GDPR Gap Assessment v1.0


GDPR Gap Assessment Instructions

1 Complete the "Background" and "Privacy Program" tabs.
2 Change the titles in cell A2 (area of the organization) to your liking in each of the "Assessment" tabs. The "Executive Summary" tab will automatically be updated.
3 Change the subarea or process listed in cells C3 and 5C to your liking. The "Executive Summary" tab will automatically be updated.
4 Start an assessment and answer the questions.
5 Progress in each area will be reflected in the "Executive Summary" tab.

Feel free to edit, change, steal, share, or use this assessment spreadsheet for inspiration.
Mike Muha
https://www.mikemuha.com
GDPR Gap Assessment
Background
Provide enough information so that a Data Protection Officer gets a general idea of what your
organization does and what kind of processing takes place.

Scope
Company name
Affiliate 1
Affiliate 2

Products
Briefly describe the products that process personal information

Workforce
Describe your workforce (number of employees, locations, if you use contractors)

Overview of processing activities that use personal information

Overview 2 Confidential
GDPR Gap Assessment
Executive Summary

Area | Subarea / process | Progress | Unanswered questions
As an Organization
Governance | Privacy Program | 0% | 17
As Controller
Human Resource | Recruiting data | 0% | 89
Human Resource | Employee data | 0% | 89
Sales & Marketing | Leads, Opportunities | 0% | 89
Sales & Marketing | Customers | |
Finance & Accounting | Travel and Expenses | 0% | 89
Finance & Accounting | Payroll | 0% | 89
As Processor
Products | Prod 1 | 0% | 89
Products | Prod 2 | 0% | 89
Services | Global Services | 0% | 89
Services | Global Support | 0% | 89
GDPR Gap Assessment
Privacy Program

Section 2 - Security of personal data


Article 33 - Notification of a personal data breach to the supervisory authority (75, 85, 87, 88)
1 As controller: Do we have a breach notification procedure in place? -Select-
2 As processor: Do we have a breach notification procedure in place? -Select-
3 Do we record and track breaches? -Select-
Article 34 - Communication of a personal data breach to the data subject (75, 86, 87, 88)
1 Can we notify data subjects without undue delay of a breach that is likely to result in a high risk to the individual? -Select-

Section 3 - Data protection impact assessment and prior consultation


Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Do we have a process for performing DPIAs in place? -Select-
2 Do we seek the advice of the DPO around DPIAs? -Select-

Section 4 - Data protection officer


Article 37 - Designation of the data protection officer (97)
1 Are we required to have a DPO and if so, do we have one? -Select-
2 DPO's contact details are published -Select-
3 Supervisory Authority has DPO contact details -Select-
Article 38 - Position of the data protection officer (97)
Do the DPO's reporting arrangements meet these requirements?
1 Independence -Select-
2 Direct access to top management -Select-
3 Adequately resourced -Select-
4 Competent (knowledge of the GDPR) -Select-
5 Informed (and up-to-date with current developments) -Select-
6 Knowledgeable about cyber security -Select-



7 Does the DPO's level of responsibility match the scope of the privacy compliance framework (PCF)? -Select-
Article 39 - Tasks of the data protection officer (97)
1 Awareness-raising and training of staff involved in processing operations -Select-

Percent Compliant: 0%
Number of unanswered questions: 17



GDPR Gap Assessment
Human Resource
Recruiting data | Recruiting comments / evidence | Employee data | Employee comments / evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via the website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is personal data collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited to what is necessary? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it kept only as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawful basis for each processing activity? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent as easily as it was given? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject ( 58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-

4 If needed, do we have a process to request proof of identity? -Select- -Select-
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
… contact details for the controller or the controller's representative? -Select- -Select-
2 … contact details of the data protection officer (if any)? -Select- -Select-
3 … the purposes of processing (the reason for collecting the data)? -Select- -Select-
4 … the legal basis for processing? -Select- -Select-
5 … if applicable, the legitimate interest we invoke? -Select- -Select-
6 … a description of the purposes for which collected personal information, including sensitive information, will be used? -Select- -Select-
7 … the recipients or categories of recipients? -Select- -Select-
8 … a description of the types of personal information, including sensitive information, collected from individuals? -Select- -Select-
9 … whether personal information will be transferred to a third country or international organization, and whether a legitimate transfer mechanism is in place? -Select- -Select-
10 … a way to obtain a copy of the safeguards for such transfers? -Select- -Select-
11 … the retention period for the information? -Select- -Select-
12 … where appropriate, the rights of access, rectification, erasure, restriction of processing, objection, and data portability? -Select- -Select-
13 … if applicable, the right to withdraw consent? -Select- -Select-
14 … the right to lodge a complaint with the Supervisory Authority? -Select- -Select-
15 … whether providing the information is a statutory or contractual requirement, and the consequences of not providing it? -Select- -Select-
16 … a description of any automated decision-making, including profiling, along with the logic involved and the consequences for the individual? -Select- -Select-
17 If we decide to further process the data for new purposes, do we have a mechanism to inform the individual beforehand? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month of obtaining the data (or at the first communication with them, if earlier)? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
… the purpose of processing? -Select- -Select-
2 … the categories of personal data we hold? -Select- -Select-
3 … the recipients of that data? -Select- -Select-
4 … the retention period? -Select- -Select-
5 … their privacy rights? -Select- -Select-
6 … their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 … the source of the data if indirectly collected? -Select- -Select-
8 … if data is transferred to another country, the safeguards that are in place? -Select- -Select-

9 …a copy of their personal data in electronic format -Select- -Select-
Section 3 - Rectification and erasure
Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data, and have we documented them? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify third parties to whom the data was disclosed about the individual's request to rectify, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in a structured, machine-readable format if processing is based on consent (or on a contract)… -Select- -Select-
2 … and the processing is carried out by automated means? -Select- -Select-
3 Can we transmit that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to processing based on our legitimate interests or a public-interest task, including profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can obtain human intervention, express their point of view, and contest a decision based solely on automated processing (including where the decision is necessary for a contract with us or is based on their explicit consent) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We build data protection measures in both when we determine the means of processing and during the processing itself -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)
1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures and to protect the rights of individuals? -Select- -Select-
2 As processor…
… do we have the controller's prior written authorisation (specific or general) and give written notice before engaging or changing a sub-processor? -Select- -Select-
3 … do we have a contract with the controller governing the processing? -Select- -Select-
4 … do we only process according to the contract and the controller's documented instructions? -Select- -Select-
5 … does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 … do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (74, 75, 76, 77, 83)
1 We employ pseudonymisation and encryption of personal data where appropriate -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability of and access to personal data in a timely manner after a physical or technical incident -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating the effectiveness of security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed one? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation of prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Articles 44-49 - General principle for transfers (101, 102)
1 All transfers to third countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89



GDPR Gap Assessment
Sales & Marketing
Leads, Opportunities | Leads, Opportunities comments / evidence | Customers | Customer comments / evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via the website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is personal data collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited to what is necessary? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it kept only as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawful basis for each processing activity? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent as easily as it was given? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject ( 58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-

4 If needed, do we have a process to request proof of identity? -Select- -Select-
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
… contact details for the controller or the controller's representative? -Select- -Select-
2 … contact details of the data protection officer (if any)? -Select- -Select-
3 … the purposes of processing (the reason for collecting the data)? -Select- -Select-
4 … the legal basis for processing? -Select- -Select-
5 … if applicable, the legitimate interest we invoke? -Select- -Select-
6 … a description of the purposes for which collected personal information, including sensitive information, will be used? -Select- -Select-
7 … the recipients or categories of recipients? -Select- -Select-
8 … a description of the types of personal information, including sensitive information, collected from individuals? -Select- -Select-
9 … whether personal information will be transferred to a third country or international organization, and whether a legitimate transfer mechanism is in place? -Select- -Select-
10 … a way to obtain a copy of the safeguards for such transfers? -Select- -Select-
11 … the retention period for the information? -Select- -Select-
12 … where appropriate, the rights of access, rectification, erasure, restriction of processing, objection, and data portability? -Select- -Select-
13 … if applicable, the right to withdraw consent? -Select- -Select-
14 … the right to lodge a complaint with the Supervisory Authority? -Select- -Select-
15 … whether providing the information is a statutory or contractual requirement, and the consequences of not providing it? -Select- -Select-
16 … a description of any automated decision-making, including profiling, along with the logic involved and the consequences for the individual? -Select- -Select-
17 If we decide to further process the data for new purposes, do we have a mechanism to inform the individual beforehand? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month of obtaining the data (or at the first communication with them, if earlier)? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
… the purpose of processing? -Select- -Select-
2 … the categories of personal data we hold? -Select- -Select-
3 … the recipients of that data? -Select- -Select-
4 … the retention period? -Select- -Select-
5 … their privacy rights? -Select- -Select-
6 … their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 … the source of the data if indirectly collected? -Select- -Select-
8 … if data is transferred to another country, the safeguards that are in place? -Select- -Select-

9 …a copy of their personal data in electronic format -Select- -Select-
Section 3 - Rectification and erasure
Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data, and have we documented them? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify third parties to whom the data was disclosed about the individual's request to rectify, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in a structured, machine-readable format if processing is based on consent (or on a contract)… -Select- -Select-
2 … and the processing is carried out by automated means? -Select- -Select-
3 Can we transmit that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to processing based on our legitimate interests or a public-interest task, including profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can obtain human intervention, express their point of view, and contest a decision based solely on automated processing (including where the decision is necessary for a contract with us or is based on their explicit consent) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We build data protection measures in both when we determine the means of processing and during the processing itself -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)
1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures and to protect the rights of individuals? -Select- -Select-
2 As processor…
… do we have the controller's prior written authorisation (specific or general) and give written notice before engaging or changing a sub-processor? -Select- -Select-
3 … do we have a contract with the controller governing the processing? -Select- -Select-
4 … do we only process according to the contract and the controller's documented instructions? -Select- -Select-
5 … does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 … do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (74, 75, 76, 77, 83)
1 We employ pseudonymisation and encryption of personal data where appropriate -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability of and access to personal data in a timely manner after a physical or technical incident -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating the effectiveness of security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed one? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation of prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Articles 44-49 - General principle for transfers (101, 102)
1 All transfers to third countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89



GDPR Gap Assessment
Finance & Accounting
Travel and Expenses | Travel and Expenses comments / evidence | Payroll | Payroll comments and evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via the website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is personal data collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited to what is necessary? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it kept only as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawful basis for each processing activity? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent as easily as it was given? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject ( 58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-

4 If needed, do we have a process to request proof of identity? -Select- -Select-
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
... contact details for the controller or the controller's representative? -Select- -Select-

2 … contact details of the data protection officer (if any) -Select- -Select-
3 … purposes of processing (reason for collection of data) -Select- -Select-
4 … the legal basis for processing -Select- -Select-
5 … if applicable, the legitimate interest we invoke -Select- -Select-
6 ...describe the purposes for which collected personal information, including
sensitive information, will be used? -Select- -Select-
7 … the recipient or categories of recipients? -Select- -Select-
8 ...describe the types of personal information, including sensitive information,
collected from individuals? -Select- -Select-
9 …if personal information will be transferred to a third country or
international organization and whether there is a legitimate transfer -Select- -Select-
mechanism in place?

10 ..a way to obtain of copy a copy of safeguards -Select- -Select-


11 …the retention period for the information -Select- -Select-
12 …where appropriate, the right of access, rectification, erasure, restriction of
processing, right to object, and right to data portability? -Select- -Select-

13 … if applicable, the right to revoke consent -Select- -Select-


14 … the right to lodge a complaint with the Supervisory Authority -Select- -Select-
15 … if the right information is required by statute or contractual obligation, and
consequences for not providing -Select- -Select-
16 …a description of any automated decision-making, including profiling, along
with logic involved and consequences for the individual -Select- -Select-

17 If we decide to do further processing of the data for new purposes, do we


have a mechanism to inform the individual? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice
regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month and in the first
communication? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
…the purpose of processing? -Select- -Select-
2 …categories at personal data we have? -Select- -Select-
3 …recipients of that data? -Select- -Select-
4 …the retention period? -Select- -Select-
5 ...their privacy rights? -Select- -Select-
6 …their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 …the source of data if indirectly collected? -Select- -Select-
8 …if data is transferred to another country, the safeguards that are in place? -Select- -Select-
9 …a copy of their personal data in electronic format -Select- -Select-

Finance Assessment 15 Confidential

Travel and Expenses Travel and Expenses comments / evidence Payroll Payroll comments and evidence
Section 3 - Rectification and erasure
Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify 3rd parties about the individual's request to update, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in machine-readable format if…
…processing is based on consent? -Select- -Select-
2 …processing is carried out by automated means? -Select- -Select-
3 Can we transfer that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to automated processing and profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can require human intervention around automated processing (unless in the performance of a contract with the controller) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We design data protection measures when we determine the means for processing and during processing -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)

1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and to protect the rights of individuals? -Select- -Select-

2 As processor…
…do we provide written notice before engaging a sub-processor? -Select- -Select-
3 …do we have a contract with the processor around processing? -Select- -Select-
4 …do we only process according to the contract? -Select- -Select-
5 …does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 …do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (83, 74, 75, 76, 77)
1 We employ pseudonymisation and encryption of personal data -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability and access to personal data in a timely manner -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed a DPIA? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation around prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk. -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44-49 - General principle for transfers (101, 102)


1 All transfers to 3rd countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89



GDPR Gap Assessment
Products
Prod 1 Prod 1 comments / evidence Prod 2 Prod 2 comments / evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is it collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it only kept as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawfulness of processing? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent easily? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-
4 If needed, do we have a process to request proof of identity? -Select- -Select-

Product Assessment 18 Confidential


Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
... contact details for the controller or the controller's representative? -Select- -Select-

2 … contact details of the data protection officer (if any) -Select- -Select-
3 … purposes of processing (reason for collection of data) -Select- -Select-
4 … the legal basis for processing -Select- -Select-
5 … if applicable, the legitimate interest we invoke -Select- -Select-
6 … describe the purposes for which collected personal information, including sensitive information, will be used? -Select- -Select-
7 … the recipient or categories of recipients? -Select- -Select-
8 … describe the types of personal information, including sensitive information, collected from individuals? -Select- -Select-
9 … if personal information will be transferred to a third country or international organization and whether there is a legitimate transfer mechanism in place? -Select- -Select-
10 … a way to obtain a copy of the safeguards? -Select- -Select-
11 … the retention period for the information -Select- -Select-
12 … where appropriate, the right of access, rectification, erasure, restriction of processing, right to object, and right to data portability? -Select- -Select-
13 … if applicable, the right to revoke consent -Select- -Select-
14 … the right to lodge a complaint with the Supervisory Authority -Select- -Select-
15 … whether providing the information is required by statute or contractual obligation, and the consequences of not providing it -Select- -Select-
16 … a description of any automated decision-making, including profiling, along with the logic involved and the consequences for the individual -Select- -Select-
17 If we decide to do further processing of the data for new purposes, do we have a mechanism to inform the individual? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month and in the first communication? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
…the purpose of processing? -Select- -Select-
2 …categories of personal data we have? -Select- -Select-
3 …recipients of that data? -Select- -Select-
4 …the retention period? -Select- -Select-
5 …their privacy rights? -Select- -Select-
6 …their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 …the source of data if indirectly collected? -Select- -Select-
8 …if data is transferred to another country, the safeguards that are in place? -Select- -Select-
9 …a copy of their personal data in electronic format -Select- -Select-
Section 3 - Rectification and erasure

Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify 3rd parties about the individual's request to update, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in machine-readable format if…
…processing is based on consent? -Select- -Select-
2 …processing is carried out by automated means? -Select- -Select-
3 Can we transfer that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to automated processing and profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can require human intervention around automated processing (unless in the performance of a contract with the controller) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We design data protection measures when we determine the means for processing and during processing -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)
1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and to protect the rights of individuals? -Select- -Select-

2 As processor…
…do we provide written notice before engaging a sub-processor? -Select- -Select-

3 …do we have a contract with the processor around processing? -Select- -Select-
4 …do we only process according to the contract? -Select- -Select-
5 …does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 …do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (83, 74, 75, 76, 77)
1 We employ pseudonymisation and encryption of personal data -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability and access to personal data in a timely manner -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed a DPIA? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation around prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk. -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44-49 - General principle for transfers (101, 102)


1 All transfers to 3rd countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89



GDPR Gap Assessment
Services
Global Services Global Services comments / evidence Global Support Global Support comments / evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is it collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it only kept as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawfulness of processing? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent easily? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-
4 If needed, do we have a process to request proof of identity? -Select- -Select-

Services Assessment 22 Confidential


Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
... contact details for the controller or the controller's representative? -Select- -Select-

2 … contact details of the data protection officer (if any) -Select- -Select-
3 … purposes of processing (reason for collection of data) -Select- -Select-
4 … the legal basis for processing -Select- -Select-
5 … if applicable, the legitimate interest we invoke -Select- -Select-
6 … describe the purposes for which collected personal information, including sensitive information, will be used? -Select- -Select-
7 … the recipient or categories of recipients? -Select- -Select-
8 … describe the types of personal information, including sensitive information, collected from individuals? -Select- -Select-
9 … if personal information will be transferred to a third country or international organization and whether there is a legitimate transfer mechanism in place? -Select- -Select-
10 … a way to obtain a copy of the safeguards? -Select- -Select-
11 … the retention period for the information -Select- -Select-
12 … where appropriate, the right of access, rectification, erasure, restriction of processing, right to object, and right to data portability? -Select- -Select-
13 … if applicable, the right to revoke consent -Select- -Select-
14 … the right to lodge a complaint with the Supervisory Authority -Select- -Select-
15 … whether providing the information is required by statute or contractual obligation, and the consequences of not providing it -Select- -Select-
16 … a description of any automated decision-making, including profiling, along with the logic involved and the consequences for the individual -Select- -Select-
17 If we decide to do further processing of the data for new purposes, do we have a mechanism to inform the individual? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month and in the first communication? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
…the purpose of processing? -Select- -Select-
2 …categories of personal data we have? -Select- -Select-
3 …recipients of that data? -Select- -Select-
4 …the retention period? -Select- -Select-
5 …their privacy rights? -Select- -Select-
6 …their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 …the source of data if indirectly collected? -Select- -Select-
8 …if data is transferred to another country, the safeguards that are in place? -Select- -Select-
9 …a copy of their personal data in electronic format -Select- -Select-
Section 3 - Rectification and erasure

Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify 3rd parties about the individual's request to update, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in machine-readable format if…
…processing is based on consent? -Select- -Select-
2 …processing is carried out by automated means? -Select- -Select-
3 Can we transfer that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to automated processing and profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can require human intervention around automated processing (unless in the performance of a contract with the controller) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We design data protection measures when we determine the means for processing and during processing -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)
1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and to protect the rights of individuals? -Select- -Select-

2 As processor…
…do we provide written notice before engaging a sub-processor? -Select- -Select-

3 …do we have a contract with the processor around processing? -Select- -Select-
4 …do we only process according to the contract? -Select- -Select-
5 …does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 …do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (83, 74, 75, 76, 77)
1 We employ pseudonymisation and encryption of personal data -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability and access to personal data in a timely manner -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed a DPIA? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation around prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk. -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44-49 - General principle for transfers (101, 102)


1 All transfers to 3rd countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89



GDPR Gap Assessment
xxx personal information
xxx xxx comments / evidence
CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data (39)


1 Is personal data processed lawfully, fairly and transparently? -Select- -Select-
2 Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via website homepage or app store listing)? -Select- -Select-
3 Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? -Select- -Select-
4 Is the Privacy Notice written in plain language so that it is easily understood by individuals? -Select- -Select-
5 Is it collected for specified, explicit and legitimate purposes? -Select- -Select-
6 Is it adequate, relevant and limited? -Select- -Select-
7 Is it accurate and kept up to date? -Select- -Select-
8 Is it only kept as long as necessary? -Select- -Select-
9 Is it processed in a secure manner? -Select- -Select-
10 Can we demonstrate compliance with the above? -Select- -Select-
Article 6 - Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
1 Have we determined the lawfulness of processing? -Select- -Select-
Article 7 - Conditions for consent (32, 33, 42, 43)
1 Can we demonstrate consent (i.e., do we log consent)? -Select- -Select-
2 Is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)? -Select- -Select-
3 Can the individual withdraw consent easily? -Select- -Select-
Article 8 - Conditions applicable to child's consent in relation to information society services (38)
1 Do we provide information society services to children? -Select- -Select-
2 Do we collect personal information directly from children? -Select- -Select-
Article 9 - Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
1 Do we process any special categories of personal data? -Select- -Select-
2 Do we have a legal basis for processing those special categories? -Select- -Select-
Article 10 - Processing of personal data relating to criminal convictions and offences
1 Do we process data relating to criminal convictions and offences? -Select- -Select-
2 Do we have a legal basis for processing criminal data? -Select- -Select-
Article 11 - Processing which does not require identification (57) -Select- -Select-

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59)
1 Do we have a documented subject access request process in place? -Select- -Select-
2 Can we show that we respond to SARs without undue delay? -Select- -Select-
3 Do we provide requested information for free? -Select- -Select-
4 If needed, do we have a process to request proof of identity? -Select- -Select-

TEMPLATE 26 Confidential
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject (60, 61, 62)
1 Does the Privacy Notice provide…
... contact details for the controller or the controller's representative? -Select- -Select-

2 … contact details of the data protection officer (if any) -Select- -Select-
3 … purposes of processing (reason for collection of data) -Select- -Select-
4 … the legal basis for processing -Select- -Select-
5 … if applicable, the legitimate interest we invoke -Select- -Select-
6 ...describe the purposes for which collected personal information, including
sensitive information, will be used? -Select- -Select-
7 … the recipient or categories of recipients? -Select- -Select-
8 … describe the types of personal information, including sensitive information, collected from individuals? -Select- -Select-
9 … if personal information will be transferred to a third country or international organization, and whether there is a legitimate transfer mechanism in place? -Select- -Select-

10 … a way to obtain a copy of the safeguards -Select- -Select-


11 …the retention period for the information -Select- -Select-
12 … where appropriate, the right of access, rectification, erasure, restriction of processing, right to object, and right to data portability? -Select- -Select-

13 … if applicable, the right to revoke consent -Select- -Select-


14 … the right to lodge a complaint with the Supervisory Authority -Select- -Select-
15 … whether providing the information is required by statute or contractual obligation, and the consequences of not providing it -Select- -Select-
16 … a description of any automated decision-making, including profiling, along with the logic involved and the consequences for the individual -Select- -Select-

17 If we decide to do further processing of the data for new purposes, do we have a mechanism to inform the individual? -Select- -Select-
18 Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies? -Select- -Select-
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Do we provide notice to individuals within one month and in the first communication? -Select- -Select-
Article 15 - Right of access by the data subject (63, 64)
1 Can we provide to the individual…
…the purpose of processing? -Select- -Select-
2 … categories of personal data we have? -Select- -Select-
3 …recipients of that data? -Select- -Select-
4 …the retention period? -Select- -Select-
5 ...their privacy rights? -Select- -Select-
6 …their right to lodge a complaint with the Supervisory Authority? -Select- -Select-
7 …the source of data if indirectly collected? -Select- -Select-
8 … if data is transferred to another country, the safeguards that are in place? -Select- -Select-
9 …a copy of their personal data in electronic format -Select- -Select-
Section 3 - Rectification and erasure

Article 16 - Right to rectification (65)
1 Can we or the individual correct inaccurate data? -Select- -Select-
Article 17 - Right to erasure ('right to be forgotten') (65, 66)
1 Is there a way to "forget" an individual in cases where the right to erasure can be invoked? -Select- -Select-
2 Are there legal compliance obligations that prevent us from erasing data? -Select- -Select-
Article 18 - Right to restriction of processing (67)
1 Can we restrict processing of data if it is inaccurate or if we have unlawfully collected it? -Select- -Select-
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 Can we notify 3rd parties about the individual's request to update, erase, or restrict processing of data? -Select- -Select-
Article 20 - Right to data portability (68)
1 Can we provide a copy of the individual's data in machine-readable format if…
… processing is based on consent? -Select- -Select-

2 …processing is carried out by automated means? -Select- -Select-


3 Can we transfer that data directly to another controller? -Select- -Select-
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object (69, 70)
1 The individual can object to automated processing and profiling -Select- -Select-
2 The individual can object to direct marketing -Select- -Select-
Article 22 - Automated individual decision-making, including profiling (71, 72)
1 The individual can require human intervention around automated processing (unless in the performance of a contract with the controller) -Select- -Select-

CHAPTER IV - Controller and processor

Section 1 - General obligations


Article 24 - Responsibility of the controller (74, 75, 76, 77, 83)
1 We have appropriate technical & organizational measures in place -Select- -Select-
2 We can demonstrate that processing complies with the GDPR -Select- -Select-
Article 25 - Data protection by design and by default (78)
1 We design data protection measures when we determine the means for processing and during processing -Select- -Select-
2 Do we have measures in place to ensure we only collect necessary data specific to the processing purpose? -Select- -Select-
Article 26 - Joint controllers (79) -Select- -Select-
Article 27 - Representatives of controllers or processors not established in the Union (80) -Select- -Select-
Article 28 - Processor (81)
1 As Controller: Do we only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and to protect the rights of individuals? -Select- -Select-

2 As processor…
…do we provide written notice before engaging a sub-processor? -Select- -Select-

3 …do we have a contract with the processor around processing? -Select- -Select-
4 …do we only process according to the contract? -Select- -Select-
5 … does our contract with sub-processors set out the same obligations we have with the controller? -Select- -Select-
6 … do we adhere to an approved code of conduct or certification mechanism? -Select- -Select-
Article 29 - Processing under the authority of the controller or processor -Select- -Select-
Article 30 - Records of processing activities (13, 39, 82)
1 As Controller: we maintain a record of processing activities -Select- -Select-
2 As Processor: we maintain a record of processing activities -Select- -Select-

Section 2 - Security of personal data


Article 32 - Security of processing (83, 74, 75, 76, 77)
1 We employ pseudonymisation and encryption of personal data -Select- -Select-
2 We ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services -Select- -Select-
3 We can restore the availability of and access to personal data in a timely manner -Select- -Select-
4 We have a process for regularly testing, assessing and evaluating security controls -Select- -Select-
5 We perform risk management around processing activities -Select- -Select-
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
1 Are we required to perform a DPIA and, if so, have we performed a DPIA? -Select- -Select-
Article 36 - Prior consultation (94, 95, 96)
1 We have documentation around prior consultation with the Supervisory Authority for processing that would result in a high risk in the absence of measures taken by the controller to mitigate the risk -Select- -Select-

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44-49 - General principle for transfers (101, 102)


1 All transfers to 3rd countries have been verified for compliance -Select- -Select-
2 A process is in place to ensure new transfers are compliant -Select- -Select-
3 A record of compliance is maintained -Select- -Select-

Percent Compliant: 0% 0%
Number of unanswered questions: 89 89
