Are you looking for someone to do a regulatory compliance gap analysis for you? The purpose of a gap analysis is to compare you to a specific law, rule, code or standard, and find specific gaps that you should correct. A gap analysis is usually conducted before implementation has been done and includes our advice with us acting as experts on a particular law. A gap analysis is forward-looking and sets a direction and involves planning. We have years of experience doing a compliance gap analysis on specific focus areas. We can also do a legal assessment or a compliance audit, but those are something different.
A gap analysis is a very important step in any compliance project or programme but it is only part of the journey towards compliance (or the data protection life cycle). The gap analysis is part of the planning step and whatever you plan on spending on planning, you should budget on spending much more than that to implement the required remedial actions. Actually taking action to protect personal data is the most important step. You can read more about the different outcomes of each step in the data protection compliance process.
The benefits of a gap analysis
A gap analysis should enable you to know:
- where you currently stand with regard to complying with a law,
- where the gaps are,
- what you need to do to close the gaps and get closer to fully complying with the regulatory requirements.
We don’t audit during a gap analysis, but rather we get key process or activity owners, champions or project stakeholders to provide the evidence they may have (or not have) for each of the regulatory requirements in the law.
A gap analysis is done at the beginning of the journey, whilst an audit is at the end.
What we offer a gap analysis on
- Privacy or Data Protection Gap Analysis (to analyse the degree to which your organisation complies with all data protection laws that apply to it and identify the gaps)
- GDPR Gap Analysis (to analyse the degree to which your organisation complies with the GDPR and identify the gaps)
- POPIA Gap Analysis (to analyse the degree to which your organisation complies with POPIA and identify the gaps)
- POPIA Extra Gap Analysis (to analyse the degree to which your organisation complies with the extra compliance requirement in POPIA over and above the GDPR and identify the gaps)
- Governance Gap Analysis (to analyse the degree to which your organisation complies with governance codes that apply to it and identify the gaps)
- IT Legal Compliance Gap Analysis (to analyse the degree to which your organisation complies with IT laws)
You can also do a data protection related gap analysis yourself with our guidance by joining a Data Protection Programme.
The scope of a gap analysis
It is very important to be clear on the scope of the gap analysis. Against what are we going to analyse the degree to which your organisation complies? Is it to determine whether your organisation:
- Complies with all its clear and actionable regulatory obligations under law?
- Complies with the vague regulatory obligations under law (which are open to interpretation)?
- Has taken action (like put controls in place, and created a culture and a governance structure) to enable your organisation to apply the principles going forward?
- Does what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its current activities?
Do we do a gap analysis on one department or business area or all of them?
Our gap analysis process
Our gap analysis process normally includes us taking the following steps.
- Discover as much information ourselves as possible. If necessary, request you to send us various documents. Where necessary, send various people questionnaires to answer.
- Workshop with or interview various people to discover more information and ask for further clarification. Assess the extent to which an organisation is compliant with the relevant law and the associated legal risks.
- Document our findings by drafting and delivering a report, including actions that need to be taken.
Where necessary, we recommend solutions which would ensure compliance with South African regulatory requirements and implement best practice where sound business practice, rather than a legal requirement, dictates that the risk be managed.
A gap analysis is always about where we want to be
When we do a data protection gap analysis there are essentially two things we need.
- To understand how you process personal data as part of your activities.
- To know what controls you currently have in place or the extent to which you already comply with the regulatory requirements or obligations.
We can then determine the extent to which you don’t currently comply with the regulatory requirements and give you a list of actions you need to take to close the gap.
When should I do a gap analysis?
You also need to understand which of your current activities involve personal information (PI) and which laws apply to those activities. We do this by conducting a gap analysis (which sometimes includes mapping your activities).
Different levels of analysis
You can do a gap analysis at various different levels. You can do a high-level one or a very in-depth analysis, or anything in between. In a data protection context:
- A high-level gap analysis:
  - one awareness and planning workshop of up to four hours;
  - we map the top one or two key activities that are unique to your organisation at a high level; and
  - we identify the top 5 to 10 actions that you need to take first in order of priority.
- A medium-level gap analysis:
  - up to two four-hour awareness workshops and up to ten two-hour planning workshops;
  - we map about 10 to 20 activities that are unique to your organisation in some detail;
  - we identify the top 10 to 20 actions that you need to take first in order of priority; and
  - we provide you with a list of all the other actions you need to take to comply.
- An in-depth level gap analysis can involve hundreds of workshops over more than a year, mapping all activities in detail and identifying all actions that you need to take to comply.
They obviously get more time-consuming and expensive the more in-depth you want to go. Only the largest of large organisations whose business models involve data and who have significant resources should attempt an in-depth gap analysis.
A gap analysis report, including a compliance action plan
We deliver a practical gap analysis report in plain language detailing your current status, ideal status, and legal and compliance gaps. Our report also highlights risks and recommends action to be taken in the form of a compliance action plan, which includes a roadmap. Depending on the type of analysis, our report is made up of different components.