Security Classification: Version: Dated:
GDPR Gap Assessment Tool
[Insert classification] 1 dd/mm/yy [Name of approver]
Approval:
Note: this gap assessment must be conducted with reference to a copy of the GDPR
Chapter
Section
Article
Paragraph Requirements and Point
Compliant?
CHAPTER I - General provisions Article 1 Subject-matter and objectives Article 2 Material scope
All All
Article 3 Territorial scope
All
Article 4 Definitions
All
None - informational only Has it been established that the GDPR applies to the personal data processing activities that the organization undertakes? Has it been established that the GDPR applies, based on the data subjects whose personal data we process? None - informational only Total:
Yes Yes
2
CHAPTER II - Principles Article 5 - Principles relating to processing of personal data
1a
Are personal data processed lawfully, fairly and transparently?
Yes
1b
Are personal data collected for specified, explicit and legitimate purposes? Are the personal data collected adequate, relevant and limited to what is necessary? Are personal data is accurate and, where necessary, kept up to date? Are personal data kept for no longer than is necessary?
Yes
1f
Are personal data processed in a manner that ensures its appropriate security?
Yes
2
As the controller, can we demonstrate compliance with all principles? Has the lawful basis for processing of all personal data been established?
Yes
1c 1d 1e
Article 6 - Lawfulness of processing
Article 7 - Conditions for consent
1
Yes Yes Yes
Yes
2
None - informational only
3
None - informational only
4
For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria?
Yes
1 2 3 4
Can consent be demonstrated in all cases? Are all requests for consent clearly distinguishable? Are facilities for consent withdrawal in place? Is consent freely given in all cases?
Yes Yes Yes Yes
Action required to achieve compliance
Action owner
Gap Assessment Results General Data Protection Regulation
GDPR Chapter and Section
CHAPTER I - General provisions CHAPTER II - Principles CHAPTER III - Section 1 - Transparency and modalities CHAPTER III - Section 2 - Information and access to personal data CHAPTER III - Section 3 - Rectification and erasure CHAPTER III - Section 4 - Right to object and automated individual decision-making CHAPTER III - Section 5 - Restrictions CHAPTER IV - Section 1 - General obligations CHAPTER IV - Section 2 - Security of personal data CHAPTER IV - Section 3 - Data protection impact assessment and prior consultation CHAPTER IV - Section 4 - Data protection officer CHAPTER V - Transfers of personal data Totals
Number of requirements in section
Number of requirements applicable
2 16 6 12 10 9 2 24 13 11 14 9 128
2 16 6 12 10 9 2 24 13 11 14 9 128
Number of % Compliant applicable requirements met
2 16 6 12 10 9 2 24 13 11 14 9 128
100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
Percentage Compliance to the GDPR 100%
Percentage requirements met
90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
GDPR Chapter/Section