Nine Steps to Conducting a GDPR Gap Analysis

A good way to start any compliance project is with a gap analysis to determine both where your current practices fall short of your obligations and where you should focus to bring them up to standard.

When it comes to the UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, it’s also important to carry out gap analyses on a regular basis to ensure you continue to fulfil your legal obligations, especially when your data processing activities – and the personal data you process – change.

Our GDPR Gap Analysis service uses our proprietary GDPR RADAR™ assessment tool to gauge your level of compliance across a range of areas and to appropriately weight the results against your organisation’s needs.

GDPR RADAR is based on the same criteria used in an ICO (Information Commissioner’s Office) audit, so it provides a clear measure of your ability to demonstrate compliance to regulators.


What does a GDPR gap analysis involve?

A GDPR gap analysis is an assessment of your organisation’s alignment with the requirements of the UK GDPR and DPA 2018. It evaluates the extent to which your governance, documentation, systems, processes and staff awareness support lawful and secure personal data processing.

Unlike basic checklists or self-assessments, a thorough gap analysis considers your operational context, risk exposure and accountability obligations. It’s typically led by experienced data protection consultants, who can identify weaknesses that internal teams may overlook.

Our GDPR Gap Analysis Service uses the GDPR RADAR™ framework to assess nine core areas and provide a scored report with targeted remediation actions.


Why free tools fall short

Freely available GDPR gap analysis tools may seem appealing, but most are surface-level checklists that lack depth, nuance and context. They often:

  • Omit important requirements or controls.
  • Fail to account for organisational risk and sector-specific obligations.
  • Rely on internal interpretation by non-specialists.
  • Create false confidence rather than reliable evidence.

Our consultancy-led GDPR Gap Analysis service gives you evidence-backed insight, scored results across nine key areas, and practical remediation advice from qualified consultants. It’s designed to support defensible, risk-based compliance.


How to approach your gap analysis

There are four different options to consider for conducting a gap analysis, depending on your resources, risk level and internal expertise:

The DIY approach
This low-cost option is suited to small organisations with minimal data processing and good internal GDPR knowledge. It typically involves working through questionnaires or using tools like our EU GDPR Compliance Gap Assessment Tool to identify compliance gaps.

However, without expert interpretation, the results can be ambiguous or incomplete.

The template approach
Templates can help you create the necessary documentation to support GDPR compliance. Some include basic checklists to identify missing policies or records.

This option works best for organisations that already understand the Regulation and simply need help formalising their approach. Our EU GDPR Documentation Toolkit includes documentation templates and guidance materials but does not replace an expert-led gap analysis.

The consultant-led approach
This is the fastest way to get a clear, objective view of your current compliance posture. Our GDPR Gap Analysis Service uses the GDPR RADAR™ methodology to assess nine areas of compliance:

  • Governance
  • Risk management
  • Privacy by design
  • DPO requirements
  • Roles and responsibilities
  • Scope of compliance
  • Personal information management
  • Information security
  • Data subject rights

You’ll receive a scored report, practical remediation guidance and expert insight, tailored to your business. This approach is ideal if you:

  • Operate in a regulated sector.
  • Have limited in-house expertise.
  • Need to provide evidence of compliance to stakeholders or clients.

The software approach
GDPR software platforms such as our GDPR Manager tool, hosted on the CyberComply platform, help automate specific processes, such as DSAR handling, breach tracking and record keeping. They are useful for maintaining compliance but are not a substitute for an expert-led gap analysis.


What gap analysis solution is right for me?

This very much depends on your organisation and the type of personal data it processes. In short:

  • Small organisations with low risk profiles may get by with templates or internal assessments.
  • Medium to large organisations, or those that handle sensitive personal data, are best served by a consultant-led approach.

Our GDPR Gap Analysis service is the most comprehensive way to identify risks, prioritise remediation and demonstrate accountability.


Benefits of a GDPR gap analysis

A structured, expert-led gap analysis helps you:

  • Identify compliance issues before they’re exposed by clients or regulators
  • Prioritise budget and resources based on actual risk
  • Demonstrate accountability through an independent assessment
  • Strengthen stakeholder trust with defensible documentation
  • Get clear direction using our GDPR RADAR™ scoring methodology

Nine steps to performing a gap analysis

A gap analysis consists of the following stages, which correspond to the areas assessed under our GDPR RADAR™ methodology.

  1. Governance
    The extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout your organisation.
  2. Risk management
    Your organisation’s arrangements for privacy risk management, the extent to which information-specific risks are incorporated into corporate risk management, and the extent to which risks to the rights and freedoms of data subjects are addressed.
  3. Privacy by design
    The extent to which data protection by design has been incorporated into the development of your systems, services, products and/or processes.
  4. DPO (data protection officer)
    Whether your organisation is required to appoint a DPO, whether one has been appointed and, if so, whether they meet the Regulation’s requirements.
  5. Roles and responsibilities
    The extent to which your organisation has defined and established appropriate roles and responsibilities, and delivered appropriate training and awareness.
  6. Scope of compliance
    Whether your organisation has clearly defined the scope of its GDPR compliance, taking account of all data processing in which it has a part, whether as data controller or processor, as well as any data sharing.
  7. PIMS (personal information management system)
    Whether your organisation has implemented a PIMS that documents its GDPR/DPA 2018 compliance, and addresses staff training and awareness.
  8. ISMS (information security management system)
    Whether your organisation has implemented an ISMS to meet the GDPR’s requirement (Article 32) for “appropriate technical and organisational measures” to ensure the security of the personal data it processes.
  9. Rights of data subjects
    The processes your organisation has implemented to facilitate and respond to data subjects exercising their rights under the GDPR/DPA 2018.

Get an expert-led assessment you can trust

Our GDPR Gap Analysis Service assesses your organisation’s compliance with the UK GDPR and DPA 2018 using our exclusive GDPR RADAR™ methodology.

You’ll receive expert insight, a practical action plan and a detailed report you can share with stakeholders or regulators.


A version of this blog post was originally published in May 2019.

The post Nine Steps to Conducting a GDPR Gap Analysis appeared first on IT Governance Blog.
