Many of our clients have been hard at work complying with data protection law, and have asked us to help them check that they’re doing what the law (or regulatory requirement) is asking them to do. Some have asked us to do a data protection audit for them, while others have asked for a data protection gap analysis. The trouble is: language is tricky, particularly in law. Depending on the context, two different terms can mean the same thing, or the same term can mean two different things. This is especially true in data protection law, where there are a lot of moving parts, and only a handful of terms to describe them.

This article clarifies what we see as the main differences between a data protection audit and a data protection gap analysis.

Other professionals may define these terms differently. For example, the term “data protection audit” is often used to mean an audit carried out by a data protection authority (such as the Information Commissioner’s Office (ICO)) of a controller’s compliance with the law. This article isn’t about that kind of audit. It’s always a good idea to agree in advance on what you want, to make sure that everyone is on the same page.

Why is this an issue in data protection law?

To understand one of the key differences between a data protection audit and a data protection gap analysis, you first need to understand how data protection law differs from most other laws.

Many laws are solely obligations-based (rules-based), setting out a list of things that you can and can’t do. If you break the obligations, you break the law, and only the courts can decide if there is any way to view the break as justifiable.

Data protection law is a newer form of law that contains some obligations but is largely principle-based: instead of a list of rules, it sets out a list of principles that you must follow. The law doesn’t tell you exactly what to do (or not do), but rather gives you guidelines as to how to do it. If you apply those principles properly, you will comply with the law.

That said, there are some obligations that appear in data protection law. For example, a controller has certain specific notification requirements in the event of a breach, and must enter into a written contract with a processor describing the processor’s data protection responsibilities. This means that complying with data protection law requires you to:

  • follow the obligations; and
  • apply the principles.

Data protection gap analysis

In our view, a data protection gap analysis is normally done at or near the beginning of your organisation’s compliance journey. It compares your organisation or its activities to specific identified compliance requirements, and finds gaps that you need to correct. A gap analysis is usually forward-looking, helping you to set out your actions before you implement controls. It is about planning and direction.

In a data protection context, a gap analysis can be used to see whether or not your organisation:

  • follows the obligations imposed by data protection law; or
  • applies the principles of data protection law to your processing activities.

A data protection gap analysis can be a fairly short exercise, like a high-level gap analysis, which looks at how your organisation applies the principles as a whole. It can also be a longer project, like a medium-level gap analysis, which focuses on how each department or business unit applies the principles to their specific activities.

You can find out more about doing a data protection, POPIA or GDPR gap analysis, or gap analyses in general.

Data protection audit

In contrast, a data protection audit is normally done closer to the end of your organisation’s compliance efforts. It verifies whether or not your organisation complies with a specific regulatory requirement by gathering evidence. An audit is usually backward-looking, helping you to determine if you have implemented the required controls appropriately, or if anything more needs to be done. It is about verification and assurance.

In a data protection context, an audit can be used to see whether or not your organisation has followed the obligations required by data protection law. In most cases, it cannot be used to see if you have applied the principles, because this is a much more detailed and subjective process.

A data protection audit often requires you (or your staff) to take part in interviews or complete questionnaires. Many of the questions have simple yes or no answers. It is often easier to create checklists for data protection audits, because the obligations being checked are fixed, whereas how a principle applies may change depending on your circumstances.

You can find out more about the other kinds of compliance audits we provide.