How do you know if you're doing the right thing?
GDPR is undeniably complex. But management teams still need a simplified aggregate view, with the assurance that they have appropriate controls in place or remediation activities underway.
Company-level Readiness Assessments need to provide senior management with a strategic analysis of the current state, a vision of the target state and a clear path to green. Beneath this, process-level gap analysis and Data Protection Impact Assessments (DPIAs) should use a similar structure, to provide traceability of controls.
There are no recognised industry standards for Readiness Assessments, so the approach must be well structured, with clear linkage to the underlying legislation, and with output that can be easily understood and acted upon.
We suggest that online checklists should be treated with care, as the high-level questions can often be misinterpreted. Using an experienced practitioner to read the relevant business documents and work closely with business teams to understand what they actually do with data is critical for success. It has to be more of an audit than a social media quiz!
Our GDPR Maturity Model Assessment incorporates a series of questions, which are grouped into 6 key segments for a clear view of current state:
Our assessments include analysis of key documents, in advance of workshops where we complete a series of surveys to obtain a complete and consistent view. Our final report includes the maturity rating for key controls, as well as recommended remediation actions and priorities.
The approach has been successfully used with organisations of varying sizes, including a FTSE 100 company, to assess their high-level alignment with current legislation, establish remediation programmes, and monitor improvements.
For organisations looking for greater comfort around their information security controls, we also help organisations obtain Cyber Essentials and ISO 27001 certifications. Both are well recognised by the ICO and the UK government as good practice standards.
The assessment is also used as a core tool in our outsourced Data Protection Officer services to monitor ongoing performance and for assurance deep-dives.
Contact us to discuss the GDPR readiness assessment for your business.