the assessment, often with a prioritised action plan, that can function as a ‘reality check’ for management. It can help support your case to the board for extra resources.
GDPR compliance in the UK: “quite low”
DQM GRC’s GDPR Benchmark Report 2024 – based on gap analysis data – shows that many UK organisations have significant room for improvement when it comes to GDPR compliance.
The average score was 5.3, which DQM GRC described as “quite low”.
That said, the report also found that, on average, organisations performed better in certain GDPR compliance areas over others.
Privacy by design
For instance, the report found that privacy by design is the weakest compliance area.
This may be because organisations are less likely to treat privacy risks as business risks – yet privacy by design improves business projects, because it makes for simpler, more user-friendly software (or more customer-friendly products and services).
When you think about what data should be available to each process, you both improve your level of data security and force designers to take the time to consider what the process needs to do and why.
(This is also key to effective control selection in information security.)
Privacy by design also brings less conspicuous benefits:
It requires better documentation, which makes your projects easier to manage and, when you need it, will make disaster recovery easier.
Because you’ll need to look further ahead as you plan your project, it helps create more efficient processes and systems.
It also ensures you keep your data in appropriate formats ready for future use, and prevents you from using personal data in ways you shouldn’t.
In short, privacy by design is something you should be doing, irrespective of any legal requirements.
Information security
Meanwhile, the GDPR Benchmark Report 2024 found that organisations perform better on information security (compliance area ‘ISMS’ – information security management system).
DQM GRC suggested this is due to information and cyber security issues being more prone to receiving negative press than data protection issues, so organisations are more likely to treat cyber security risks as business risks.
Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, added:
Another possibility for this finding is that prior to 2018 [when the GDPR was enforced], organisations – particularly smaller businesses – may have struggled to justify expenditure on security.
In part, this was due to their attitude, often along the lines of: “Who would want to steal our data? It isn’t worth anything.”
In other words, business owners struggled to attribute a value to their data.
But when the GDPR was introduced, organisations could more easily place a value on the personal data they were holding: the greater of €20 million [now £17.5 million under the UK GDPR] or 4% of annual global turnover.
This may have helped convince management of the need to invest in security controls, and perhaps even implement an ISO 27001-compliant ISMS.
Book a GDPR gap analysis
Identify and prioritise the areas that most expose your organisation to risk with our GDPR Gap Analysis.
A GDPR specialist will interview key managers and perform an analysis of your existing data protection and privacy arrangements and documentation.
Following this, you’ll receive a report of our findings, which will:
Outline the areas of compliance and improvement; and
Provide further recommendations for the proposed GDPR compliance project.
Don’t take our word for it
Here’s what our customers say:
Walid:
As always, I’m delighted with the level of professionalism provided by ITGovernance.co.uk across all their service offerings – the gap analysis covered everything with a great level of clarity on both the technical and legal aspects of the exercise.
Katie:
My company wanted support in reviewing our GDPR compliance and identifying starting points for any changes needed.
I was supported by Kevin Downs from the Sales Team in selecting the IT Governance/DQM GRC GDPR Gap Analysis service for the Group, and this service turned out to be absolutely the right solution for us.
It was ably delivered by Martin Fletcher, whose knowledge of the subject and willingness to adapt to fit into a schedule that suited our business needs were very welcome indeed.
The service completely met expectations, and the whole process from start to finish was very helpful indeed. This is a worthwhile solution that is wholeheartedly recommended.
The post How a GDPR Gap Analysis Helps Secure Support From Senior Management appeared first on IT Governance UK Blog.