GDPR assessment/audit: discovery and gap analysis and planning/strategy – preparing the GDPR / actions to be taken
James Fisher

The first stage is assessment/audit, consisting of discovery and gap analysis. In order to get somewhere you need to know where you stand today; that is a universal given.

To assess where you stand today, and thus also to see the gaps, this stage is one of discovering and mapping pretty much anything that is relevant within the scope of the GDPR. So you need to gain insight into your current practices on various levels: audit capabilities and methods, where data sits (data discovery), which processes are involved, how you process data, how your privacy and security practices function, who is responsible and accountable today, which systems, networks and databases come into the equation, and so on.

When conducting a risk assessment, look at the risks to individuals’ rights and privacy. In practice, assessment/audit and awareness overlap somewhat, as you can imagine. Seeing what you do can lead to awareness of aspects you might have overlooked, and vice versa.

In practice, the assessment and discovery stage also needs to lead to an analysis of the gaps. As said, this obviously means that you already know the GDPR and its full impact, so that it serves as a benchmark that guides you in assessing in a prioritized way with the gaps in mind.

An audit further includes gathering and analyzing all of the organization’s documented policies as they exist now, from security and business continuity policies to acceptable use and privacy policies.

Some additional GDPR audit tips:

  • Audit to map risk. It is advised to take all elements of risk and classify them from a prioritization perspective. When conducting a risk assessment, don’t (just) think about your organization’s risks. The GDPR wants you to look at the risks to individuals’ rights and privacy.
  • Assess all frameworks, organizational aspects, strategies and security/data/incident/reporting management practices.
  • Focus on people: it’s not just about the risks in current practices, processes, systems and frameworks; it’s also about organizational culture towards personal data protection and skillsets.
  • Get the documents. Make sure you have access to all data and documents which contain information on your latest security assessments, incidents and so on.
  • Listen. As we all know, there is often a world of difference between documented policies and real-life practice. This inevitably means that you need to talk with people about how they work in practice, regardless of any documents and policies.



Planning/strategy – preparing the GDPR actions to be taken

Once you know where the gaps are, it’s time to get really strategic: plan what needs to be done to close the gaps and to take all the other measures you’ve identified.

A plan exists to be executed, and executing it requires a full picture of the gaps, the various areas involved, and roles and responsibilities.

As the GDPR touches upon so many areas, you will essentially need to plan in an integrated and holistic way too. Planning, and next acting, in a holistic way is one of the benefits you can achieve as you go through a GDPR compliance exercise. After all, digital transformation, security, information management, marketing, customer service and so forth need a holistic view to succeed as well. And we still live in a reality with many silos.

In practice, however, you’ll plan across several functional and practical areas. These include:

  • Information management and governance
  • Security (and ICT as security needs to be guaranteed everywhere)
  • Human resources
  • Legal
  • Marketing, management of online presence and advertising (note that the GDPR will be complemented by a new EU ePrivacy Regulation).
  • Customer service and contact center
  • Etc.

You will also have to look at the ecosystem of your business, including third-party data partners and business process outsourcers (BPOs), and thus at SLAs too (vendor management).

In the planning stage (and also in the audit stage) you’ll have to look at, among others:

  • The practical aspects of moving to a ‘privacy by design’ organization.
  • “New” information governance plans.
  • Implementation plans regarding information management, security and privacy initiatives.
  • Plans regarding access policies, role management and the security controls which need to be put in place.
  • Plans to solve the potential vulnerabilities you detected in the assessment/audit stage.
  • Policy plans for the mobile workforce and action plans to tackle shadow IT.
  • Plans regarding audits and roles and responsibilities (e.g. the Data Protection Officer).
  • Plans regarding the roll-out of technologies that help improve security and privacy.
  • The plans regarding information audits, data retention, Master Data Management (MDM), device management (workers’ mobile phones, etc.) and so on.
  • Very specific plans for the many specific aspects of security and technology: GDPR and the cloud, GDPR and IoT; the list goes on.


I will be posting more important subjects to assist companies in understanding the GDPR process.


Nathalie Claes

Because quality is a passion and data security is gold

7 years

Julie Van duynslaeger Bob Claessen

Majken Sander

Data Nerd | Business Data Advisor | Digital Transformation | Privacy & Algorithm ethics

7 years

"Focus on people: .. it’s also about organizational culture towards personal data protection and skillsets." I so agree, that there's a lot more to it than 'just' data. Nice write up, James. Thank you for sharing your take.

Neil Campbell

Commercial Director - Risk Dashboard and IoD Ambassador for Cyber Security & Risk Management

7 years

The Risk Dashboard Limited are looking for GDPR experts to become supplier partners, if you would like to understand more please get in touch. https://www.riskdashboard.co.uk/contact-us/
