GDPR AUDIT - GDPR GAP ANALYSIS COST | DATA PROTECTION PEOPLE
We offer a range of high level GDPR Audits & GDPR Gap Analysis to test compliance with data protection laws and standards. Contact us today.
OVERVIEW OF GDPR AUDIT AND GAP ANALYSIS
What is a GDPR Audit?
A GDPR audit is a structured review of an organisation's data protection practices, policies, systems, and processes. Its primary aim is to assess the level of compliance with GDPR requirements and ensure that all personal data is processed lawfully, transparently, and securely.
The audit typically examines:
Data governance structures
Legal bases for processing personal data
Record-keeping practices
Security measures and breach response protocols
Procedures for managing data subject rights
Training and awareness programs
What is a GDPR Gap Analysis?
A GDPR gap analysis is a targeted assessment designed to identify specific areas where an organisation falls short of GDPR compliance. Unlike a full audit, which provides a comprehensive compliance picture, a gap analysis focuses on highlighting deficiencies and risks that need immediate attention.
Key elements include:
Mapping existing data processing activities
Evaluating current policies and procedures
Comparing actual practices to GDPR requirements
Recommending remediation actions
Why Conduct an Audit or Gap Analysis?
Conducting a GDPR audit or gap analysis helps organizations:
Understand their current compliance status
Minimize the risk of data breaches and regulatory fines
Prioritize areas requiring urgent improvement
Demonstrate accountability to stakeholders and regulators
Build trust with customers, clients, and partners
SCOPE OF A GDPR GAP ANALYSIS
The scope of a GDPR gap analysis typically covers the following key areas:
1. Data Mapping and Inventory
Identification of all personal data your organisation collects, stores, processes, and shares
Classification of data by type, sensitivity, source, and storage location
Mapping data flows across departments, systems, third parties, and jurisdictions
2. Legal Basis for Processing
Reviewing how lawful bases (e.g. consent, contractual necessity, legitimate interest) are determined and recorded
Assessing whether current processing activities meet the requirements of the lawful basis claimed
Ensuring appropriate consent mechanisms and documentation are in place
3. Data Subject Rights
Evaluation of policies and procedures for managing data subject access requests (DSARs)
Review of how rights such as rectification, erasure, objection, restriction, and data portability are facilitated
Assessment of response times, tracking, and staff training in handling requests
4. Policies and Procedures
Examination of data protection policies, privacy notices, retention policies, and internal procedures
Assessment of version control, accessibility, and staff awareness
Ensuring documentation reflects actual practices and GDPR requirements
5. Risk Management and DPIAs
Review of how Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing
Identification and prioritisation of data protection risks
Evaluation of mitigation strategies and incident response planning
6. Security and Breach Management
Assessment of technical and organisational measures for data security
Review of breach detection, reporting, and investigation processes
Evaluation of staff awareness and breach response readiness
7. Third-Party Processors and Data Sharing
Review of contracts with processors and data-sharing agreements
Evaluation of due diligence processes for selecting and monitoring third-party vendors
Ensuring proper safeguards are in place for international data transfers
8. Governance and Accountability
Examination of roles and responsibilities (e.g. Data Protection Officer, senior management oversight)
Evaluation of training programs, audit trails, and evidence of compliance
Assessment of how accountability is demonstrated throughout the organisation
DELIVERABLES AND REPORTING
Below are the typical deliverables included in a GDPR gap analysis report:
1. Executive Summary
High-level overview of findings, risks, and recommended next steps
Summary of compliance status across core GDPR areas
Designed for senior management and board-level stakeholders
2. Detailed Gap Analysis Report
In-depth assessment of your organisation's current GDPR posture
Section-by-section breakdown aligned with GDPR articles and principles
Clear identification of compliance gaps and associated risks
3. Risk Register
Tabulated record of identified risks with severity ratings (e.g. high, medium, low)
Explanation of risk impact and likelihood
Helps prioritise remediation efforts based on risk exposure
4. Action Plan and Recommendations
Practical, step-by-step guidance to close identified gaps
Assignable actions with suggested timeframes and resource requirements
Structured roadmap to full compliance
5. Data Processing Inventory (if applicable)
Structured record of personal data assets, processing activities, and data flows
Categorisation by data type, lawful basis, retention schedule, and location
Supports Article 30 Records of Processing Activities (RoPA) requirements
6. Policy and Document Review Summary
Audit of key GDPR-related policies such as privacy notices, data retention, and breach procedures
Comments on compliance adequacy and suggestions for revision or development
May include draft policy templates or improvement suggestions
7. Staff Awareness and Training Insights
Review of training materials and awareness levels across the organisation
Recommendations for closing knowledge or procedural gaps
Optional inclusion of training support or e-learning tools
8. Optional Presentation or Debrief Session
Interactive session with stakeholders to present findings and next steps
Opportunity for Q&A, clarification, and strategic planning
Supports organisation-wide understanding of data protection responsibilities
CONTACT US
0113 869 1290
The Tannery, 91 Kirkstall Rd, Leeds, LS3 1HS United Kingdom
https://dataprotectionpeople.com/service/gdpr-audits/
info@dataprotectionpeople.com