Are you looking for someone to do a regulatory compliance gap analysis for you? The purpose of a gap analysis is to compare you to a specific law, rule, code or standard, and find specific gaps that you should correct. A gap analysis is usually conducted before implementation has been done and includes our advice with us acting as experts on a particular law. A gap analysis is forward-looking and sets a direction and involves planning. We have years of experience doing a compliance gap analysis on specific focus areas. We can also do an assessment or a compliance audit, but those are something different.
A gap analysis is a very important step in any compliance project or programme but it is only part of the journey towards compliance (or the data protection life cycle). The gap analysis is part of the planning step and whatever you plan on spending on planning, you should budget on spending much more than that to implement the required remedial actions. Actually taking action to protect personal data is the most important step. You can read more about the different outcomes of each step in the data protection compliance process.
The benefits of a gap analysis
A gap analysis should enable you to know:
- where you currently stand in regards to complying with a law,
- where the gaps are,
- what you need to do to close the gaps and get closer to fully complying with the regulatory requirements.
We don’t audit during a gap analysis, but rather we get key process or activity owners, champions or project stakeholders to provide the evidence they may have (or not have) for each of the regulatory requirements in the law.
A gap analysis is done at the beginning of the journey whilst an audit is at the end
What we offer a gap analysis on
- Privacy or Data Protection Gap Analysis (to analyse the degree to which your organisation complies with all data protection laws that apply to it and identify the gaps)
- GDPR Gap Analysis (to analyse the degree to which your organisation complies with the GDPR and identify the gaps)
- POPIA Gap Analysis (to analyse the degree to which your organisation complies with POPIA and identify the gaps)
- Governance Gap Analysis (to analyse the degree to which your organisation complies with governance codes that apply to it and identify the gaps)
Our gap analysis process
Our gap analysis process normally includes us taking the following steps.
- Discover as much information ourselves as possible. If necessary, request you to send us various documents. Where necessary, send various people questionnaires to answer.
- Workshop with or interview various people to discover more information and ask for further clarification. Assess the extent to which an organisation is compliant with the relevant law and the associated legal risks.
- Document our findings by drafting and delivering a report, including actions that need to be taken.
Where necessary, we recommend solutions which would ensure compliance with South African regulatory requirements and implement best practice where sound business practice, rather than a legal requirement, dictate that the risk be managed.
A gap analysis is always about where we want to be
When we do a data protection gap analysis there are essentially two things we need.
- To understand how you process personal data as part of your activities.
- To know what controls you currently have in place or the extent to which you already comply with the regulatory requirements.
We can then determine the extent to which you don’t currently comply with the regulatory requirements and give you a list of actions you need to take to close the gap.
A report including a compliance action plan
We deliver a practical report in plain language detailing your current status, ideal status, and legal and compliance gaps. Our report also highlights risks and recommends action to be taken in the form of a compliance action plan, which includes a roadmap. Depending on the type of analysis, our report is made up of different components.
Different levels of analysis
You can do a gap analysis at various different levels. You can do a high-level one or a very in-depth analysis, or anything in between. In a data protection context:
- A high-level gap analysis:
- one awareness and planning workshop of up to four hours;
- we map the top one or two key activities that are unique to your organisation at a high-level; and
- we identify the top 5 to 10 actions that you need to take first in order of priority.
- A medium-level gap analysis:
- up to two four-hour awareness workshops and up to ten two-hour planning workshops;
- we map about 10 to 20 activities that are unique to your organisation in some detail;
- we identify the top 10 to 20 actions that you need to take first in order of priority; and
- we provide you with a list of all the other actions you need to take to comply.
- An in-depth gap analysis can involve hundreds of workshops over more than a year, mapping all activities in detail and identifying all actions that you need to take to comply.
They obviously get more time consuming and expensive the more in-depth you want to go. Only the largest of large organisations whose business models involve data and who have significant resources should attempt an in-depth gap analysis.