Data Protection Review & Gap Analysis

A data protection review is a process for assessing and assuring an organisation’s compliance with UK data privacy legislation, namely the Data Protection Act 2018 and the UK GDPR.

Best practice recommends conducting an annual review of your information governance framework. This annual review helps ensure that key data protection and information security policies remain up to date and compliant, and that training gaps are identified. Key procedures such as client, employee and supplier onboarding are tested, any gaps are highlighted, and recommendations are provided to add future value to the compliance, operational performance and profitability of the organisation.

In addition to regular scheduled reviews, organisations must conduct a review whenever there are significant changes to data processing activities. These changes may include:

  • Changes to the ways data is processed, especially if this processing is different from its original collected purpose;
  • New sources and/or volumes of data being processed throughout the organisation;
  • Changes to processing instructions given to data processors (e.g. suppliers);
  • Any other significant alterations to how personal data is handled, from the moment the data is captured, to the moment that data exits the organisation.

The frequency of reviews may also depend on the level of risk associated with the data processing activities: higher-risk activities may require more frequent reviews and assessment. For organisations working with external service providers or processors, contracts and data protection clauses should be reviewed regularly to ensure continued compliance and adherence to best practice, in line with the organisation’s supplier onboarding procedure.

Data Protection Review

A GDPR data protection review is a systematic and independent assessment of an organisation’s adherence to the General Data Protection Regulation (GDPR). The GDPR is a comprehensive set of data protection rules, in force throughout the European Union and retained in UK law as the UK GDPR, that aims to give individuals more control over their personal data and how it is used.

The purpose of a GDPR data protection review is to:

  • Assess compliance: Determine whether the organisation’s data processing activities align with the GDPR and any other country-specific data privacy legislation that applies.
  • Identify gaps and risks: Pinpoint areas where the organisation is non-compliant or at risk of non-compliance, and the reasons why this is the case.
  • Develop corrective actions: Recommend steps to mitigate identified risks and achieve GDPR compliance, and help the organisation communicate these positive actions to stakeholders (e.g. customers).
  • Demonstrate accountability: Show that the organisation takes data protection seriously and is proactively working to meet its obligations. A thorough data protection review provides evidence for internal audit, strengthens organisational culture, and reassures all stakeholders that protecting people’s personal data is non-negotiable for the organisation.

Data Protection Review - Checklist

The Information Commissioner’s Office (ICO) provides several checklists to help organisations comply with data protection regulations. The checklists cover a wide range of data protection and information security areas.

Gap Analysis

A gap analysis is a process that helps organisations identify and understand the gaps between their current data protection practices and the requirements of the relevant data protection regulations, primarily the UK General Data Protection Regulation (UK GDPR).

Gap analyses are typically conducted at or near the beginning of an organisation’s compliance journey, or at the pre-implementation stage of a new data processing activity, and help to plan and direct future actions from a compliance standpoint.

By performing a GDPR gap analysis, organisations can establish a baseline understanding of their data protection practices, highlight areas for future improvement, document potential data privacy and information security risks, and develop a targeted approach to achieving and maintaining compliance with UK data privacy regulations.


Benefits of a data protection review & gap analysis

  • Increased compliance: By identifying and addressing data protection non-compliance issues, an organisation reduces the risk of regulatory action and fines. Compliance also demonstrates to customers and partners that the business takes data protection seriously, which can enhance trust and reputation.
  • Data controller obligations met: A data controller determines the purposes and means of processing personal data and is obliged to carry out regular reviews of its data processing activities to maintain compliance; a scheduled review satisfies this obligation.
  • Gaps and potential risks identified: Data protection reviews can help prevent costly data breaches, which can have significant financial and reputational consequences.
  • Potentially reduced insurance premiums: Where compliance within the business is managed effectively, insurers may regard the organisation as a lower claim risk.
  • Onboarding simplified: Clients, employees and suppliers can all be made more clearly aware of the organisation’s data protection and privacy policies if these are regularly reviewed.
  • Enhanced profitability: By identifying and eliminating unnecessary data processing activities, businesses can reduce the costs associated with data storage, processing and security.