Security Classification: [Insert classification]

Version: 1
Dated: dd/mm/yy
GDPR Gap Assessment Tool
Approval: [Name of approver]
Note: this gap assessment must be conducted with reference to a copy of the GDPR

Layout: each Chapter, Section and Article is given on its own line; beneath it, one line per requirement with the columns:
Paragraph and Point | Requirements | Compliant? | Action required to achieve compliance | Action owner
CHAPTER I - General provisions
Article 1 - Subject-matter and objectives
  All | None - informational only
Article 2 - Material scope
  All | Has it been established that the GDPR applies to the personal data processing activities that the organization undertakes? | Yes
Article 3 - Territorial scope
  All | Has it been established that the GDPR applies, based on the data subjects whose personal data we process? | Yes
Article 4 - Definitions
  All | None - informational only

Total: 2
CHAPTER II - Principles
Article 5 - Principles relating to processing of personal data
  1a | Are personal data processed lawfully, fairly and transparently? | Yes
  1b | Are personal data collected for specified, explicit and legitimate purposes? | Yes
  1c | Are personal data collected adequate, relevant and limited to what is necessary? | Yes
  1d | Are personal data accurate and, where necessary, kept up to date? | Yes
  1e | Are personal data kept for no longer than is necessary? | Yes
  1f | Are personal data processed in a manner that ensures their appropriate security? | Yes
  2 | As the controller, can we demonstrate compliance with all principles? | Yes
Article 6 - Lawfulness of processing
  1 | Has the lawful basis for processing of all personal data been established? | Yes
  2 | None - informational only
  3 | None - informational only
  4 | For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria? | Yes
Article 7 - Conditions for consent
  1 | Can consent be demonstrated in all cases? | Yes
  2 | Are all requests for consent clearly distinguishable? | Yes
  3 | Are facilities for consent withdrawal in place? | Yes
  4 | Is consent freely given in all cases? | Yes
Article 8 - Conditions applicable to child's consent in relation to information society services
  All | For children, has consent been given by the holder of parental responsibility in all cases? | Yes
Article 9 - Processing of special categories of personal data
  All | Is all processing of special categories of personal data clearly justified? | Yes
Article 10 - Processing of personal data relating to criminal convictions and offences
  All | None - informational only
Article 11 - Processing which does not require identification
  All | Have processing cases where the data subject cannot be identified been defined? | Yes

Total: 16
CHAPTER III - Rights of the data subject

07/09/2019 Page 1 of 15 Confidential


Section 1 - Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
  1 | Is all information provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and in the required formats? | Yes
  2 | Is the exercise of data subject rights facilitated as required? | Yes
  3 | Are the required timeframes for responding to data subject requests met (without undue delay and in any event within one month of receipt, extendable by two further months where necessary)? | Yes
  4 | Are the required timeframes met for informing the data subject where action is not taken? | Yes
  5 | Are clear criteria defined for charging for manifestly unfounded or excessive requests? | Yes
  6 | Are procedures in place for confirming the identity of the requester? | Yes
  7 | None - informational only
  8 | None - informational only

Total: 6
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject
  1 | Is all of the required information provided to the data subject at the point where personal data are obtained? | Yes
  2 | Is all of the required additional information provided to the data subject at the point where personal data are obtained? | Yes
  3 | Is information provided to data subjects about further processing for additional purposes when required? | Yes
  4 | Is it clearly defined in which cases a data subject will already have the required information? | Yes
Article 14 - Information to be provided where personal data have not been obtained from the data subject
  1 | Is all of the required information provided to the data subject in cases where personal data are not obtained directly from them? | Yes
  2 | Is all of the required additional information provided to the data subject in cases where personal data are not obtained directly from them? | Yes
  3 | Is the required information provided to the data subject according to the timescales required? | Yes
  4 | Is information provided to data subjects about further processing for additional purposes when required? | Yes
  5 | Is it clearly defined in which cases the required information does not need to be provided? | Yes
Article 15 - Right of access by the data subject
  1 | Are procedures in place for responding to data subject access requests and providing the required information? | Yes
  2 | Is information regarding international transfers available to the data subject where appropriate? | Yes
  3 | Are procedures in place to provide copies of the personal data, and in the correct form? | Yes
  4 | None - informational only

Total: 12
Section 3 - Rectification and erasure
Article 16 - Right to rectification
  All | Are procedures in place to rectify inaccurate personal data and to have incomplete personal data completed? | Yes
Article 17 - Right to erasure ('right to be forgotten')
  1 | Are procedures in place to erase personal data without undue delay when a data subject requests it on legitimate grounds? | Yes
  2 | Are procedures in place to inform other controllers of erasure requests, where appropriate? | Yes

  3 | Is it clearly defined under what circumstances erasure requests will be accepted or denied? | Yes
Article 18 - Right to restriction of processing
  1 | Are procedures in place to restrict processing when a data subject requests it on legitimate grounds? | Yes
  2 | Are procedures in place to obtain data subject consent before processing that has been restricted is performed? | Yes
  3 | Are data subjects informed before relevant restrictions of processing are lifted? | Yes
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
  All | Are procedures in place to communicate rectification or erasure of personal data or restriction of processing to relevant third parties? | Yes
Article 20 - Right to data portability
  1 | Are facilities in place to provide the data subject's personal data on request in a structured, commonly used and machine-readable format? | Yes
  2 | Are facilities in place to transmit the data subject's personal data to another controller? | Yes
  3 | None - informational only
  4 | None - informational only

Total: 10
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object
  1 | Are procedures in place to receive, assess and comply with objections to processing of personal data? | Yes
  2 | Are procedures in place to receive objections to processing related to direct marketing specifically? | Yes
  3 | Are procedures in place to comply with objections to processing related to direct marketing? | Yes
  4 | Is the right to object explicitly brought to the attention of the data subject, at the latest at the time of the first communication? | Yes
  5 | None - informational only
  6 | Is it clear which processing (if any) is in the public interest? | Yes
Article 22 - Automated individual decision-making, including profiling
  1 | Is it clear which processing involves automated decision making, including profiling? | Yes
  2 | Is the basis of any automated decision making clear? | Yes
  3 | Are procedures in place to allow human intervention and obtain the views of the data subject with regard to automated decision making? | Yes
  4 | Have decisions that use special categories of personal data been identified and suitable safeguarding measures put in place? | Yes

Total: 9
Section 5 - Restrictions
Article 23 - Restrictions
  1 | Is it known to what extent Union or Member State law restricts the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, and the relevant parts of Article 5? | Yes
  2 | Are the specifics of any restrictions of Union or Member State law clearly known, defined and understood? | Yes

Total: 2
CHAPTER IV - Controller and processor
Section 1 - General obligations
Article 24 - Responsibility of the controller
  1 | Are appropriate technical and organisational measures in place to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR? | Yes

  1 | Are these measures reviewed and updated where necessary? | Yes
  2 | Are appropriate data protection policies implemented? | Yes
  3 | None - informational only
Article 25 - Data protection by design and by default
  1 | Are appropriate technical and organisational measures implemented in order to meet the requirements of this Regulation and protect the rights of data subjects? | Yes
  2 | Are only personal data which are necessary for each specific purpose of the processing processed? | Yes
  3 | None - informational only
Article 26 - Joint controllers
  1 | Are all joint controller instances identified and the relative responsibilities defined and agreed? | Yes
  2 | Does each joint controller arrangement duly reflect the respective roles and relationships, and is the essence of the arrangement made available to the data subject? | Yes
  3 | None - informational only
Article 27 - Representatives of controllers or processors not established in the Union
  1 | If the controller or processor is not established in the European Union, has a representative in the Union been designated in writing? | Yes
  2 | Has it been established whether or not paragraph 1 of this article applies? | Yes
  3 | Is the representative in one of the Member States where the data subjects are? | Yes
  4 | Has the representative been mandated by the controller or processor to be addressed by the supervisory authority and data subjects? | Yes
  5 | None - informational only
Article 28 - Processor
  1 | Have sufficient guarantees been obtained from processors to implement appropriate technical and organisational measures in accordance with the GDPR? | Yes
  2 | Has it been made clear to processors that no other processors shall be engaged without the written authorisation of the controller? | Yes
  3 | Are binding contracts in place with all processors that meet the requirements of the GDPR as stated in Article 28 paragraph 3 points a to h? | Yes
  4 | Where a processor engages another processor, are the same data protection obligations imposed? | Yes
  5 | None - informational only
  6 | Has the inclusion of standard contractual clauses been considered and, if appropriate, implemented? | Yes
  7 | None - informational only
  8 | None - informational only
  9 | Are the relevant contracts in writing? | Yes
  10 | None - informational only
Article 29 - Processing under the authority of the controller or processor
  All | Has it been made clear to all parties that personal data must only be processed on instructions from the controller? | Yes
Article 30 - Records of processing activities
  1 | If required, are the required records of processing maintained by the controller? | Yes
  2 | If required, are the required records of categories of processing activities maintained by the processor? | Yes
  3 | If required, are the records in writing? | Yes
  4 | If required, are the records available to the supervisory authority on request? | Yes
  5 | Has it been established whether the obligations to maintain records apply? | Yes

Article 31 - Cooperation with the supervisory authority
  All | Do the controller and processor cooperate with the supervisory authority on request? | Yes

Total: 24
Section 2 - Security of personal data
Article 32 - Security of processing
  1 | Are appropriate technical and organisational measures implemented to ensure a level of security appropriate to the risk to personal data? | Yes
  2 | Is due consideration given to the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed? | Yes
  3 | Have available approved codes of conduct been considered and, if appropriate, implemented? | Yes
  4 | Are controls in place to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller? | Yes
Article 33 - Notification of a personal data breach to the supervisory authority
  1 | Are procedures in place to inform the supervisory authority of a notifiable personal data breach within the timeframe laid out in the GDPR (without undue delay and, where feasible, not later than 72 hours after becoming aware of it)? | Yes
  2 | Is it clear to the processor that they must notify the controller of a personal data breach without undue delay? | Yes
  3 | Are procedures in place to ensure that the notification of a personal data breach to the supervisory authority includes all of the required information? | Yes
  4 | Do notification procedures allow for the further provision of information in phases? | Yes
  5 | Are personal data breaches documented? | Yes
Article 34 - Communication of a personal data breach to the data subject
  1 | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, are procedures in place to communicate the personal data breach to the data subject without undue delay? | Yes
  2 | Are communications to the data subject in clear and plain language, and do they include the required information? | Yes
  3 | Are procedures in place to assess whether communication to the data subject is required? | Yes
  4 | Do procedures allow for communication to the data subject being required by the supervisory authority? | Yes

Total: 13
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment
  1 | Are data protection impact assessments carried out where required? | Yes
  2 | If designated, is the advice of the data protection officer sought when carrying out a data protection impact assessment? | Yes
  3 | Are data protection impact assessments carried out in the cases listed in points a to c? | Yes
  4 | Has the list of processing operations which require a data protection impact assessment, published by the supervisory authority, been reviewed, if available? | Yes
  5 | Has the list of processing operations which do not require a data protection impact assessment, published by the supervisory authority, been reviewed, if available? | Yes
  6 | None - informational only

  7 | Do data protection impact assessments contain all of the required information? | Yes
  8 | None - informational only
  9 | Are the views of data subjects or their representatives on the intended processing sought, where appropriate? | Yes
  10 | Have any cases where a data protection impact assessment is not required due to Union or Member State law been determined? | Yes
  11 | Are reviews carried out to confirm that processing is in accordance with the data protection impact assessment, and in the case of changes to the risk of the processing? | Yes
Article 36 - Prior consultation
  1 | Is the supervisory authority consulted prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of mitigating measures? | Yes
  2 | None - informational only
  3 | Is the required information provided when consulting with the supervisory authority? | Yes
  4 | None - informational only
  5 | None - informational only

Total: 11
Section 4 - Data protection officer
Article 37 - Designation of the data protection officer
  1 | Has it been established whether a data protection officer is required and, if one is required, has one been designated? | Yes
  2 | If required, has a data protection officer been appointed for a group of undertakings? | Yes
  3 | If a public authority or body, has a data protection officer been appointed for several authorities or bodies? | Yes
  4 | None - informational only
  5 | Does the designated data protection officer possess the required professional qualities and expert knowledge of data protection law, and are they able to fulfil the required tasks? | Yes
  6 | Has it been decided whether to appoint internally or use a service contract? | Yes
  7 | Have the contact details of the data protection officer been published and communicated to the supervisory authority? | Yes
Article 38 - Position of the data protection officer
  1 | Is the data protection officer involved, properly and in a timely manner, in all issues which relate to the protection of personal data? | Yes
  2 | Is the data protection officer provided with the resources to carry out the required tasks, with access to personal data and processing operations, and with the means to maintain his or her expert knowledge? | Yes
  3 | Is the data protection officer independent and free from undue influence, and does he or she report to the highest level of management? | Yes
  4 | Is the data protection officer available to be contacted by data subjects? | Yes
  5 | Does the data protection officer understand that he or she is bound by secrecy or confidentiality concerning the performance of his or her tasks? | Yes
  6 | Have any conflicts of interest between the data protection officer's other duties and the role been resolved? | Yes
Article 39 - Tasks of the data protection officer
  1 | Has the data protection officer been assigned the required minimum tasks? | Yes
  2 | Does the data protection officer have due regard to the risk associated with processing operations in the performance of his or her tasks? | Yes

Total: 14
Section 5 - Codes of conduct and certification
Article 40 - Codes of conduct
  All | None - informational only
Article 41 - Monitoring of approved codes of conduct
  All | None - informational only
Article 42 - Certification
  All | None - informational only
Article 43 - Certification bodies
  All | None - informational only

Total: 0
CHAPTER V - Transfers of personal data to third countries or international organisations
Article 44 - General principle for transfers
  All | Are the provisions of Chapter V applied to all transfers of personal data to a third country or to an international organisation? | Yes
Article 45 - Transfers on the basis of an adequacy decision
  1 | Have those transfers which do not require specific authorisation (transfers to a third country or international organisation covered by a Commission adequacy decision) been identified? | Yes
  2 | None - informational only
  3 | None - informational only
  4 | None - informational only
  5 | None - informational only
  6 | None - informational only
  7 | None - informational only
  8 | None - informational only
  9 | None - informational only
Article 46 - Transfers subject to appropriate safeguards
  1 | Are all transfers of personal data subject to appropriate safeguards, and are they performed on condition that enforceable data subject rights and effective legal remedies for data subjects are available within the receiving country or international organisation? | Yes
  2 | Has it been identified which of the appropriate safeguards in the list in paragraph 2 points a to f, if any, apply to each transfer? | Yes
  3 | Has it been identified which of the appropriate safeguards in the list in paragraph 3 points a to b, if any, apply to each transfer? | Yes
  4 | None - informational only
  5 | None - informational only
Article 47 - Binding corporate rules
  1 | Have any binding corporate rules used for transfers of personal data been approved by the supervisory authority? | Yes
  2 | Do the binding corporate rules include the information required in paragraph 2 points a to n? | Yes
  3 | None - informational only
Article 48 - Transfers or disclosures not authorised by Union law
  All | None - informational only
Article 49 - Derogations for specific situations
  1 | Has it been established if any of the derogations for specific situations apply to current or planned transfers of personal data? | Yes
  2 | None - informational only
  3 | None - informational only
  4 | None - informational only
  5 | None - informational only
  6 | For transfers that are not based on specific provisions of the GDPR, has the controller or processor documented the required assessment as well as the suitable safeguards in place? | Yes

Article 50 - International cooperation for the protection of personal data
  All | None - informational only

Total: 9
CHAPTER VI - Independent supervisory authorities
Section 1 - Independent status
Article 51 - Supervisory authority
  All | None - informational only
Article 52 - Independence
  All | None - informational only
Article 53 - General conditions for the members of the supervisory authority
  All | None - informational only
Article 54 - Rules on the establishment of the supervisory authority
  All | None - informational only
Section 2 - Competence, tasks and powers
Article 55 - Competence
  All | None - informational only
Article 56 - Competence of the lead supervisory authority
  All | None - informational only
Article 57 - Tasks
  All | None - informational only
Article 58 - Powers
  All | None - informational only
Article 59 - Activity reports
  All | None - informational only

Total: 0
CHAPTER VII - Cooperation and consistency
Section 1 - Cooperation
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned
  All | None - informational only
Article 61 - Mutual assistance
  All | None - informational only
Article 62 - Joint operations of supervisory authorities
  All | None - informational only
Section 2 - Consistency
Article 63 - Consistency mechanism
  All | None - informational only
Article 64 - Opinion of the Board
  All | None - informational only
Article 65 - Dispute resolution by the Board
  All | None - informational only
Article 66 - Urgency procedure
  All | None - informational only
Article 67 - Exchange of information
  All | None - informational only
Section 3 - European data protection board
Article 68 - European Data Protection Board
  All | None - informational only
Article 69 - Independence
  All | None - informational only
Article 70 - Tasks of the Board
  All | None - informational only
Article 71 - Reports
  All | None - informational only
Article 72 - Procedure
  All | None - informational only
Article 73 - Chair
  All | None - informational only
Article 74 - Tasks of the Chair
  All | None - informational only
Article 75 - Secretariat
  All | None - informational only
Article 76 - Confidentiality
  All | None - informational only

Total: 0
CHAPTER VIII - Remedies, liability and penalties
Article 77 - Right to lodge a complaint with a supervisory authority
  All | None - informational only
Article 78 - Right to an effective judicial remedy against a supervisory authority
  All | None - informational only
Article 79 - Right to an effective judicial remedy against a controller or processor
  All | None - informational only
Article 80 - Representation of data subjects
  All | None - informational only
Article 81 - Suspension of proceedings
  All | None - informational only
Article 82 - Right to compensation and liability
  All | None - informational only
Article 83 - General conditions for imposing administrative fines
  All | None - informational only
Article 84 - Penalties
  All | None - informational only

Total: 0
CHAPTER IX - Provisions relating to specific processing situations
Article 85 - Processing and freedom of expression and information
  All | None - informational only
Article 86 - Processing and public access to official documents
  All | None - informational only
Article 87 - Processing of the national identification number
  All | None - informational only
Article 88 - Processing in the context of employment
  All | None - informational only
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  All | None - informational only
Article 90 - Obligations of secrecy
  All | None - informational only
Article 91 - Existing data protection rules of churches and religious associations
  All | None - informational only

Total: 0
CHAPTER X - Delegated acts and implementing acts
Article 92 - Exercise of the delegation
  All | None - informational only
Article 93 - Committee procedure
  All | None - informational only

Total: 0
CHAPTER XI - Final provisions
Article 94 - Repeal of Directive 95/46/EC
  All | None - informational only
Article 95 - Relationship with Directive 2002/58/EC
  All | None - informational only
Article 96 - Relationship with previously concluded Agreements
  All | None - informational only
Article 97 - Commission reports
  All | None - informational only
Article 98 - Review of other Union legal acts on data protection
  All | None - informational only
Article 99 - Entry into force and application
  All | None - informational only

Total: 0

Gap Assessment Results

General Data Protection Regulation

GDPR Chapter and Section | Number of requirements in section | Number of requirements applicable | Number of applicable requirements met | % Compliant
CHAPTER I - General provisions | 2 | 2 | 2 | 100%
CHAPTER II - Principles | 16 | 16 | 16 | 100%
CHAPTER III - Section 1 - Transparency and modalities | 6 | 6 | 6 | 100%
CHAPTER III - Section 2 - Information and access to personal data | 12 | 12 | 12 | 100%
CHAPTER III - Section 3 - Rectification and erasure | 10 | 10 | 10 | 100%
CHAPTER III - Section 4 - Right to object and automated individual decision-making | 9 | 9 | 9 | 100%
CHAPTER III - Section 5 - Restrictions | 2 | 2 | 2 | 100%
CHAPTER IV - Section 1 - General obligations | 24 | 24 | 24 | 100%
CHAPTER IV - Section 2 - Security of personal data | 13 | 13 | 13 | 100%
CHAPTER IV - Section 3 - Data protection impact assessment and prior consultation | 11 | 11 | 11 | 100%
CHAPTER IV - Section 4 - Data protection officer | 14 | 14 | 14 | 100%
CHAPTER V - Transfers of personal data | 9 | 9 | 9 | 100%
Totals | 128 | 128 | 128 | 100%


[Chart: Level of Compliance to the GDPR. Bar chart; vertical axis "Number of Requirements" (0 to 30), horizontal axis "GDPR Chapter/Section"; two series: "Number of requirements applicable" and "Number of applicable requirements met".]

[Chart: Percentage Compliance to the GDPR. Bar chart; vertical axis "Percentage requirements met" (0% to 100%), horizontal axis "GDPR Chapter/Section".]

[Chart: Percentage Compliance to the GDPR, Radar Chart. One axis per chapter/section listed in the results table (CHAPTER I through CHAPTER V - Transfers of personal data), scale 0% to 100%.]