What is a Data Protection Gap Analysis (DPGA)?
A DPGA is an assessment that determines an organisation's level of compliance with the General Data Protection Regulation (GDPR). The assessment identifies the shortcomings in a data controller's compliance by highlighting risks and potential areas of concern within the organisation. Once a DPGA has been conducted, suggestions and solutions can be offered to the organisation to help it reduce the risks to which it is exposed.
Why Is A DPGA Necessary?
A DPGA is an informative assessment for organisations that wish to be proactive in ensuring GDPR compliance. Many organisations do not possess the resources or financial capacity to appoint a full-time data protection specialist to ensure an adequate level of adherence to data protection law, so conducting a DPGA offers them several benefits. One of the most significant is that it indicates the organisation cares about its GDPR requirements and wishes to actively pursue the fulfilment of these obligations. This matters most should the organisation be reprimanded for a data breach: if it has conducted a DPGA, the penalty could be less severe, as proactive measures were taken. A further benefit is that the assessment provides a clear understanding of the organisation's position in relation to its GDPR obligations. Using this information, the organisation can then set realistic goals and methods for achieving an acceptable level of compliance.
What gap analysis options are available?
To perform a DPGA there are two main approaches that an organisation may take:
- The first approach is for the organisation to conduct the DPGA independently, by completing questionnaires or by using software with built-in tools to identify areas where GDPR compliance could be improved. The main issue with this approach is that an organisation without a data protection expert may struggle to interpret the results or implement them effectively.
- Alternatively, an organisation can take a consultation-led approach, engaging data protection specialists who assist in conducting the DPGA, interpreting the results and providing solutions to help implement the findings within the organisation.
How to Ensure Compliance with GDPR
The most effective way of adhering to the GDPR requirements is to cultivate a culture of data protection within the organisation. The organisation could appoint a Data Protection Officer (DPO) to assist with this. In addition, an organisation could ensure that its employees have received training in data protection; this will help reduce the number of data breaches the organisation suffers and, as a result, reduce its costs, since it will be subject to fewer fines.
How is GDPR Compliance Measured?
There are many methods that can be used to determine an organisation's overall level of compliance with the GDPR. A popular method when conducting a DPGA is to evaluate how well the organisation adheres to the 7 principles of lawful processing outlined in Article 5 of the GDPR. Because a data controller or processor must respect these principles throughout all processing, this is a reliable indication of the organisation's position in relation to data protection.
1. Lawful, Transparent, and Fair Processing
This principle concerns how the organisation collects the data that it processes. To adhere to it, organisations must obtain informed, freely given consent from the data subject. To help fulfil the requirements of this principle, the organisation can provide privacy notices and communicate with the data subject so that they know what they are consenting to and what rights they have. Lastly, it should provide a detailed explanation of who the data will be shared with, how it will be processed, and for what purposes.
2. Purpose Limitation
The organisation must only process the data for the purposes for which it was collected. An organisation with a detailed privacy notice will already have set out why it is processing the data. The privacy notice, combined with an organisation-wide understanding of why the data is being processed, helps ensure the data is only processed for that reason.
3. Data Minimisation
It is good practice for an organisation to collect only the minimum amount of data it requires to perform its intended task. This prevents an unnecessary excess of data, which can lead to slower processing or to data breaches. The organisation should take a proactive approach and refine the questions it asks to ensure that the data it receives is genuinely necessary for the processing.
4. Data Accuracy & Quality
If the organisation is using a data subject's personal information, it is important that the data it holds is relevant and up to date, so that the data subject's situation has not changed since the initial processing. An organisation could conduct an annual data audit in which it cross-references its existing data against any changes that have arisen since collection. This prevents incorrect information from being processed, which can slow down processing when the stored information is required but is no longer accurate.
5. Storage and Retention
It is vital that an organisation only keeps data for as long as it has a useful purpose for it. This, once again, prevents data clutter. It also decreases the likelihood of the organisation facing backlash for holding data it no longer requires in the event of a data breach. The organisation should have a retention schedule and should either adhere to the minimum period set out under law for certain categories of data, or select a realistic timeframe for how long it needs the data, after which the data should be disposed of. This could be set out in the privacy notice, and appropriate technical and organisational safeguards should be implemented to facilitate the disposal of the data.
6. Security & Confidentiality
If an organisation has decided to process personal data, it is responsible for providing the utmost protection to that data. Article 25 of the GDPR requires data controllers to adopt a privacy by design and by default approach when processing data. The most popular methods of achieving this are encryption and restricting access to certain types of data. These reduce the likelihood of the organisation suffering data breaches that could easily have been avoided had such mechanisms been implemented earlier.
7. Accountability & Liability
This principle places an emphasis on the controller's responsibility to demonstrate compliance with the GDPR and to ensure it knows who is accountable in any given situation. To satisfy the accountability requirement, controllers should have contracts with data processors and implement appropriate policies and procedures to support this. To further fulfil this requirement, the organisation should keep a record or log of its processing activities and conduct privacy impact assessments where necessary.
Should the organisation in question make efforts to satisfy each of the GDPR lawful processing principles, this is a strong indication that it has made genuine and proactive attempts to comply with its obligations under the GDPR, and the results of the DPGA should reflect this.
PrivacyEngine offers Data Protection consultancy services, including Data Protection Gap Analysis.