GDPR Gap Assessment Tool

Security Classification: [Insert classification]
Version: 1
Dated: dd/mm/yy
Approval: [Name of approver]

Note: this gap assessment must be conducted with reference to a copy of the GDPR.
| Chapter | Section | Article | Paragraph | Requirements and Point | Compliant? | Action required to achieve compliance | Action owner |
|---|---|---|---|---|---|---|---|
| CHAPTER I - General provisions | | Article 1 - Subject-matter and objectives | All | None - informational only | | | |
| | | Article 2 - Material scope | All | Has it been established that the GDPR applies to the personal data processing activities that the organization undertakes? | Yes | | |
| | | Article 3 - Territorial scope | All | Has it been established that the GDPR applies, based on the data subjects whose personal data we process? | Yes | | |
| | | Article 4 - Definitions | All | None - informational only | | | |
| | | | | Total: | 2 | | |
| CHAPTER II - Principles | | Article 5 - Principles relating to processing of personal data | 1a | Are personal data processed lawfully, fairly and transparently? | Yes | | |
| | | | 1b | Are personal data collected for specified, explicit and legitimate purposes? | Yes | | |
| | | | 1c | Are the personal data collected adequate, relevant and limited to what is necessary? | Yes | | |
| | | | 1d | Are personal data accurate and, where necessary, kept up to date? | Yes | | |
| | | | 1e | Are personal data kept for no longer than is necessary? | Yes | | |
| | | | 1f | Are personal data processed in a manner that ensures their appropriate security? | Yes | | |
| | | | 2 | As the controller, can we demonstrate compliance with all principles? | Yes | | |
| | | Article 6 - Lawfulness of processing | 1 | Has the lawful basis for processing of all personal data been established? | Yes | | |
| | | | 2 | None - informational only | | | |
| | | | 3 | None - informational only | | | |
| | | | 4 | For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria? | Yes | | |
| | | Article 7 - Conditions for consent | 1 | Can consent be demonstrated in all cases? | Yes | | |
| | | | 2 | Are all requests for consent clearly distinguishable? | Yes | | |
| | | | 3 | Are facilities for consent withdrawal in place? | Yes | | |
| | | | 4 | Is consent freely given in all cases? | Yes | | |