
GDPR Gap Assessment template

UPDATED with new link to the Gap Assessment Template.

It's hard to believe I'm still talking to companies who are only now getting started on GDPR compliance. In fact, Cisco's 2019 Data Privacy Benchmark Study found that only 59% of the 3,206 organizations they surveyed felt they were largely compliant. Nine percent had not even started their compliance work:
Cisco 2019 Data Privacy Compliance Benchmark Study diagram
There are other companies that are thinking of entering the EU market and are starting down the path of understanding what is required from a GDPR perspective.

If I were starting my GDPR compliance journey, the first thing I would do is a gap assessment. There are many outstanding gap assessment tools available, including:

One thing I dislike about these tools is that they think of an organization as a single entity: What gaps does the ORGANIZATION have? That's great for providing status to the board or senior management, but not great if you are trying to work with individual departments on compliance.

To that end, I've updated a spreadsheet I used for performing a gap assessment in my organization.
The spreadsheet has tabs for different parts of the organization like HR, Sales & Marketing, Product Development and others. Each tab has a set of GDPR compliance questions for different processes in the organization. For example, there's a set of questions around data collected for recruiting and for managing employees.

Now I have a tab in a spreadsheet that I can use when I talk with Human Resources, and another tab when talking to Product Development.

The assessment tabs roll up into an Executive Summary tab, which gives an overview of the total compliance effort.

The spreadsheet can be easily adapted to other organizations. Feel free to edit, change, steal, share, or use this GDPR Gap Assessment spreadsheet for inspiration.


  1. Fabulous resource Mike, thank you so much for sharing.

    1. Thanks Audrey! Hope it makes your job easier!

  2. Thank you Mike. The template will be extremely helpful. Do you also have a template on the GAP Analysis report?

  3. This is a great template, thank you! Do you have anything similar for CCPA, CDPA, or PIPEDA?

  4. Hi Chelsea! I've been wanting to create similar templates but haven't had time. I'll let you know if I do!


  5. Many thanks. Awesome tool!

  6. Mike, this Gap Analysis template will save me hours of work. Not all heroes wear capes. Thank you so much!

