Are you looking for someone to do a regulatory compliance gap analysis for you? The purpose of a gap analysis is to compare your organisation to an identified regulatory requirement and find the gaps in compliance that you should correct. You usually conduct a gap analysis before you implement controls. A gap analysis is forward-looking: it sets a direction and involves planning. We have years of experience doing compliance gap analyses on specific focus areas. We can also do a legal assessment or a compliance audit, but those are something different.
A gap analysis is a very important step in any compliance project or programme, but it is only part of the journey towards compliance (and only part of the data protection life cycle). We believe that investment in planning will result in a far better prospect of identifying the gap accurately and identifying the most efficient and cost-effective measures for your organisation to close the gap. It will also help you budget accurately, which will enable you to take the important actions to close the gap quickly and effectively. Whatever you spend on planning, you should budget to spend more on implementing the required remedial actions.
The benefits of a gap analysis
A gap analysis should enable you to know:
- where you currently stand regarding complying with a regulatory requirement,
- what the gaps are,
- what you need to do to close the gaps and get closer to fully complying with the identified regulatory requirements.
We don’t audit during a gap analysis, but rather we get key process or activity owners, champions or project stakeholders to provide the evidence they may have (or not have) for each of the regulatory requirements in the law.
A gap analysis is done at the beginning of the journey, whilst an audit is at the end.
The flavours of gap analysis we offer
We offer a gap analysis to analyse the degree to which your organisation complies with a regulatory requirement that applies to it and identify the gaps.
- Privacy, Data protection, POPIA or GDPR gap analysis
- PAIA gap analysis
- Information governance gap analysis
- King Code gap analysis
- IT Legal Compliance gap analysis
- Consumer Protection gap analysis
Conduct a regulatory gap analysis
Ask Michalsons to conduct a gap analysis for you by asking us for a quote. This is sometimes referred to as the consultant-led approach and is best for a comprehensive gap analysis and for larger organisations. Michalsons will work closely with the legal or compliance team in your organisation to do the gap analysis effectively. You need to appoint a champion (or project manager) in your organisation to help drive it from within. To quote accurately, we will need an accurate scope and statement of work (SOW).
The scope of a compliance gap analysis
It is very important to be clear on the scope of the gap analysis. The scope of a gap analysis is different for each organisation. An important point is that a one-size-fits-all approach can’t work. There is no such thing as a standard gap analysis. All organisations process different information, using different technologies, with different goals and different internal policies or rules. Thus they need to be considered individually. These are some of the factors to consider:
- What are you doing the analysis on? Your whole organisation? Your processes? Systems? Activities?
- What are you comparing your organisation to? What are you trying to comply with? Do you have a data protection compliance framework? For example, must you comply with multiple laws, only one, or only the extra compliance requirement in one over and above another? This is obviously critical.
- What level of gap analysis? High-level or comprehensive?
- What is the best process for your organisation?
- How are we going to do it? What method, process, software or tools are we going to use?
How to scope it?
Ask Michalsons to scope the gap analysis for your organisation by asking us to carry out a requirements assessment (scoping exercise) with you and produce a statement of work (SOW). Most organisations don’t know what they need, have no proper data governance structure to assess their needs and cannot accurately scope their requirements. An investigation and scoping exercise (requirements assessment) will allow a more accurate gap analysis (as well as an understanding of the priorities and dependencies) to determine what they should spend their money on and how much they should spend. Only after a gap analysis can you determine further actions and cost proposals.
How to conduct a gap analysis
Our gap analysis process normally includes us taking the following steps.
- Discover as much information ourselves as possible. If necessary, ask you to send us various documents. Where necessary, send various people questionnaires to answer. Review your related contracts, policies and procedures.
- Workshop with or interview various people to discover more information and ask for further clarification. Analyse the extent to which an organisation is compliant with the relevant law and the associated legal risks. Workshops can be either awareness or planning workshops and can vary significantly in number depending on the scope and level of the gap analysis.
- Document our findings by drafting and delivering a report, including actions that need to be taken. It is often useful to identify the top actions (about 10) that you need to take first (to fill gaps) in order of priority following a risk-based approach. Ideally, in a complete gap analysis, you want to identify all the implementation actions that your organisation needs to take to comply. Depending on the level of the analysis, assigning the actions can also be done at this stage. Sometimes it is treated as a separate exercise.
Where necessary, we recommend solutions that would ensure compliance with regulatory requirements, and we recommend implementing best practices where sound business practice, rather than a legal requirement, dictates that you manage the risk.
A gap analysis is always about where we want to be
We need to know what controls you currently have in place or the extent to which you already comply with the regulatory requirements. We can then determine the extent to which you don’t currently comply with the regulatory requirements and give you a list of actions you need to take to close the gap.
A gap analysis report, including a compliance action plan
We deliver a practical gap analysis report or dashboard in plain language detailing your current status, ideal status, and legal and compliance gaps. Our report also highlights risks and recommends action to be taken in the form of a compliance action plan, which includes a road map. Depending on the type of analysis, our report is made up of different components. We have developed a gap analysis report template over many years that we use.
Debrief
We arrange a follow-up call with you to discuss the gap analysis report and answer your questions.
Who will do it?
We have a team of skilled people who have an in-depth knowledge of the law. There will be a leader who will be supported by other specialists within the firm.