Gap Analysis

Fast-track GDPR gap analysis from one of the UK’s best

The Compliance Journey

  • Step 1: Gap Analysis

    We identify the areas that need improvement.

  • Step 2: Compliance Project

    We work with you to close the gap.

  • Step 3: Ongoing Support

    We provide an outsourced DPO for ongoing support.

  • Step 4: Staff Training

    We deliver comprehensive staff training.

Find your GDPR risks today. Non-compliance can be costly…

Every company thinks they are compliant with GDPR, or thinks they have done enough to prepare – but have you, and is it really “enough”? Could you provide sufficient evidence of a GDPR staff training programme, or Breach Management Policy upon demand as part of a new tender document?

In our experience, most companies have not done enough, which leaves you exposed to data breaches that go undetected and to ICO investigations that may lead to enforcement action. With the GDPR enforceable since 25 May 2018, there really is no excuse for having little in place to demonstrate your compliance.

If this sounds like you, the PRIVACY HELPER team can be working with you in a matter of hours – identifying your core processing risks through simple conversations.

For many organisations, lack of compliance begins with the website which should be considered as your shop window:

An insecure website – one that is easy to compromise – gives an attacker an easy way in and a simple means of causing problems.

  • No details of your ICO registration as a data controller (where registration applies) – registration, i.e. payment of the data protection fee, is a legal requirement, and the regulator can impose fines of up to £4,000 for failing to do so.
  • No Privacy Notice, or one that still references the Data Protection Act 1998 or contains other inaccuracies – you are legally required to be transparent about your processing activity.
  • No cookie consent mechanism, or one that does not meet the conditions for valid consent (for example, non-essential cookies set before the visitor has opted in).

If your website lacks any of these three basic elements it suggests to potential clients your business has done little to prepare for GDPR – which puts them at risk by engaging with you.

Many businesses have come to us with this problem – we call it the “Ripple Effect” – an organisation is asked by a potential client to supply specific policies demonstrating their GDPR compliance, but they don’t have these – potentially losing that new client and a contract worth thousands.

Our extensive GAP Analysis is designed to address this hurdle before it becomes an issue, by independently gauging how compliant you are with the GDPR – and what is required to improve your business practices to address this.

Every organisation requires some form of remediation – GDPR is an ongoing effort and nobody is perfect.

The key benefits of this process are:

  • To provide you, the data controller, with an accurate snapshot of how ready the organisation is to comply with the requirements of the UK GDPR / Data Protection Act 2018.
  • Highlight your current risks and necessary steps – in a high-level executive summary
  • Provide a clear, high-level plan to achieve full compliance for the business
  • Identify areas that require immediate attention – those of critical status.
  • Collect intelligence to deliver a strategy for achieving sustainable GDPR compliance

How we undertake GAP Analysis

Basic Audit

For organisations with up to 5 departments, a single consultant requires 1 working day to complete the audit and a further 1 working day to draft the report.

2 working days: £1,900 (plus reasonable subsistence expenses).

Intermediate Audit

For organisations with a single office and more than 5 departments, a single consultant requires 2 working days on-site to complete the visit and a further 2 days off-site to draft the report.

4 working days: £3,800 (plus reasonable subsistence expenses).

Advanced Audit

This is ideal for larger businesses with multiple sites and more than 5 departments.

Depending on your requirements, our Privacy Team will visit all sites to conduct the audit, then work off-site to complete the report. The number of consulting days will depend on the scale and complexity of the business – therefore, our fees will be confirmed after we have spoken in more detail.

We aim to come away from your business with a good idea of how personal data flows into, around, and out of your business – the mechanisms for this transfer and legal basis in all cases.

Stage 1 (off-site)
  • Initial research on your organisation
  • Website scan, structure of the organisation/number of employees, nature of the industry, status of registration with the ICO.
  • Creation and delivery of an agenda for our time with you.
Stage 2 (on-site)
  • GAP Analysis on site.
  • Initial GDPR introductory session to all staff. The session provides staff across all levels of the business with an understanding of the current data protection legislation, compared to the previous Data Protection Act, 1998, the obligations of the business and the rights of individuals. This session also helps staff understand the nature of the work we will be doing during our time on site. It is vital staff receive training on how GDPR affects their job, as a high proportion of breaches are due to a lack of staff awareness. The introduction we deliver will complement any training they receive or have previously received.
  • In-depth discussion with each department as to how personal data is processed in their specific area. This helps us to understand what types of personal data enter the business and from whom – your supply chain, business partners, or clients – and covers questions such as:
    – How is this personal data received? Is it via a secure mechanism, and what additional security measures protect it in transit? Is it sent within the UK, or overseas?
    – For what purpose will you use it, and is that in line with the expectations of the data subject? There are six lawful bases for processing, and at least one must apply to each processing activity – have you identified and recorded the lawful basis for each one?
    – How long do you store this personal data? Do you have specific retention schedules based on the types of data processed?
    – How is the data stored on your servers, and what security measures protect it? Do you use role-based access? What backups do you run?
    – Do all staff use company-owned devices (laptops/mobiles), or their own devices?
    – Which third parties have you engaged, and have you conducted due diligence on them? Do you have data-sharing or processor agreements in place with all business partners and suppliers? If one of them suffers a breach affecting personal data from your company, you remain accountable as the controller: the GDPR requires a written contract with each processor (Article 28) and due diligence on them, and without these you will struggle to show the ICO that you met your obligations.
    – If you transfer personal data to US-based contacts, which transfer mechanism covers it? (Privacy Shield was invalidated in July 2020 and can no longer be relied on.)
  • Based on these criteria, we expect to spend around an hour with each department.
  • We complete our time on site with a round-up meeting with the key stakeholders to summarise what we have found and (if applicable) our greatest concerns. There may be some immediate improvements you can implement ahead of our report being delivered.
Stage 3 (off-site)

Writing of our report, which will comprise:

  • A summary of all departmental conversations – split by individual processing, or data transfer activity.
  • Our comments in relation to this activity – does it put the data subject at undue risk, does it constitute a breach of data protection legislation, or is it a perfectly legitimate processing activity?
  • Our recommendations as to this processing activity. If there are risks, how can these be addressed/mitigated?
  • The report will be delivered in traffic light-format, enabling you to identify: the critical areas (Red), areas to be addressed within the remediation plan (Amber) and areas we are not currently concerned about (Green).

We will also deliver an Executive Summary which is presented to key stakeholders and summarises our main findings and includes a section on our recommendations – what you need to do, how to achieve these and the impact the tasks will have on your compliance journey. We aim to deliver all reports within a week of our time on site – very often within a matter of days.

If you engage with us for remediation or ongoing guidance, we will devise a complete compliance plan with tasks and milestones for each project – created in line with the required tasks and your budget.

Remember – the PRIVACY HELPER team are experts in performing GAP analysis audits. Our work in each department is detailed and meticulous, so you can be confident we will identify the risks involving personal data within the business. The ongoing guidance we can provide as part of the remediation stage will help to address these issues, giving the business the confidence of a sustainable GDPR programme.

Get in touch today to book a visit from our specialists and we can be with you in as little as 24 hours – don’t leave it until you have a proposal or tender deadline to meet – as this could cost the business dearly.

Clear, Transparent Pricing

Just like the GDPR demands your processing be transparent at all times, our fees are also transparent – there are NO hidden, or unexpected costs. Everything is explained clearly to you in advance, ensuring you never exceed your budget.

GDPR Gap Analysis

A detailed comparison between your current data protection practices and requirements of the GDPR

£2,500 +VAT

For a typical SME project of 3 days

Additional days at £1,045 +VAT per day for larger organisations

  • GDPR Gap Analysis
  • Compliance and risk analysis
  • Document review
  • RAG (Red/Amber/Green) report
  • Compliance action plan

GDPR Compliance

Create an effective Data Protection Framework by addressing identified areas of non-compliance

£5,500 +VAT

For a typical SME project of 6 days

Additional days at £1,045 +VAT per day as required

  • Create or update relevant policies
  • Define and implement processes
  • Train on record management
  • Support ‘Data Protection Culture’
  • Guide on compliance and risk

Outsourced DPO

Managing your Data Protection Compliance Framework and upholding Data Protection obligations

£1,045 +VAT per month

1 day a month for a typical SME

Additional days at £1,045 +VAT

Half days at £595 +VAT

  • Designated qualified DPO
  • Interacting with the ICO
  • Supporting DSARs & DPIAs
  • Conducting Due Diligence
  • Guiding on compliance and risk

PRIVACY HELPER GDPR / Cyber Security training starter pack

GDPR Training

Training portal access is available as part of a package or as a standalone service

From £2.50 +VAT per user per month

Price per user depends on your agreement length.

Quantities and agreement lengths are available on request.

  • Online training package
  • Supports Compliance Framework
  • Bespoke training programmes
  • In-person training available

Why choose us?

Click here to find out why we are a leading UK privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACY HELPER

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.

Marketing

Is your marketing activity legal? We can make sure it is.