
Mind the Gap Analysis

In the final weeks and months leading up to the arrival of GDPR, a number of nervous businesses were sold on the idea of commissioning a gap analysis or gap assessment by their agencies and consultants.

These were (often cheap and cheerful) assessments of the organisation's current level of compliance with GDPR. The idea was that they would catalogue the processing activities that Article 30 of the regulation requires an organisation to record, and help it identify and prioritise the key areas it had to address to meet the deadline.

It all seemed very tempting: companies would find out their weak spots, save money, comply with GDPR fast and keep the regulator happy.

One moment in time

However, these gap assessments all share the same fatal flaw: they are static, fixed at a single point in time. They tell a time-stamped story about the state of a company's personal-data processing and privacy controls on the day they were carried out, and that information goes out of date very quickly.

It may have been fine for 25 May 2018, when GDPR became enforceable, but a gap analysis created for that deadline cannot be relied on in the longer term. The picture it drew becomes more obsolete every day.

For example, in the event of a data breach, relying on a previous or historical assessment may not identify every data subject affected. Nor will a historical assessment give you a real-time view of every data store that could hold data subjects' personal information, which is exactly what you need when the 72-hour notification clock is running.

Personal data is dynamic

The key issue is the ever-changing nature of personal data. Businesses' systems and processes are constantly being updated, and the data they collect and collate is equally dynamic: new fields are added, new suppliers are onboarded, and data is copied into systems nobody thought to list. No static gap analysis can allow an organisation to fully understand its data privacy obligations a year from now, let alone five or ten years from now.

Gap assessments also push organisations towards a reactive and potentially more expensive approach: a process designed to collate and deliver the evidence the regulator will require if it ever asks for it, rather than one that keeps the organisation in control of its data day to day.

But you are not in business with the regulator, you are in business with your customers. A system designed to keep their personal data safe and its handling completely transparent, in a world of privacy by design, will also keep the regulator satisfied as a matter of course.

You need dynamic data mapping

Businesses should be looking to take a step beyond the point-in-time GDPR compliance that gap assessments helped them achieve. They instead need a system that puts privacy in the business's DNA: one that future-proofs the organisation's privacy credentials and ensures that Personal Data Governance is at the core of everything it does.

A key element of this is dynamic data mapping, where the picture of the organisation's records, data stores and processing activities is kept current as the business changes, rather than being redrawn only when the next assessment is commissioned.

We have been working with a number of companies to move them past the simple, static approach to GDPR compliance derived from gap analysis and towards a deeper and more holistic view of Personal Data Governance. To find out more, contact us on +44 (0)20 3582 5055.
