Law and Internet Foundation provides consulting services and assistance in drafting a comprehensive legal analysis of whether an organization's personal data processing activities comply with the requirements of the GDPR.

The analysis comprises a thorough study of the organization's data processing activities and their current level of GDPR compliance; it identifies the risks associated with those activities and makes recommendations for bringing them into line with the requirements of the Regulation.

For the purpose of carrying out a legal analysis of compliance, the following activities are carried out:

1. Audit and research of the overall personal data processing activities in the organization:

  • review and analysis of the legal framework (laws and secondary legislation) – relevant to public bodies or sectors for which the entire legal framework must be examined;
  • research of internal documents and registers;
  • identifying, grouping and analyzing the organization's competences;
  • research of the actual processes and practices related to the processing of personal data;
  • collecting survey information.

2. Legal analysis (gap analysis) of the collected information to examine compliance with the requirements of the GDPR, with a focus on:

  • conducting interviews, focus groups and/or observations;
  • the categories of personal data which are processed and the categories of data subjects whose data are processed;
  • the legal grounds for the processing of personal data;
  • the means of processing personal data (automated or non-automated);
  • the ways in which the processing of personal data is assigned to persons inside and outside the organization, and the scope of the parties' obligations in relation to such processing;
  • the principles relating to the processing of personal data;
  • the need to ensure that the rights of individuals with regard to the processing of their personal data are observed, including by adopting internal procedures for considering and responding to requests by individuals to exercise their rights;
  • the obligations to document and prove the existence of valid informed consent for the processing of personal data;
  • the requirements under Art. 13 and 14 GDPR that individuals be informed about the processing of their personal data;
  • the technical and organizational data protection measures which have been taken and the internal documents reflecting these measures;
  • the obligation under Art. 30 GDPR to keep records of processing activities;
  • the need to regulate relations involving the transfer of personal data to third parties, including contractors/suppliers/partners (controller-to-controller relations) and subcontractors and external service providers (controller-to-processor relations);
  • the obligation to respond to a personal data breach;
  • the transfer of data to recipients in non-EU countries and the obligations associated with such transfers;
  • the obligation to designate a Data Protection Officer (DPO).