Conducting a Data Protection Maturity and Gap Assessment
Accountability is one of the principles of data protection (Article 5(2) GDPR). It requires the company to take responsibility for what it does with personal data and for how it complies with the other principles, and to be able to demonstrate that compliance: in practice, to implement the necessary procedures and produce the documents that evidence them.
Developing a privacy program is an implementation of the principle of accountability. Essentially, a privacy program is a set of procedures and documents (both internal and external) designed to protect personal data. The program aims to ensure that all aspects of data protection are adhered to, from data collection to data disposal.
Creating and then implementing a privacy program is not a simple task; it is a set of complex activities that require careful consideration and effort. This section outlines the main aspects a company must take into account while developing its privacy program to ensure the secure processing of personal data and compliance with GDPR requirements.
It is essential to understand the nuances of performing maturity (and gap) assessments of a company's operations and the fundamental elements of a privacy program. In this section, you will find:
- a maturity assessment and maturity models in privacy (according to the assessment system proposed by the Commission Nationale de l’Informatique et des Libertés (CNIL));
- a gap assessment (assessment of gaps regarding the processing of personal data under the GDPR);
- data mapping (detailed diagrams of how personal data is collected, stored and processed) as well as privacy controls mapping;
- risk assessments;
- distribution of responsibilities, powers and resources within the company.
Maturity assessment and maturity models in privacy
A maturity model is an assessment framework that lets a company examine how far it has progressed in a particular area of activity. Many such models exist, tailored to different industries and to different subjects, such as business processes or organizational capabilities. Now, let's explore privacy maturity models.
Recently, maturity models have also appeared in the field of privacy, developed by consulting firms or regulatory bodies, such as the model published by the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL notes that the model borrows the maturity levels of international standards such as ISO/IEC 21827 (the Systems Security Engineering Capability Maturity Model). It describes eight actions, each assessed on five levels, all dedicated to safeguarding personal data.
According to CNIL, this model provides a foundation for constructing a strategic action plan to attain the targeted level of maturity in data protection. In essence, the model allows companies to assess their own level of maturity in the field of privacy and determine how to improve data protection management. Based on this self-assessment, the company can develop an action plan to address any identified gaps in the safeguarding of personal data, making strides towards a more robust privacy framework.
At its core, this evaluation model aims to lay the groundwork for fostering a sustainable approach to privacy in line with the accountability principle. Yet, it’s crucial to note, as emphasized by CNIL, that the model isn’t a guarantee of achieving GDPR compliance. Instead, it functions more as a tool for introspection and self-verification in the realm of GDPR and encourages companies to assess themselves, fostering a proactive approach to privacy measures rather than merely ensuring bare minimum compliance.
The assessment by CNIL contains eight main actions and five levels that apply to these eight actions:
1. Defining and implementing data protection procedures.
2. Managing data protection.
3. Carrying out data inventory.
4. Ensuring legal compliance.
5. Training and raising awareness.
6. Processing data subjects' requests.
7. Managing security risks.
8. Managing data breaches.
A company can independently assess its maturity level, step by step, against the levels and actions laid out in the table below. Let's take a real-life scenario: employee training on the protection of personal data.
According to the table, a company that regularly offers training on new technologies and on personal data protection issues reaches the highest (fifth) level for this action. Surveying employees to measure their understanding of personal data protection corresponds to the fourth level. The levels are cumulative: claiming a level assumes that the practices of all lower levels are already in place, so a company that runs surveys but has no regular awareness sessions (level three) has not reached level four. This underscores the importance of ongoing training and employee engagement in data protection practice.
The company has the flexibility to evaluate its maturity level for each activity independently. It can then determine if its personal data protection efforts align with the fifth level across all activities or if there’s a need to reassess and enhance specific areas. This self-assessment empowers the company to highlight strengths and areas for improvement, fostering a proactive approach to refining personal data protection.
Table of levels and actions to assess data protection activities
Action | Level 1: Informal practice | Level 2: Repeatable and consistent practice | Level 3: Defined practice | Level 4: Controlled process | Level 5: Continuously optimized process
Defining and implementing data protection procedures | Some best practices are occasionally implemented (e.g., minimizing collection or erasing data). | Documents relating to data protection (best practices, rules, examples, etc.) are shared; data protection documentation exists. | Procedures are formalized and communicated to all employees. | An annual review of policies and procedures is carried out, and indicators are produced (e.g., on the implementation of the rules). | Policies and procedures are updated whenever a possible improvement is identified.
Managing data protection | Responsibilities relating to data protection are identified within the company. | A person responsible for data protection questions and for interactions with data subjects (letters, etc.) is identified. | A data protection officer is appointed. | The data protection officer provides an annual review of their actions to the company's management. | Resources are regularly allocated to implement the action plans arising from the data protection officer's assessment and to ensure continuous improvement.
Carrying out data inventory | The company is able to identify the processing of personal data that it carries out. | Processing of personal data is identified and/or reported centrally. | A record of processing activities compliant with the GDPR is kept. | The completeness and quality of the record are regularly checked. | The record is a management tool for actions related to personal data processing (e.g., it serves as an inventory, but also as an instrument for comparative risk management and for monitoring action plans).
Ensuring legal compliance | Data subjects are informed at the points where their personal data is collected, such as websites and forms. | Privacy notices are provided for each processing activity, along with fundamental principles and contractual clauses. | Standard clauses for contracts with contractors are formalized and used. Data protection impact assessments are carried out on processing likely to result in a high risk to individuals' rights. | Regular reviews of privacy notices and contractual clauses are scheduled and carried out. Action plans are created and implemented. | Data protection is taken into account from the start of projects, in collaboration with the data protection officer. Possible improvements are regularly studied, and legal and technical monitoring is carried out.
Training and raising awareness | Some employees are aware of data protection. | Employees are trained to identify requests from data subjects and the supervisory authority and to pass them to the person in charge. | Awareness sessions are regularly organized for employees. | Indicators measure, qualitatively and quantitatively, the understanding of data protection topics (e.g., surveys, annual questionnaires). | Training or information sessions on new technologies or data protection issues are regularly offered.
Processing data subjects' requests | Requests are handled case by case. | Templates are created for the requests most often received. | Standard responses to requests to exercise rights and to questions are created and used. The procedure for managing requests to exercise rights is defined and communicated to employees. A contact form is set up on the website and all requests are centralized. | The person in charge of data protection is systematically informed of each request concerning data subjects' rights. Requests to exercise rights are tracked by indicators that appear in the annual report. | The process and tools for managing requests to exercise data subjects' rights are regularly improved.
Managing security risks | Basic security measures are in place (e.g., access authorizations). | Reference frameworks are used to choose and implement security measures (e.g., the CNIL personal data security guide, the internal security policy). | Data protection impact assessments (DPIAs) include an assessment of security risks. Identified risks are the subject of action plans. | The effectiveness and efficiency of action plans are verified, and residual risks are monitored using indicators. | Risk studies and action plans are reviewed annually. Vulnerabilities are actively monitored and corrective actions are taken whenever the information system is affected.
Managing data breaches | Security incidents are reported. Corrective measures are sometimes taken. | Incident management covers personal data breaches. Corrective measures are taken. Communication with the people whose data has been breached is planned. | A formal data breach management procedure is systematically applied, including recording every breach in a dedicated register and creating an action plan to reduce the risk of future breaches. | The application of corrective measures is verified. Data breach monitoring indicators are created and communicated (e.g., in the annual report). | Breaches are regularly reviewed in order to identify and implement measures that improve data security.
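The cumulative nature of the levels is the part of the self-assessment that is easiest to get wrong by hand: a company that ticks the level-four box for an action while level three is missing has not reached level four. The following script, added here as an example and not part of the original page or of the CNIL's material, scores a self-assessment against the eight actions and five levels of the table above and turns the result into a gap list for a chosen target level. The answers in SAMPLE_ANSWERS are constructed illustration data; the action and level names are those of the table.

```python
"""Score a CNIL-style privacy maturity self-assessment (added example).

Each action gets five yes/no answers, one per level of the table. Because
levels are cumulative, the attained level is the highest level for which
every lower level is also satisfied. SAMPLE_ANSWERS is constructed data.
"""

LEVELS = [
    "Informal practice",
    "Repeatable and consistent practice",
    "Defined practice",
    "Controlled process",
    "Continuously optimized process",
]

ACTIONS = [
    "Defining and implementing data protection procedures",
    "Managing data protection",
    "Carrying out data inventory",
    "Ensuring legal compliance",
    "Training and raising awareness",
    "Processing data subjects' requests",
    "Managing security risks",
    "Managing data breaches",
]


def attained_level(answers: list[bool]) -> int:
    """Return the level reached (0 to 5) for one action.

    A practice only counts when every lower level is in place, so
    [True, True, False, True, False] scores 2, not 4.
    """
    if len(answers) != len(LEVELS):
        raise ValueError(f"expected {len(LEVELS)} answers, got {len(answers)}")
    level = 0
    for satisfied in answers:
        if not satisfied:
            break
        level += 1
    return level


def assess(answers_by_action: dict[str, list[bool]], target: int) -> dict[str, dict]:
    """Score every action and list what is still missing up to `target` (1 to 5)."""
    if not 1 <= target <= len(LEVELS):
        raise ValueError("target must be between 1 and 5")
    report = {}
    for action in ACTIONS:
        answers = answers_by_action[action]
        current = attained_level(answers)
        report[action] = {
            "current_level": current,
            # Levels still to reach, in the order they must be achieved.
            "gap_levels": LEVELS[current:target],
            # Practices claimed above the first missing level. They do not
            # count and usually signal an unstable, ad hoc implementation.
            "claimed_above_gap": [
                LEVELS[i] for i in range(current + 1, len(LEVELS)) if answers[i]
            ],
        }
    return report


def weakest_actions(report: dict[str, dict]) -> list[str]:
    """Actions at the lowest level: the natural priority for the action plan."""
    lowest = min(r["current_level"] for r in report.values())
    return [action for action, r in report.items() if r["current_level"] == lowest]


# Constructed sample: strong training, but breach handling that skips level 3.
SAMPLE_ANSWERS = {
    "Defining and implementing data protection procedures": [True, True, True, False, False],
    "Managing data protection": [True, True, True, True, False],
    "Carrying out data inventory": [True, True, True, False, False],
    "Ensuring legal compliance": [True, True, False, False, False],
    "Training and raising awareness": [True, True, True, True, True],
    "Processing data subjects' requests": [True, True, True, False, False],
    "Managing security risks": [True, True, False, False, False],
    "Managing data breaches": [True, True, False, True, False],
}

if __name__ == "__main__":
    report = assess(SAMPLE_ANSWERS, target=4)
    for action, r in report.items():
        print(f"{action}: level {r['current_level']}, missing {r['gap_levels']}")
    print("Start with:", weakest_actions(report))
```

In the sample, "Managing data breaches" scores level 2 despite the level-4 answer, and the report lists "Controlled process" under claimed_above_gap so the reviewer can see the inconsistency rather than silently credit it.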
Assessing what a company lacks in order to comply with the GDPR
Performing a gap assessment can help a company identify areas that require changes or improvements. Typically, a gap assessment report includes an exhaustive list of GDPR requirements relevant to the company, accompanied by actionable recommendations on how the company can align itself with these requirements.
Gap assessment provides the following benefits for a company:
- checking whether GDPR requirements apply to a company;
- assessment of GDPR compliance;
- improving the protection of personal data;
- providing assurance to customers that the company cares about the protection of their data.
Development of a data flow map
A data flow map is a visual representation of how personal data moves through the company; producing it is commonly known as data mapping. It helps to understand the principles that govern the flow of personal data throughout its processing lifecycle.
The result is a guide to the actual processes involved in the processing of personal data. This document describes the general workflows the company follows when working with personal data.
Why does it matter?
To adhere to GDPR regulations, it’s essential to have a clear understanding of who holds control over specific data and the conditions under which this occurs. While there are various approaches to defining this, data flow mapping proves beneficial by distinctly identifying responsible parties in the process.
How does it work?
The company can implement the Personal Data Mapping Procedure, which outlines the principles for constructing a map of personal data movement and describes the legal aspects that must be addressed during the processing of personal data.
For instance, there could be two annexes within the Personal Data Mapping Procedure:
1. Personal Data Capture Form (let’s designate this as Annex A); and
2. Records of Processing Activities (Annex B).
Annex A serves to identify activities requiring further scrutiny, such as instances where consent is necessary but not currently obtained or the collection of personal data falling within special categories of personal data (sensitive data) as defined by GDPR.
Annex B serves to record key details such as the company's role in the processing (whether it acts as a controller or a processor), the contact details of the controller and, where applicable, of the Data Protection Officer (DPO) or the representative. It should also cover the categories of data subjects whose personal data is processed, the purpose of the processing, the period for which personal data is retained, and the technical and organizational measures applied during the processing and transfer of personal data.
The Personal Data Mapping Procedure can be run whenever the company needs to document and understand its use of personal data. It deserves particular attention, however, before any new personal data processing begins.
To create a data flow map, it is necessary to:
1. Understand the data flow. Start from concrete scenarios, such as the transfer of personal data from a company established in the European Union/European Economic Area (EU/EEA) to one established outside the EU/EEA, or the exchange of customer information between an online platform and a payment processing service during an e-commerce transaction.
2. Determine the main elements of the data flow map. The following questions help, although the list is not exhaustive:
- What are the legal basis and the purpose of the processing?
- What data is processed (name, e-mail, address, etc.), and does it include special categories of data or only ordinary personal data?
- In what form is the data stored?
- How does the company collect the data (mail, phone, social media), and how does it share it internally (within the company) and externally (with third parties)?
- Where does the company place and store the data (cloud services, etc.)?
- Who is responsible for the proper storage of the personal data?
- Who has access to the data?
3. Describe the data flow. Before describing the current flow of personal data, also analyse potential future processing scenarios.
Challenges may surface in the following areas:
- defining personal data: personal data can take many forms, and it is not always straightforward to determine precisely what falls under this category;
- determining the purpose and legal basis of the processing: the company must ensure that all legal and contractual obligations are taken into account when creating the data flow map.
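Once the answers to the step-2 questions and the Annex B details exist only in a spreadsheet, the checks that matter (a special category without an Article 9 condition, a recipient outside the EU/EEA without a transfer safeguard, a processor without a contract, a missing retention period) tend to be done by eye. The script below, added here as an example and not code from the original page, encodes each processing activity as an object carrying those fields and runs the checks over it, then emits the edges of the data flow map. The two activities are constructed sample data; the EEA country list and the special categories are those of the GDPR (Article 9(1)), while the field names and finding codes are this example's own.

```python
"""Validate a data flow map / record of processing activities (added example).

Activity and Recipient carry the fields the text lists for Annex B and for
the step-2 questions. check_activity() flags the gaps a reviewer looks for;
flow_edges() produces the arrows of the data flow map. Sample activities
at the bottom are constructed data.
"""
from dataclasses import dataclass, field

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Special categories of personal data, Article 9(1) GDPR.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions", "religious beliefs",
    "philosophical beliefs", "trade union membership", "genetic", "biometric",
    "health", "sex life", "sexual orientation",
}


@dataclass
class Recipient:
    """A party the data flows to: an internal team, a processor or a controller."""
    name: str
    country: str                  # where the recipient is established
    role: str                     # "internal", "processor" or "controller"
    contract: bool = False        # Article 28 contract / standard clauses in place
    transfer_safeguard: str = ""  # Chapter V mechanism, e.g. "adequacy decision", "SCCs"


@dataclass
class Activity:
    name: str
    purpose: str
    legal_basis: str               # Article 6(1) basis, e.g. "consent", "contract"
    data_categories: set[str]
    data_subjects: set[str]
    collection_channels: set[str]  # web form, e-mail, phone, ...
    storage: str                   # where the data is kept
    retention: str
    owner: str                     # who is responsible for proper storage
    art9_condition: str = ""       # Article 9(2) condition, required for special categories
    recipients: list[Recipient] = field(default_factory=list)


def check_activity(a: Activity) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one processing activity."""
    findings = []
    if not a.purpose:
        findings.append(("NO_PURPOSE", a.name))
    if not a.legal_basis:
        findings.append(("NO_LEGAL_BASIS", a.name))
    special = a.data_categories & SPECIAL_CATEGORIES
    if special and not a.art9_condition:
        findings.append(("SPECIAL_CATEGORY_NO_ART9_CONDITION", ", ".join(sorted(special))))
    if not a.retention:
        findings.append(("NO_RETENTION_PERIOD", a.name))
    if not a.owner:
        findings.append(("NO_OWNER", a.name))
    for r in a.recipients:
        if r.role == "processor" and not r.contract:
            findings.append(("PROCESSOR_NO_CONTRACT", r.name))
        # Applies to any recipient outside the EEA, internal group entities included.
        if r.country not in EEA and not r.transfer_safeguard:
            findings.append(("THIRD_COUNTRY_NO_SAFEGUARD", f"{r.name} ({r.country})"))
    return findings


def flow_edges(a: Activity) -> list[tuple[str, str]]:
    """Edges of the data flow map: collection channel -> storage -> recipient."""
    edges = [(channel, a.storage) for channel in sorted(a.collection_channels)]
    edges += [(a.storage, r.name) for r in a.recipients]
    return edges


# Constructed sample activities.
NEWSLETTER = Activity(
    name="Newsletter", purpose="Sending product news to subscribers",
    legal_basis="consent", data_categories={"name", "e-mail"},
    data_subjects={"subscribers"}, collection_channels={"web form"},
    storage="CRM (EU region)", retention="until consent is withdrawn",
    owner="Marketing lead",
    recipients=[Recipient("Mailing provider", "US", "processor",
                          contract=True, transfer_safeguard="SCCs")],
)

OCCUPATIONAL_HEALTH = Activity(
    name="Occupational health records", purpose="Fitness-for-work assessments",
    legal_basis="legal obligation", data_categories={"name", "health"},
    data_subjects={"employees"}, collection_channels={"e-mail", "paper form"},
    storage="HR file share", retention="", owner="HR manager",
    recipients=[Recipient("Insurance broker", "US", "controller")],
)

if __name__ == "__main__":
    for activity in (NEWSLETTER, OCCUPATIONAL_HEALTH):
        print(activity.name, flow_edges(activity))
        for code, detail in check_activity(activity):
            print("  GAP", code, detail)
```

The newsletter passes because the only non-EEA recipient is a processor under contract with a documented transfer mechanism; the health records activity produces three findings, which is exactly the list that feeds the gap assessment and the DPIA decision for that processing.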
Creation of privacy controls map
Mapping privacy controls is an essential step to ensure that the company has considered all GDPR requirements in its data processing operations. To define the concept of “controls,” these are essentially the measures in place to ensure compliance. Control mapping’s primary goal is to establish precise control objectives aligned with GDPR and identify possible gaps.
Assigning responsibilities for executing the privacy program is crucial, and the company can designate a Data Protection Officer (DPO) and/or a privacy manager (internal employees or external contractors can fill these roles) to implement privacy controls and further foster GDPR compliance within the company.
Risk assessment
Any company subject to the GDPR should conduct regular risk assessments to identify risks to the personal data it processes and implement the protective measures those risks require.
Under Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The ISO/IEC 27001 standard (with ISO/IEC 27005 for the risk assessment method itself) is a useful reference for selecting and prioritising risk treatment measures. Such an approach helps the company meet the obligations Article 32 spells out: ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, being able to restore the availability of and access to personal data in a timely manner after an incident, and regularly testing, assessing and evaluating the effectiveness of the measures in place.
Distribution of responsibility, powers and resources
Ensuring a seamless and effective gap assessment process requires a clear distribution of responsibility, powers, and resources within the company. It is essential to highlight the division of duties and responsibilities that may arise, particularly in cases involving joint controllership, where two or more entities jointly determine the purposes and means of personal data processing.
Joint controllers are obligated to outline and mutually agree on their respective responsibilities for GDPR compliance. In essence, they must establish a clear understanding of “who does what” by collaboratively deciding which tasks each party will undertake. This collaborative effort ensures that the processing aligns with the obligations set forth by the GDPR.
Such division of duties should cover the controller’s obligations to comply with general principles of data protection, implementation of security measures, obligations to report data protection violations, conducting data protection impact assessments (if any), involvement of processors, transfer of personal data to third countries, etc.
Responsibilities do not have to be shared equally between joint controllers. The Court of Justice of the European Union (CJEU) has noted that "[…] the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case".
Where obligations cannot be allocated, for example when joint controllers use shared data processing tools or systems, the controllers must still ensure compliance, in particular with the principle of purpose limitation, and take measures to ensure the security of the personal data processed with those shared tools.
The European Data Protection Board (EDPB) recommends documenting the relevant factors and carrying out an internal analysis whenever obligations are allocated differently between joint controllers. Such an internal analysis is itself an application of the accountability principle.
Conclusions
Creating a privacy program tailored to the company’s needs is essential for GDPR compliance. A generic, one-size-fits-all approach will not suffice. To develop the privacy program for your company, consider the recommendations and take into account your own experience and the company’s data processing procedures. This will help you build a successful program that meets GDPR requirements and safeguards the processed data.