Preparing for the GDPR: Step 2) Plugging the gaps

Now that your organisation has successfully completed the workshop to review current processes and data protection obligations (described in last week’s post), you understand where and what the gaps are.

The workshop should result in an Executive Report which the workshop leaders present to the board, or at least the senior management team, to get buy-in, resources and budget to remediate any issues in processes, procedures and controls identified in the GDPR Audit Assessment. This report is essential to support the planning for a GDPR Compliance Project.

Common Gaps

Let’s take a practical look at a few recurring gaps raised in our assessments:

  1. No formalised process to train the workforce
  2. Missing policy and procedure documentation
  3. No tracking or documenting of evidence (relating to compliance)

Being realistic, organisations should analyse the risk of each gap. There will be some high-risk areas that need remediating first and some lower-priority risks that may take time to remediate, but this is all about improving the culture and attitudes towards Data Privacy and compliance. It is a journey.

Plug the Gaps

The GDPR Audit Assessment report should highlight the missing processes, procedures and controls and analyse the risks. A plan of action can then be derived, and agreement should be sought with the business and supporting stakeholders on the necessary roles and responsibilities. This is your classic Responsibility Assignment Matrix (RACI).


A realistic project plan should be created with clear deliverables and achievable goals. Common sense would dictate that the highest risks identified should be focussed on first.

The project governance should be overseen by the appointed Data Protection Officer, with support from Data Privacy and Protection professionals and with deliverables produced by individuals who are aware of the data protection impacts.

Expected outcomes of a GDPR Compliance Project

  1. Quick wins around education and training to support a healthy, privacy-conscious culture in the organisation. These help with organisational buy-in to support future compliance activities.
  2. Focus on the high-risk gaps. A few examples revealed by past compliance projects:
    • Non-existent or out of date Privacy Policies and Notices
    • No process to review how the privacy of data is upheld during system, solution or processing changes
    • Weak controls across the organisation on accessing data
    • No defined escalation of incidents or subject access requests
    • No legal or legitimate justification to retain historic personal data
    • DPO’s role conflicts with the management reporting line or day-to-day job function
  3. Address medium and lower risk activities over time and demonstrate continuous improvement of processes, procedures and controls, investing in the risks that can potentially expose personal data.

About Winterhawk

Winterhawk offers a variety of Data Protection, Privacy and GDPR services. For more information, visit our GDPR Services page.
