Please note: This sample only shows part of the Gap Assessment Tool
VERSION: DATED: APPROVAL:
UK GDPR Gap Assessment Tool Note: this gap assessment must be conducted with reference to a copy of the UK GDPR CHAPTER/SECTION
ARTICLE
CHAPTER I: General Provisions
Article 1 - Subject-matter and objectives Article 2 - Material scope
PARAGRAPH AND POINT REQUIREMENTS All
None - informational only
All
Article 3 - Territorial scope
All
Article 4 - Definitions
All
Has it been established that the UK GDPR applies to the personal data processing activities that the organisation undertakes? Has it been established that the UK GDPR applies, based on the data subjects whose personal data we process? None - informational only
Article 5 - Principles relating to processing of personal data
1a
COMPLIANT? ACTION REQUIRED TO ACHIEVE COMPLIANCE
Totals:
CHAPTER II: Principles
Are the personal data collected adequate, relevant and limited to what is necessary?
Yes
1d
Are personal data is accurate and, where necessary, kept up to date? Are personal data kept for no longer than is necessary? Are personal data processed in a manner that ensures its appropriate security? As the controller, can we demonstrate compliance with all principles? Has the lawful basis for processing of all personal data been established? [Not included in UK GDPR] None - informational only For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria? Can consent be demonstrated in all cases?
Yes
Are all requests for consent clearly distinguishable? Are facilities for consent withdrawal in place? Is consent freely given in all cases? For children, has consent been given by the holder of parental responsibility in all cases?
Yes
Is all processing of special categories of personal data clearly justified? None - informational only
Yes
Have processing cases where the data subject cannot be identified, been defined?
Yes
2 1 2 3 4
1 2 3
Article 8 - Conditions applicable to child's consent in relation to information society services Article 9 - Processing of special categories of personal data Article 10 - Processing of personal data relating to criminal convictions and offences Article 11 - Processing which does not require identification
2
1c
1f
Article 7 - Conditions for consent
Yes
Yes
1e
Article 6 - Lawfulness of processing
Yes
Are personal data processed lawfully, fairly and transparently? Are personal data collected for specified, explicit and legitimate purposes?
1b
4 All
All All
All
1 dd/mm/yyyy [Name of approver]
Totals:
Yes
Yes Yes Yes Yes
Yes
Yes
Yes Yes Yes
16
ACTION OWNER