How a data protection gap analysis can help your business


Carrying out a Gap Analysis will help to determine whether your organisation has implemented data protection effectively. It will also allow us to show whether or not your organisation’s policies are being followed when data is processed.


Another name for a gap analysis is a data protection audit or health check.

Completing a gap analysis enables organisations to identify and control potential risks and avoid breaches. It also ensures that the organisation follows the UK GDPR and/or Data Protection Act 2018 (the Act). This can help organisations protect themselves against potential financial penalties and legal claims from those whose data has been breached. Non-compliance can also result in negative publicity, harming an organisation’s reputation. When an organisation complies with these requirements, it effectively identifies and controls risks. Therefore, it protects itself as much as possible in case of a data breach.

An audit will typically assess your organisation’s procedures, systems, records, and activities to:

  • Ensure the appropriate policies and procedures are in place
  • Verify that those policies and procedures are being followed
  • Test the adequacy of the controls in place
  • Detect breaches or potential breaches of compliance
  • Recommend any indicated changes in management, policy, and procedure.

Benefits of gap analysis

It’s an audit of data protection implementation in your organisation. For me, it is more of a health check with some great benefits for a business. A gap analysis can help your business by:

  • Improving compliance: A gap analysis can help you to develop a plan to bring your business into compliance. This can help you to avoid costly fines and legal actions.
  • Reducing risk: A gap analysis can help you to identify where your business is vulnerable to data breaches or other security incidents. You can reduce the risk of a data breach and protect your business from the consequences of such an incident.
  • Enhancing security: A gap analysis can help you to identify areas where your security measures may be lacking. A plan can be created to improve your security posture and protect your business from cyber threats.
  • Building customer trust: With strong data protection measures and compliance with regulations, you can build trust with your customers. This can result in increased customer loyalty and positive word-of-mouth recommendations.
  • Avoiding reputational damage: A data breach can harm your business’s reputation. You can prevent the negative impact of a data breach on your brand image.
  • Streamlining processes: A gap analysis can help you to streamline your data protection processes by identifying areas where you may be duplicating efforts or using outdated technologies. By optimising your operations, you can save time and money while maintaining a high level of data protection.

Completing a gap analysis

If you’re convinced that a data protection gap analysis is the right step for your business, knowing how to go about it is essential. Here are a few steps you can take to ensure that your gap analysis is practical:

  • Define your scope: Decide which business areas you want to assess in your gap analysis. This could include policies, procedures, technologies, and practices related to data protection.
  • Identify your assets: Determine what types of sensitive data your business handles, where it’s stored, who has access to it, and how it’s processed.
  • Evaluate your current state: Assess your data protection measures and identify areas where you may be non-compliant with regulations or vulnerable to data breaches.
  • Develop a plan: Based on your assessment, create a plan to address any gaps or vulnerabilities you’ve identified. This plan should prioritise the most critical issues and outline specific steps to improve your data protection measures.
  • Monitor and update: Regularly monitor and update your data protection measures to ensure they remain effective and compliant with regulations.

By following these steps, you’ll be well on your way to implementing a thorough and effective data protection gap analysis for your business. Remember, taking proactive steps to protect sensitive data is crucial in today’s digital landscape.


Overall, a data protection gap analysis is a proactive step that can help your business stay ahead of potential data breaches and ensure compliance with data protection regulations.

It also provides:

  • Recommendations on mitigating non-compliance risks.
  • Reducing the chance of damage and distress to individuals.
  • Minimising regulatory action against your organisation for a breach of the Act.

Overall, a data protection gap analysis is a proactive tool to help your business protect its sensitive data and comply with data protection regulations.

If you need help to get started on completing an analysis, or would like to have a fresh set of eyes from our team complete it for you, please book a free discovery call here.

Privacy Management – What is all the fuss about?


Privacy management can be a contentious issue. Isn’t it the business’s data when I have it? The data is out there, so why can’t I use it? Why should businesses care about the management of data and privacy?


The Universal Declaration of Human Rights, in 1948, contains one of the earliest statements of an individual’s right to privacy.

That was over 70 years ago, and the rights of an individual in relation to privacy are still being defined and redefined. In 1973 came the first Data Act, in Sweden. The 1998 Data Protection Act in the UK and then, subsequently, the 2018 General Data Protection Regulation (GDPR) led to countries around Europe updating their own data protection laws.

Businesses have adapted and changed in 70 years, especially with the advancement and speed of technology, hence the changes and updates in legislation, especially in relation to information sharing.

Privacy conflict

Businesses need data to run. Many businesses would say that, ideally, they need to gather information to contact prospective clients and use that data as they want within their business. Look at the big tech companies, like Meta, Google and Amazon, who rely on the collection and ‘reusing/distributing’ of data as a fundamental cornerstone of their business. The selling of data can be a considerable income stream.

It is no wonder that businesses, no matter how big or small, have difficulties with privacy; especially when you have to balance the needs of the business with the needs of the individual. The individual has rights!

And there is the conflict. Many businesses argue either that the information is out there or that the person has given it to them, so why can’t they use it the way they want to?

Good data management is good for business. Having everything in place can mean that things run smoother, and more importantly, it can help reduce costs (especially in relation to software).

Whose data is it?

GDPR set out to clarify the importance of privacy and data security. More importantly, it determines who the owner of the data is. The individual owns the data, and not the business. Businesses are, in effect, custodians of the information held by a living person. As a result, they have to follow the principles of the regulations.

  • Lawfulness, Fairness and Transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

In short, that means that businesses need to:

  1. Identify the legal reason for collecting and storing the information AND have a way of informing the individuals.
  2. Ensure individuals’ rights are protected and acted upon.
  3. Only use the information for the purpose it was collected. This means we cannot collect information and then use it for whatever reason we want, regardless of it being in the public domain.
  4. Only collect and store the bare minimum we need for the minimum amount of time we need to store it.
  5. Ensure that the information we keep is accurate and, if not, correct it.
  6. Ensure that the data is not lost or destroyed.
  7. Be able to show compliance with the legislation.

Managing privacy

Saying we are data protection compliant is not enough. Businesses need to prove it. Some key areas to look at are:

  1. Know your data
    • Map out what data you collect, save and keep; for what reason, and where it is.
  2. Only use it for the purpose collected
    • One example of this: networking contacts cannot be added to your email marketing or sent sales emails. They consented for you to have their details; they did not consent for you to add them to your email marketing.
  3. Keep it up-to-date and accurate
    • Account status, contact information, and payment history.
  4. Assess, review, and update
    • Assess what documentation you have and need
    • Review for updates and changes in practice
    • Look at trends in data security
  5. Secure it
    • Ensure that physical material is locked away securely
    • Ensure digital devices are secure and backed-up
  6. Training
    • Train your staff on what data protection is, and on IT security
    • Have policies and processes in place, so they know what to do
  7. Keep records
    • Log incidents and lessons learned
    • Keep records of equipment, software
    • Risk assessments and DPIAs

Sounds complicated?

It doesn’t need to be complicated. Help is at hand. As a data protection specialist, I am here to support and assist with your data protection woes. Why not get in touch?

Five Tips for GDPR


If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking all the different aspects in at once can cause (and probably has caused) everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are the five tips to know about and why they matter.


When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.

Control and rights are both fundamental underpinning principles of GDPR.

How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include:

  • the contact details of the company;
  • if required, the Data Protection Officer;
  • the purpose and lawful bases for processing the data; and
  • the categories of personal data you hold, to name a few.

Mapping your data

Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.

Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.

Reporting breaches

Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.

Data breaches can take many forms, such as:

  • Device loss or theft
  • Phishing scams
  • Hacking
  • Lost or stolen external USB drives

Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.

Reporting breaches of personal data has been mandatory since before the GDPR came into force. It just became more visible, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section for more information about breach reporting.

Knowing your subject’s rights

Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.

Data subjects have some or all of the following rights:

The right to be informed (Including why you are processing their data, how long you intend to retain it and who you might share it with.)

A right of access (Typically referred to as a Subject Access Request or SAR, which must be dealt with in a timely way.)

The right to rectification (If the subject feels their data is incomplete or inaccurate.)

A right to erasure (Also known as the right to be forgotten; for legal reasons this may not always apply.)

The right to restrict processing (In certain circumstances, an individual has the right to allow you to store their data but to stop you using it.)

A right to portability (The right to obtain their data and reuse it for another purpose or service.)

Being accountable

For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. It will also build trust in your business and its services and raise you above the competition.

For help and advice around transparency, avoiding breaches, mapping the data you use, subject’s rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.

Know Your Consultant


As business owners, we are specialists in our own right. But we do not know everything – no matter how much we Google. Sometimes, it is too time-consuming to do it ourselves, too technical or just brain-numbingly boring. That is when we need to look externally for help, either as a long-term solution or as a short burst of guidance using a consultant. But getting that help can be a project in itself. How do you find the perfect fit?
