The companies and SMEs we work with in London and elsewhere know that the General Data Protection Regulation (GDPR) comes into force next year. They are now seriously getting to grips with what they need to do to ensure their organisations don’t fall foul of the new rules governing data processing. For many this means undergoing a rigorous GDPR gap analysis or privacy audit to ensure their data collection processes and procedures comply with the GDPR and other legislation.
WHAT ARE THE RISKS TO BUSINESS OF DATA SECURITY BREACHES?
Sanctions under GDPR are much heavier than under the current penalty regime, so from a purely financial perspective it makes sense to take all necessary steps to comply with the law. But as the Boomerang Video case shows, it’s not just about strict legal compliance. The risks to your brand and reputation from a data breach are perhaps even greater than any penalty imposed by a regulator. In today’s security-focused commercial environment, if your customers and other stakeholders don’t trust you to manage their personal information, you won’t be in business for long.
A GDPR gap analysis from Big Data Law does two things:
- It demonstrates to external regulators that your company has addressed its legal obligations.
- It gives you and your stakeholders the peace of mind of knowing that personal data is being held and processed in the correct manner.
WHAT IS INVOLVED IN A GDPR GAP ANALYSIS?
Our gap analysis focuses on the risks to your organisation posed by your current methods of gathering and processing personal information. We examine the data security practices across your organisation, assess them in relation to GDPR and other relevant legislation and identify any shortcomings. The procedure can be broken down into four phases:
- Planning – We review relevant internal documentation and frame a bespoke questionnaire for your business to be used in the gap analysis exercise
- Information gathering – Questionnaires are completed and we liaise closely with key staff in your organisation to find out about how information is collected, used and stored
- Report stage – We deliver a comprehensive audit report identifying risks and providing recommendations to mitigate these
- Implementation – Following through on the report we help you put a new compliance framework in place
The questionnaire is key to the effectiveness of any gap analysis, so we will spend some time with the relevant people in your organisation to ensure all necessary information will be captured. The types of questions we usually ask include the following:
- For what purpose is the company gathering the information?
- What type of individual does the information belong to?
- What precise type of information is being gathered?
- How does your organisation collect the data?
- Do you get the individual’s permission to collect the data?
- Could you anonymise the data and still use it for the purpose intended?
- Do you keep the data under review during the time you hold it?
- How do you store the personal information?
- How do you protect it from unauthorised access or disclosure?
- Do you pass the data on to anyone?
- Can individuals control how their information is used?
- How do you delete data you no longer need?
Whatever the size of your organisation, if you handle personal data you must comply with the relevant legislation, including GDPR. A gap analysis is the starting point – a risk assessment that indicates your organisation takes data security seriously.
While there is a degree of investment involved in the information gathering and implementation stages, a well-developed data security framework will increasingly be seen as a business asset, one that sends a signal to both regulators and your stakeholders that you are on top of data security issues. Reviews like this can also expose outdated practices that unnecessarily burden your business, for example retaining information for longer than needed.
To find out more about our GDPR compliance audits, call us on +44 (0) 7545 813 894 or contact us online. We would be happy to give you a no-obligation quote for our work before you make any commitments.