Are you looking for someone to do a data protection, POPIA or GDPR compliance gap analysis for you? These are all types of regulatory compliance gap analysis that focus on different aspects of data protection. You can read more about regulatory compliance gap analysis in general terms, including its purpose, when to do one and the benefits of doing one. This page is about one kind of gap analysis – one that focuses on data protection. It is different from doing a data protection audit.

The purpose of a data protection gap analysis is to compare your organisation to an identified regulatory requirement (like POPIA or the GDPR) and find the gaps in compliance that you should correct. A gap analysis is a very important step in any compliance programme but it is only part of the journey towards compliance (and only part of the data protection life cycle). We can help you get this right.

Who should conduct a gap analysis?

  1. Conduct a data protection gap analysis yourself by asking us to empower you with the knowledge and tools to do so. Do this by attending one of our workshops, or joining our data protection programme and working through the module on doing a gap analysis.
  2. Ask Michalsons to conduct a gap analysis for you by asking us for a quote. This is sometimes referred to as the consultant-led approach and is best for a comprehensive gap analysis and for larger organisations. Michalsons will work closely with the legal team or information officer in your organisation to do the gap analysis effectively. You need to appoint a champion (or project manager) in your organisation to help drive it from within. To quote accurately, we will need an accurate scope and statement of work (SOW).

The scope of a data protection gap analysis

It is very important to be clear on the scope of the gap analysis. The scope of a gap analysis is different for each organisation; a one-size-fits-all approach does not exist and cannot work. All organisations process different information, using different technologies, with different goals and different internal policies or rules, so each must be considered individually. These are some of the factors.

  • What are you doing the analysis on? Your whole organisation? Your processes? Systems? Activities?
  • What are you comparing your organisation to? What are you trying to comply with? Do you have a data protection compliance framework? For example, must you comply with multiple data protection laws, only the GDPR, only POPIA, or only the extra compliance requirements in POPIA over and above the GDPR? This is obviously critical.
  • What level of gap analysis? High-level or comprehensive?
  • What is the best process for your organisation?
  • How are we going to do it? What method, process, software or tools are we going to use?

We recommend that you call it a data protection gap analysis. Some people call it a POPIA gap analysis or a GDPR gap analysis, but in our experience the broader term of data protection gap analysis is better.

How to scope it?

  1. Scope the data protection, POPIA or GDPR gap analysis that your specific organisation needs yourself by asking us to empower you with the knowledge and tools to do so. As with conducting the actual analysis, you learn how to scope it by attending one of our workshops, or joining our data protection programme and working through the module on doing a gap analysis.
  2. Ask Michalsons to scope the gap analysis for your organisation by asking us to carry out a requirements assessment (scoping exercise) with you and produce a statement of work (SOW).

Most organisations don’t know what they need, have no proper data governance structure to assess their needs and cannot accurately scope their requirements. An investigation and scoping exercise (requirements assessment) allows a more accurate gap analysis (as well as an understanding of the priorities and dependencies), which determines what they should spend their money on and how much should be spent. Only after a gap analysis can you determine further actions and cost proposals.

How to conduct a gap analysis

Our gap analysis process normally includes us taking the following steps.

  1. Discover as much information ourselves as possible. If necessary, we request various documents from you and, where necessary, send questionnaires to various people to answer. We review your related contracts, policies and procedures.
  2. Workshop with or interview various people to discover more information and ask for further clarification. Analyse the extent to which an organisation is compliant with the relevant law and the associated legal risks. Workshops can be either awareness or planning workshops, and can vary significantly in number depending on the scope and level of the gap analysis.
  3. Document our findings by drafting and delivering a report, including actions that need to be taken. It is often useful to identify the top actions (about 10) that you need to take first (to fill gaps), in order of priority, following a risk-based approach. Ideally, in a complete gap analysis, you want to identify all the implementation actions that your organisation needs to take to comply. Depending on the level of the analysis, assigning the actions can also be done at this stage; sometimes it is treated as a separate exercise.

Where necessary, we recommend solutions that would ensure compliance with regulatory requirements and implement best practice where sound business practice, rather than a legal requirement, dictates that you manage the risk. The idea is to promote the practice of data protection rather than to drive it by enforcement.

A gap analysis is always about where we want to be

We need to know what controls you currently have in place, or the extent to which you already comply with the regulatory requirements. We can then determine the extent to which you don’t currently comply with the regulatory requirements and give you a list of actions you need to take to close the gap.

A gap analysis report, including a compliance action plan

We deliver a practical gap analysis report in plain language detailing your current status, ideal status, and legal and compliance gaps. Our report also highlights risks and recommends action to be taken in the form of a compliance action plan, which includes a road map. Depending on the type of analysis, our report is made up of different components.

Debrief

We arrange a follow-up call with you to discuss the gap analysis report and answer your questions.

Who will do it?

We have a team of skilled people with in-depth knowledge of data protection law. A team leader will be supported by other specialists within the firm.

When should I do a data protection, POPIA or GDPR gap analysis?

You need to have a privacy strategy and conduct a gap analysis before you can draft your privacy policy, procedures, guidelines or other documents. The strategy should take into account the nature of your organisation, its activities and needs. The strategies range from minimalist to broad.

You also need to understand which of your current activities involve personal information (PI) and which laws apply to those activities. You have to create a record of your processing activities by mapping your activities. You cannot do a gap analysis on your activities if you don’t have a record of them. Mapping activities isn’t typically part of a gap analysis. However, you can do a gap analysis to check if you enable data subject rights and meet your obligations, without mapping your activities.