

ISO27701 Gap Assessment Tool
This Excel sheet must be removed from the final version of the document.
Design
This spreadsheet has been designed using CertiKit's colour scheme. To choose a different colour scheme, go to the Page Layout ribbon, select Themes and choose a different style.
Purpose of this document
This document should be used to assess the level of conformity of an organization against the ISO/IEC 27701 standard. It may be used by a consultant on behalf of a client or by an organization directly.
Areas of the standard addressed
All areas of the ISO/IEC 27701 standard and the EU and UK GDPR are covered.
General guidance
This tool allows you to perform a gap assessment against the ISO27701 standard and against the EU and UK versions of the GDPR. The questions asked are based on the contents of the relevant standard or regulation and are designed to give a reasonable assessment of the degree to which the relevant requirements are met. In all cases a "Yes" answer is taken as a positive indication. The results are summarised in a series of tables and in a selection of charts, organized by standard or regulation.
If you would prefer to assess your conformity directly against the exact requirements of the ISO27701 standard, CertiKit offers a separate chargeable product, the CertiKit ISO27701 Enhanced Gap Assessment Tool which lists the requirements from the standard, word for word, line by line. Because this second option contains the full text from the standard, it is subject to a licensing agreement that CertiKit maintains with the ISO via BSI. The ISO27701 Enhanced Gap Assessment Tool is available for purchase from our website.
Review frequency
It is a good idea to revisit this assessment on a regular basis throughout your project to obtain an indication of progress and as a final check prior to an external audit.
Toolkit version number
ISO/IEC 27701 Toolkit Version 2
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Assessment Details
Security classification
Standard assessed
Date(s) of assessment
Location of assessment
Assessor
Assessment participants
Purpose of assessment
Scope of assessment

Privacy Information Management System Privacy Information management: Requirements
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the privacy information management system
Has the organization defined whether it is a PII controller and/or processor?
Have external and internal factors relevant to the PIMS been identified?
Has the list of interested parties been defined?
Is the processing of PII included in the scope of the PIMS?
4.4 Privacy information management system Is a PIMS in place?
5 Leadership
5.1 Leadership and commitment
5.2 Privacy policy
Does top management demonstrate leadership and commitment to the PIMS by providing resources and communicating effectively? (see list in the standard)
Is a documented privacy policy in place?
Does it set objectives for the PIMS?
Does it commit the organization to satisfying requirements and continually improving the PIMS?
Is it adequately communicated?
5.3 Roles, responsibilities and authorities Are roles, responsibilities and authorities for the PIMS defined?
6 Planning
6.1 Actions to address risks and opportunities
General
Does the plan for the PIMS take into account the relevant issues and requirements?
Are all of the relevant risks and opportunities determined?
Are actions planned to address the identified risks and opportunities?
Is a documented information privacy risk assessment process defined and applied?
Is it clear when risk assessments should be carried out?
Has a risk assessment been carried out?
Have risk owners been identified?
Have risks been analysed, evaluated and prioritised for treatment?
6.1.3 Privacy risk treatment
Is there a documented privacy risk treatment process?
Have appropriate risk treatment options been selected for each risk that exceeds the risk acceptance criteria?
Have necessary controls been selected for each risk that requires treatment?
Has a Statement of Applicability been created?
Is there a plan to implement the identified treatments?
Has the risk treatment plan been approved by risk owners?
6.2 Privacy objectives and planning to achieve them
Have measurable privacy objectives been established and communicated?
Is there a plan to achieve the defined privacy objectives?
6.3 Planning of changes
Is there a process to cater for the planning of expected and unexpected changes to the PIMS?
Totals: 17
7 Support
7.1 Resources Are PIMS resources determined and provided?
7.2 Competence
Are all of the relevant people sufficiently competent to perform their roles?
Where necessary, is action taken to improve competence and are records kept?
7.3 Awareness Are all relevant people aware of the privacy policy and the importance of good privacy?
7.4 Communication Is effective internal and external communication in place?
7.5 Documented information
General Is all of the documented information required by the standard in place?
7.5.2 Creating and updating documented information Are standards used for documentation such as titles, references, format, review and approval?
7.5.3 Control of documented information Is the lifecycle of documented information controlled, including that from outside the organization?
8 Operation
8.1 Operational planning and control
Are planned changes controlled and the consequences of unplanned changes mitigated?
Are outsourced processes identified and controlled?
8.2 Privacy risk assessment Are documented risk assessments carried out at planned intervals and when significant change happens?
8.3 Privacy risk treatment Is the privacy risk treatment plan being implemented and results documented?
9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
Is it clearly defined what needs to be monitored and measured to determine the effectiveness of the PIMS?
Are the methods for monitoring, measurement, analysis and evaluation clearly defined and the results documented?
9.2 Internal audit
Are appropriate internal audits being carried out by suitably qualified and impartial people?
Are the audit results being communicated to management so that action can be taken?
9.3 Management review
Are documented management reviews being held regularly?
Are all of the topics listed in the standard covered in each management review?
Totals: 6
10 Improvement
10.1 Continual improvement
Is the PIMS being continually improved?
10.2 Nonconformity and corrective action Are nonconformities being identified, documented and addressed?
Totals: 2
Annex A - Table A.1 - Control objectives and controls for PII controllers
A.1.2 Conditions for collection and processing
A.1.2.2 Identify and document purpose Have all of the PII and the purposes of processing it been documented?
A.1.2.3 Identify lawful basis Does all of the processing have an identified lawful basis?
A.1.2.4 Determine when and how consent is to be obtained Is it clear how the obtaining of consent will be done and recorded?
A.1.2.5 Obtain and record consent Are the procedures for consent followed?
A.1.2.6 Privacy impact assessment Are privacy impact assessments carried out where required?
A.1.2.7 Contracts with PII processors Are compliant contracts in place with all PII processors?
A.1.2.8 Joint PII controller Has it been agreed with joint controllers who will do what?
A.1.2.9 Records related to processing PII Is it clear what records must be kept and are they maintained?
Totals:
A.1.3 Obligations to PII principals
A.1.3.2 Determining and fulfilling obligations to PII principals Are the rights of the PII principals understood and can they be met?
A.1.3.3 Determining information for PII principals Are clear privacy policies in place?
A.1.3.4 Providing information to PII principals Are clear privacy policies communicated to PII principals?
A.1.3.5 Providing mechanism to modify or withdraw consent Can a PII principal withdraw consent easily? Yes
A.1.3.6 Providing mechanism to object to PII processing Can a PII principal object to processing easily? Yes
A.1.3.7 Access, correction and/or erasure Can a PII principal access, correct or erase their PII easily?
A.1.3.8 PII controllers' obligations to inform third parties Is good communication in place with processors about situations where PII principals exercise their rights?
A.1.3.9 Providing copy of PII processed Can a copy of the PII be provided when requested?
A.1.3.10 Handling requests Is there a process in place for requests from PII principals?
A.1.3.11 Automated decision making Is it clear where automated decision-making is used? Yes
Totals: 10
A.1.4 Privacy by design and privacy by default
A.1.4.2 Limit collection Is PII collection appropriately limited?
A.1.4.3 Limit processing Is PII processing limited to that required to achieve the purpose?
A.1.4.4 Accuracy and quality Are adequate efforts made to ensure the accuracy of PII? Yes
A.1.4.5 PII minimization objectives Are controls in place to minimize the amount of PII used? Yes
A.1.4.6 PII de-identification and deletion at the end of processing When no longer used, is PII deleted or deidentified? Yes
A.1.4.7 Temporary files Are temporary files containing PII deleted promptly?
A.1.4.8 Retention Are effective retention policies in place? Yes
A.1.4.9 Disposal Is PII disposed of appropriately when no longer required? Yes
A.1.4.10 PII transmission controls When PII is transferred across a network, is it adequately protected? Yes
Totals: 9
A.1.5 PII sharing, transfer, and disclosure
A.1.5.2 Identify basis for PII transfer between jurisdictions Are all international transfers of PII legal? Yes
A.1.5.3 Countries and international organizations to which PII can be transferred Is there a list of countries to which PII may be transferred? Yes
A.1.5.4 Records of transfer of PII Are records of transfers kept? Yes
A.1.5.5 Records of PII disclosure to third parties Are records kept of disclosures of PII to third parties? Yes
Totals: 4
Annex A - Table A.2 - Control objectives and controls for PII processors
A.2.2 Conditions for collection and processing
A.2.2.2 Customer agreement Does the contract with the controller cover how the processor will assist the controller in meeting their obligations? Yes
A.2.2.3 Organization’s purposes Is processing always restricted to that requested by the controller? Yes
A.2.2.4 Marketing and advertising use If the processed PII is also used for marketing, is prior consent from the PII principal always established? Yes
A.2.2.5 Infringing instruction Is the controller told if a request is thought to be unlawful? Yes
A.2.2.6 Customer obligations Is the customer always given enough information to be able to comply with their obligations?
A.2.2.7 Records related to processing PII Are appropriate records kept of processing?
A.2.3 Obligations to PII principals
A.2.3.2 Comply with obligations to PII principals Are methods made available to the controller to allow them to meet their obligations e.g. to the PII principal? Yes
Totals: 1
A.2.4 Privacy by design and privacy by default
A.2.4.2 Temporary files Are temporary files containing PII deleted promptly?
A.2.4.3 Return, transfer or disposal of PII Is PII returned, transferred or disposed of securely?
A.2.4.4 PII transmission controls When PII is transferred across a network, is it adequately protected? Yes
Totals: 3
A.2.5 PII sharing, transfer, and disclosure
A.2.5.2 Basis for PII transfer between jurisdictions Is the controller kept informed of international transfers of PII and given the chance to object? Yes
A.2.5.3 Countries and international organizations to which PII can be transferred Is there a list of countries to which PII may be transferred? Yes
A.2.5.4 Records of PII disclosure to third parties Are records kept of disclosures of PII to third parties? Yes
A.2.5.5 Notification of PII disclosure requests Is the controller told when PII is disclosed to third parties? Yes
A.2.5.6 Legally binding PII disclosures Are only legally binding or authorised disclosures made?
A.2.5.7 Disclosure of subcontractors used to process PII Is the controller told of sub-contractors used? Yes
A.2.5.8 Engagement of a subcontractor to process PII Are only agreed sub-contractors used? Yes
A.2.5.9 Change of subcontractor to process PII Is the controller told of changes to subcontractors used, and given a chance to object? Yes
Totals: 8
Annex A - Table A.3 - Control objectives and controls for PII controllers and PII processors
A.3 Security considerations for PII controllers and processors
A.3.3 Policies for information security An appropriate set of information security policies has been approved and communicated, and reviews happen when required.
A.3.4 Information security roles and responsibilities Everyone knows what their information security roles and responsibilities are.
A.3.5 Classification of information An information classification scheme is in effect and is being used in all areas within scope.
A.3.6 Labelling of information Everyone knows how to label information appropriately according to the classification scheme.
A.3.7 Information transfer Ways in which information must be transferred, both internally and externally, are defined.
A.3.8 Identity management Appropriate methods are used to establish the identity of the person or system making a request, for example to access information.
A.3.9 Access rights Access rights to assets are assigned according to a documented policy.
A.3.10 Addressing information security within supplier agreements The ways in which the organization will interface with suppliers from an information security point of view are agreed.
A.3.11 Information security incident management planning and preparation There are defined procedures for incident management and everyone involved knows about them.
A.3.12 Response to information security incidents When they happen, incidents are responded to effectively according to the documented procedures.
A.3.13 Legal, statutory, regulatory and contractual requirements The relevant requirements are known and are taken into account when implementing information security procedures and controls.
A.3.14 Protection of records Processes are in place to protect records throughout their lifecycle.
A.3.15 Independent review of information security The approach to information security is independently reviewed on a regular basis to identify improvements.
A.3.16 Compliance with policies, rules and standards for information security Management regularly checks that information security rules and controls are correctly followed by everyone.
A.3.17 Information security awareness, education and training Awareness, education and training are conducted to make sure everyone has the skills to maintain information security.
A.3.18 Confidentiality or non-disclosure agreements Agreements are documented and signed when protected information is shared.
A.3.19 Clear desk and clear screen Devices and sensitive paper documents are protected from prying eyes.
A.3.20 Storage media Storage media are managed throughout their lifecycle and appropriately protected, for example using encryption.
A.3.21 Secure disposal or re-use of equipment There is a procedure in place to ensure that storage media are wiped and software licenses reclaimed when devices are disposed of.
A.3.22 User endpoint devices There is a policy setting out how endpoint devices must be protected and all relevant personnel are aware of its contents.
A.3.23 Secure authentication Multi-factor authentication (MFA) is used where possible and appropriate to protect information.
A.3.24 Information backup Appropriate backups are taken according to a documented policy and are regularly tested.
A.3.25 Logging Logs are kept and protected that record activities on information systems for analysis and investigation.
A.3.26 Use of cryptography Approved ways to use cryptography are defined and implemented.
A.3.27 Secure development life cycle Software and systems are developed in a secure way according to established rules.
A.3.28 Application security requirements The security of applications is designed and evaluated as part of system development or acquisition.
A.3.29 Secure system architecture and engineering principles A set of principles has been defined for the security of the overall architecture of the organization's systems and services.
A.3.30 Outsourced development Appropriate control is exercised over the security of software developed by external third parties.
A.3.31 Test information Test data is chosen carefully and with due regard to the protection of sensitive information.
Totals:

Assessment

EU GDPR Gap Assessment Tool
Note: this gap assessment must be conducted with reference to a copy of the EU GDPR
CHAPTER I: General Provisions
Article 1 - Subject-matter and objectives None - informational only
Article 2 - Material scope Has it been established that the GDPR applies to the personal data processing activities that the organisation undertakes?
Article 3 - Territorial scope All Has it been established that the GDPR applies, based on the data subjects whose personal data we process?
Article 4 - Definitions None - informational only
CHAPTER II: Principles
Article 5 - Principles relating to processing of personal data
Are personal data processed lawfully, fairly and transparently?
Are personal data collected for specified, explicit and legitimate purposes?
Are the personal data collected adequate, relevant and limited to what is necessary?
Are personal data accurate and, where necessary, kept up to date?
Are personal data kept for no longer than is necessary?
Are personal data processed in a manner that ensures its appropriate security?
As the controller, can we demonstrate compliance with all principles?
Article 6 - Lawfulness of processing 1 Has the lawful basis for processing of all personal data been established?
2 None - informational only
3 None - informational only
For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria?
Article 7 - Conditions for consent
Can consent be demonstrated in all cases?
Are all requests for consent clearly distinguishable?
Are facilities for consent withdrawal in place?
Is consent freely given in all cases?
Article 8 - Conditions applicable to child's consent in relation to information society services For children, has consent been given by the holder of parental responsibility in all cases?
Article 9 - Processing of special categories of personal data Is all processing of special categories of personal data clearly justified?
Article 10 - Processing of personal data relating to criminal convictions and offences All None - informational only
Article 11 - Processing which does not require identification Have processing cases where the data subject cannot be identified been defined?
CHAPTER III: Rights of the data subject
Section 1: Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
1 Is all information provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and in the required formats?
2 Is the exercise of data subject rights facilitated as required?
3 Are the required timeframes for responding to data subject requests met?
4 Are the required timeframes met for informing the data subject where action is not taken?
5 Are clear criteria defined for charging for manifestly unfounded or excessive requests?
6 Are procedures in place for confirming the identity of the requester?
7 None - informational only
8 None - informational only
Totals: 6
Section 2: Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject
1 Is all of the required information provided to the data subject at the point where personal data are obtained?
2 Is all of the required additional information provided to the data subject at the point where personal data are obtained?
3 Is information provided to data subjects about further processing for additional purposes when required?
4 Is it clearly defined in which cases a data subject will already have the required information?
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Is all of the required information provided to the data subject in cases where personal data is not obtained directly from them?
2 Is all of the required additional information provided to the data subject in cases where personal data is not obtained directly from them?
3 Is the required information provided to the data subject according to the timescales required?
4 Is information provided to data subjects about further processing for additional purposes when required?
5 Is it clearly defined in which cases the required information does not need to be provided?
Article 15 - Right of access by the data subject 1 Are procedures in place for responding to data subject access requests and providing the required information?
2 Is information regarding international transfers available to the data subject where appropriate?
3 Are procedures in place to provide copies of the personal data and in the correct form?
4 None - informational only
Section 3: Rectification and erasure
Article 16 - Right to rectification Are procedures in place to rectify inaccurate personal data and to have incomplete personal data completed?
Article 17 - Right to erasure ('right to be forgotten') 1 Are procedures in place to erase personal data without undue delay when a data subject requests it on legitimate grounds?
2 Are procedures in place to inform other controllers of erasure requests, where appropriate?
3 Is it clearly defined under what circumstances erasure requests will be accepted or denied?
Article 18 - Right to restriction of processing 1 Are procedures in place to restrict processing when a data subject requests it on legitimate grounds?
2 Are procedures in place to obtain data subject consent before processing that has been restricted is performed?
3 Are data subjects informed before relevant restrictions of processing are lifted?
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing Are procedures in place to communicate rectification or erasure of personal data or restriction of processing to relevant third parties?
Article 20 - Right to data portability
Are facilities in place to provide the data subject's personal data on request in a structured, commonly used and machine-readable format?
2 Are facilities in place to transmit the data subject's personal data to another controller?
3 None - informational only
4 None - informational only
Section 4: Right to object and automated individual decision-making
Article 21 - Right to object 1 Are procedures in place to receive, assess and comply with objections to processing of personal data?
2 Are procedures in place to receive objections to processing related to direct marketing specifically?
3 Are procedures in place to comply with objections to processing related to direct marketing?
4 Is the right to object explicitly brought to the attention of the data subject, at the latest at the time of the first communication?
5 None - informational only
6 Is it clear which processing (if any) is in the public interest?
Article 22 - Automated individual decision-making, including profiling
Is it clear which processing involves automated decision making, including profiling?
2 Is the basis of any automated decision making clear?
3 Are procedures in place to allow human intervention and obtain the views of the data subject with regard to automated decision making?
4 Have decisions that use special categories of personal data been identified and suitable safeguarding measures put in place?
Section 5: Restrictions
Article 23 - Restrictions
1 Is it known to what extent Union or Member State law restricts the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, and the relevant parts of Article 5?
2 Are the specifics of any restrictions of Union or Member State law clearly known, defined and understood?
CHAPTER IV: Controller and processor
Section 1: General obligations
Article 24 - Responsibility of the controller
Are appropriate technical and organisational measures in place to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR?
1 Are these measures reviewed and updated where necessary?
2 Are appropriate data protection policies implemented?
3 None - informational only
Article 25 - Data protection by design and by default 1 Are appropriate technical and organisational measures implemented in order to meet the requirements of this Regulation and protect the rights of data subjects?
2 Are only personal data which are necessary for each specific purpose of the processing processed?
3 None - informational only
Article 26 - Joint controllers
1 Are all Joint Controller instances identified and the relative responsibilities defined and agreed?
2 Does each joint controller arrangement duly reflect the respective roles and relationships and is the essence of the arrangement made available to the data subject?
3 None - informational only
Article 27 - Representatives of controllers or processors not established in the Union
1 If the controller or processor is not established in the European Union, has a representative in the Union been designated in writing?
2 Has it been established whether or not paragraph 1 of this article applies?
3 Is the representative in one of the member states where the data subjects are?
4 Has the representative been mandated by the controller or processor to be addressed by the supervisory authority and data subjects?
5 None - informational only
Article 28 - Processor 1 Have sufficient guarantees been obtained from processors to implement appropriate technical and organisational measures in accordance with the GDPR?
2 Has it been made clear to processors that no other processors shall be engaged without the written authorisation of the controller?
3 Are binding contracts in place with all processors, that meet the requirements of the GDPR as stated in Article 28 para 3 points a to h?
4 Where a processor engages another processor, are the same data protection obligations imposed?
5 None - informational only
6 Has the inclusion of standard contractual clauses been considered and, if appropriate, implemented?
7 None - informational only
8 None - informational only
9 Are the relevant contracts in writing?
10 None - informational only
Article 29 - Processing under the authority of the controller or processor
All Has it been made clear to all parties that processing of personal data must only take place under the authority of the controller?
Article 30 - Records of processing activities 1 If required, are the required records of processing maintained by the controller?
2 If required, are the required records of categories of processing activities maintained by the processor?
3 If required, are the records in writing?
4 If required, are the records available to the supervisory authority on request?
5 Has it been established whether the obligations to maintain records apply?
Article 31 - Cooperation with the supervisory authority All Do the controller and processor cooperate with the supervisory authority on request?
Section 2: Security of personal data
Article 32 - Security of processing 1 Are appropriate technical and organisational measures implemented, to ensure a level of security appropriate to the risk to personal data?
2 Is due consideration made of the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed?
3 Have available approved codes of conduct been considered and, if appropriate, implemented?
4 Are controls in place to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller?
Article 33 - Notification of a personal data breach to the supervisory authority
1 Are procedures in place to inform the supervisory authority of a notifiable personal data breach within the timeframe laid out in the GDPR?
2 Is it clear to the processor that they must notify the controller of a personal data breach without undue delay?
3 Are procedures in place to ensure that the notification of a personal data breach to the supervisory authority includes all of the required information?
4 Do notification procedures allow for the further provision of information in phases?
5 Are personal data breaches documented?
Article 34 - Communication of a personal data breach to the data subject 1 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, are procedures in place to communicate the personal data breach to the data subject without undue delay?
2 Are communications to the data subject in clear and plain language, and do they include the required information?
3 Are procedures in place to assess whether communication to the data subject is required?
4 Do procedures allow for communication to the data subject being required by the supervisory authority?
Section 3: Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment
1 Are data protection impact assessments carried out where required?
2 If designated, is the advice of the data protection officer sought when carrying out a data protection impact assessment?
3 Are data protection impact assessments carried out in the cases listed in points a to c?
4 Has the list of processing operations which require a data protection impact assessment, published by the supervisory authority, been reviewed, if available?
5 Has the list of processing operations which do not require a data protection impact assessment, published by the supervisory authority, been reviewed, if available?
6 None - informational only
7 Do data protection impact assessments contain all of the required information?
8 None - informational only
9 Are the views of data subjects or their representatives on the intended processing sought, where appropriate?
10 Have any cases where a data protection impact assessment is not required due to Union or Member State law been determined?
11 Are reviews carried out to confirm that processing is in accordance with the data protection impact assessment, including when the risk of the processing changes?
Article 36 - Prior consultation
1 Is the supervisory authority consulted in cases of high risk processing?
2 None - informational only
3 Is the required information provided when consulting with the supervisory authority?
4 None - informational only
5 None - informational only
Section 4: Data protection officer
Article 37 - Designation of the data protection officer
1 Has it been established whether a data protection officer is required and, if one is required, has one been designated?
2 If required, has a data protection officer been appointed for a group of undertakings?
3 If a public authority or body, has a data protection officer been appointed for several authorities or bodies?
4 None - informational only
5 Does the designated data protection officer possess the required professional qualities and expert knowledge of data protection law, and are they able to fulfil the required tasks?
6 Has it been decided whether to appoint internally or use a service contract?
7 Have the contact details of the data protection officer been published and communicated to the supervisory authority?
Article 38 - Position of the data protection officer
1 Is the data protection officer involved, properly and in a timely manner, in all issues which relate to the protection of personal data?
2 Is the data protection officer provided with the resources needed to carry out the required tasks, with access to personal data and processing operations, and with the means to maintain his or her expert knowledge?
3 Is the data protection officer independent and free from undue influence, and does he or she report to the highest level of management?
4 Is the data protection officer available to be contacted by data subjects?
5 Does the data protection officer understand that he or she is bound by secrecy or confidentiality concerning the performance of his or her tasks?
6 Have any conflicts of interest arising from other duties of the data protection officer been resolved?
Article 39 - Tasks of the data protection officer
1 Has the data protection officer been assigned the required minimum tasks?
2 Does the data protection officer have due regard to the risk associated with processing operations in the performance of his or her tasks?
Article 41 - Monitoring of approved codes of conduct
Article 42 - Certification
None - informational only
Article 43 - Certification bodies
CHAPTER V: Transfers of personal data to third countries or international organisations
Article 44 - General principle for transfers
Are the provisions of Chapter V applied to all transfers of personal data to a third country or to an international organisation?
Article 45 - Transfers on the basis of an adequacy decision
1 Have those transfers which do not require specific authorisation been identified?
2 None - informational only
3 None - informational only
4 None - informational only
5 None - informational only
6 None - informational only
7 None - informational only
8 None - informational only
9 None - informational only
Article 46 - Transfers subject to appropriate safeguards
1 Are all transfers of personal data subject to appropriate safeguards, and are they performed on condition that enforceable data subject rights and effective legal remedies for data subjects are available within the receiving country or international organisation?
2 Has it been identified which of the appropriate safeguards in the list in point 2 a to f, if any, apply to each transfer?
3 Has it been identified which of the appropriate safeguards in the list in point 3 a to b, if any, apply to each transfer?
4 None - informational only
5 None - informational only
Article 47 - Binding corporate rules
1 Have any binding corporate rules used for transfers of personal data been approved by the supervisory authority?
2 Do the binding corporate rules include the information required in point 2 a to n?
3 None - informational only
Article 48 - Transfers or disclosures not authorised by Union law
All None - informational only
Article 49 - Derogations for specific situations
1 Has it been established if any of the derogations for specific situations apply to current or planned transfers of personal data?
2 None - informational only
3 None - informational only
4 None - informational only
5 None - informational only
6 For transfers that are not based on specific provisions of the GDPR, has the controller or processor documented the required assessment as well as the suitable safeguards in place?
Article 50 - International cooperation for the protection of personal data
All None - informational only
CHAPTER VI: Independent supervisory authorities
Section 1: Independent status
Article 51 - Supervisory authority
None - informational only
Article 52 - Independence
None - informational only
Article 53 - General conditions for the members of the supervisory authority
None - informational only
Article 54 - Rules on the establishment of the supervisory authority All None - informational only
Section 2: Competence, tasks and powers Article 55 - Competence All None - informational only
Article 56 - Competence of the lead supervisory authority All None - informational only
Article 57 - Tasks
None - informational only
Article 58 - Powers All None - informational only
Article 59 - Activity reports
CHAPTER VII: Cooperation and consistency
Section 1: Cooperation
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned
None - informational only
Article 61 - Mutual assistance
None - informational only
Article 62 - Joint operations of supervisory authorities
None - informational only
Section 2: Consistency
Article 63 - Consistency mechanism
None - informational only
Article 64 - Opinion of the Board All None - informational only
Article 65 - Dispute resolution by the Board All None - informational only
Article 66 - Urgency procedure All None - informational only
Article 67 - Exchange of information All None - informational only
Section 3: European data protection board
Article 68 - European Data Protection Board
None - informational only
Article 69 - Independence
None - informational only
Article 70 - Tasks of the Board
None - informational only
Article 71 - Reports All None - informational only
Article 72 - Procedure All None - informational only
Article 73 - Chair All None - informational only
Article 74 - Tasks of the Chair All None - informational only
Article 75 - Secretariat All None - informational only
Article 76 - Confidentiality All None - informational only
CHAPTER VIII: Remedies, liability and penalties
Article 77 - Right to lodge a complaint with a supervisory authority
None - informational only
Article 78 - Right to an effective judicial remedy against a supervisory authority
None - informational only
Article 79 - Right to an effective judicial remedy against a controller or processor
None - informational only
Article 80 - Representation of data subjects
None - informational only
Article 81 - Suspension of proceedings
None - informational only
Article 82 - Right to compensation and liability
Article 83 - General conditions for imposing administrative fines
Article 84 - Penalties
CHAPTER IX: Provisions relating to specific processing situations
Article 85 - Processing and freedom of expression and information
Article 86 - Processing and public access to official documents
Article 87 - Processing of the national identification number
Article 88 - Processing in the context of employment
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90 - Obligations of secrecy
Article 91 - Existing data protection rules of churches and religious associations
CHAPTER X: Delegated acts and implementing acts
Article 92 - Exercise of the delegation
Article 93 - Committee procedure
CHAPTER XI: Final provisions
Article 94 - Repeal of Directive 95/46/EC
Article 95 - Relationship with Directive 2002/58/EC
Article 96 - Relationship with previously concluded Agreements
Article 97 - Commission reports
Article 98 - Review of other Union legal acts on data protection
Article 99 - Entry into force and application
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only
None - informational only


UK GDPR Gap Assessment Tool
Note: this gap assessment must be conducted with reference to a copy of the UK GDPR
CHAPTER I: General Provisions
Article 1 - Subject-matter and objectives
None - informational only
Article 2 - Material scope
Has it been established that the UK GDPR applies to the personal data processing activities that the organisation undertakes?
Article 3 - Territorial scope
Has it been established that the UK GDPR applies, based on the data subjects whose personal data we process?
Article 4 - Definitions
None - informational only
CHAPTER II: Principles
Article 5 - Principles relating to processing of personal data
1a Are personal data processed lawfully, fairly and transparently?
1b Are personal data collected for specified, explicit and legitimate purposes?
1c Are the personal data collected adequate, relevant and limited to what is necessary?
1d Are personal data accurate and, where necessary, kept up to date?
1e Are personal data kept for no longer than is necessary?
1f Are personal data processed in a manner that ensures their appropriate security?
2 As the controller, can we demonstrate compliance with all principles?
Article 6 - Lawfulness of processing
1 Has the lawful basis for processing of all personal data been established?
2 [Not included in UK GDPR]
3 None - informational only
4 For additional processing, has compatibility with the initial purpose been established in compliance with the required criteria?
Article 7 - Conditions for consent
1 Can consent be demonstrated in all cases?
2 Are all requests for consent clearly distinguishable?
3 Are facilities for consent withdrawal in place?
4 Is consent freely given in all cases?
Article 8 - Conditions applicable to child's consent in relation to information society services
For children, has consent been given by the holder of parental responsibility in all cases?
Article 9 - Processing of special categories of personal data
All Is all processing of special categories of personal data clearly justified?
Article 10 - Processing of personal data relating to criminal convictions and offences
All None - informational only
Article 11 - Processing which does not require identification
Have processing cases where the data subject cannot be identified been defined?
CHAPTER III: Rights of the data subject
Section 1: Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
1 Is all information provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and in the required formats?
2 Is the exercise of data subject rights facilitated as required?
3 Are the required timeframes for responding to data subject requests met?
4 Are the required timeframes met for informing the data subject where action is not taken?
5 Are clear criteria defined for charging for manifestly unfounded or excessive requests?
6 Are procedures in place for confirming the identity of the requester?
6A None - informational only
6B None - informational only
7 None - informational only
8 [Not included in UK GDPR]
Section 2: Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject
1 Is all of the required information provided to the data subject at the point where personal data are obtained?
2 Is all of the required additional information provided to the data subject at the point where personal data are obtained?
3 Is information provided to data subjects about further processing for additional purposes when required?
4 Is it clearly defined in which cases a data subject will already have the required information?
Article 14 - Information to be provided where personal data have not been obtained from the data subject
1 Is all of the required information provided to the data subject in cases where personal data is not obtained directly from them?
2 Is all of the required additional information provided to the data subject in cases where personal data is not obtained directly from them?
3 Is the required information provided to the data subject according to the timescales required?
4 Is information provided to data subjects about further processing for additional purposes when required?
5 Is it clearly defined in which cases the required information does not need to be provided?
Article 15 - Right of access by the data subject
1 Are procedures in place for responding to data subject access requests and providing the required information?
2 Is information regarding international transfers available to the data subject where appropriate?
3 Are procedures in place to provide copies of the personal data and in the correct form?
4 None - informational only
Section 3: Rectification and erasure
Article 16 - Right to rectification
All Are procedures in place to rectify inaccurate personal data and to have incomplete personal data completed?
Article 17 - Right to erasure ('right to be forgotten')
1 Are procedures in place to erase personal data without undue delay when a data subject requests it on legitimate grounds?
2 Are procedures in place to inform other controllers of erasure requests, where appropriate?
3 Is it clearly defined under what circumstances erasure requests will be accepted or denied?
Article 18 - Right to restriction of processing
1 Are procedures in place to restrict processing when a data subject requests it on legitimate grounds?
2 Are procedures in place to obtain data subject consent before processing that has been restricted is performed?
3 Are data subjects informed before relevant restrictions of processing are lifted?
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
Are procedures in place to communicate rectification or erasure of personal data or restriction of processing to relevant third parties?
Article 20 - Right to data portability
1 Are facilities in place to provide the data subject's personal data on request in a structured, commonly used and machine-readable format?
2 Are facilities in place to transmit the data subject's personal data to another controller?
3 None - informational only
4 None - informational only
Section 4: Right to object and automated individual decision-making
Article 21 - Right to object
1 Are procedures in place to receive, assess and comply with objections to processing of personal data?
2 Are procedures in place to receive objections to processing related to direct marketing specifically?
3 Are procedures in place to comply with objections to processing related to direct marketing?
4 Is the right to object explicitly brought to the attention of the data subject, at the latest at the time of the first communication?
5 None - informational only
6 Is it clear which processing (if any) is in the public interest?
Article 22 - Automated individual decision-making, including profiling
1 Is it clear which processing involves automated decision making, including profiling?
2 Is the basis of any automated decision making clear?
3 Are procedures in place to allow human intervention and obtain the views of the data subject with regard to automated decision making?
3A Has section 14 of the 2018 Act been checked to see if it applies?
4 Have decisions that use special categories of personal data been identified and suitable safeguarding measures put in place?
Section 5: Restrictions
Article 23 - Restrictions
1 Is it known to what extent the Secretary of State has restricted the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, and the relevant parts of Article 5?
2 Are the specifics of any restrictions clearly known, defined and understood?
3 None - informational only
CHAPTER IV: Controller and processor
Section 1: General obligations
Article 24 - Responsibility of the controller
Are appropriate technical and organisational measures in place to ensure, and to be able to demonstrate, that processing is performed in accordance with the UK GDPR?
1 Are these measures reviewed and updated where necessary?
2 Are appropriate data protection policies implemented?
3 None - informational only
Article 25 - Data protection by design and by default
1 Are appropriate technical and organisational measures implemented in order to meet the requirements of this Regulation and protect the rights of data subjects?
2 Are only personal data which are necessary for each specific purpose of the processing processed?
3 None - informational only
Article 26 - Joint controllers
1 Are all Joint Controller instances identified and the relative responsibilities defined and agreed?
2 Does each joint controller arrangement duly reflect the respective roles and relationships and is the essence of the arrangement made available to the data subject?
3 None - informational only
Article 27 - Representatives of controllers or processors not established in the United Kingdom
1 If the controller or processor is not established in the United Kingdom, has a representative in the UK been designated in writing?
2 Has it been established whether or not paragraph 1 of this article applies?
3 [Not included in UK GDPR]
4 Has the representative been mandated by the controller or processor to be addressed by the Information Commissioner's Office and data subjects?
5 None - informational only
Article 28 - Processor
1 Have sufficient guarantees been obtained from processors to implement appropriate technical and organisational measures in accordance with the UK GDPR?
2 Has it been made clear to processors that no other processors shall be engaged without the written authorisation of the controller?
3 Are binding contracts in place with all processors, that meet the requirements of the UK GDPR as stated in Article 28 para 3 points a to h?
4 Where a processor engages another processor, are the same data protection obligations imposed?
5 None - informational only
6 Has the inclusion of standard contractual clauses been considered and, if appropriate, implemented?
7 [Not included in UK GDPR]
8 None - informational only
9 Are the relevant contracts in writing?
10 None - informational only
Article 29 - Processing under the authority of the controller or processor
All Has it been made clear to all parties that processing of personal data must only take place under the authority of the controller?
Article 30 - Records of processing activities
1 If required, are the required records of processing maintained by the controller?
2 If required, are the required records of categories of processing activities maintained by the processor?
3 If required, are the records in writing?
4 If required, are the records available to the ICO on request?
5 Has it been established whether the obligations to maintain records apply?
Article 31 - Cooperation with the Commissioner
All Do the controller and processor cooperate with the ICO on request?
Section 2: Security of personal data
Article 32 - Security of processing
1 Are appropriate technical and organisational measures implemented, to ensure a level of security appropriate to the risk to personal data?
2 Is due consideration made of the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed?
3 Have available approved codes of conduct been considered and, if appropriate, implemented?
4 Are controls in place to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller?
Article 33 - Notification of a personal data breach to the Commissioner
1 Are procedures in place to inform the ICO of a notifiable personal data breach within the timeframe laid out in the UK GDPR?
2 Is it clear to the processor that they must notify the controller of a personal data breach without undue delay?
3 Are procedures in place to ensure that the notification of a personal data breach to the ICO includes all of the required information?
4 Do notification procedures allow for the further provision of information in phases?
5 Are personal data breaches documented?
Article 34 - Communication of a personal data breach to the data subject
1 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, are procedures in place to communicate the personal data breach to the data subject without undue delay?
2 Are communications to the data subject in clear and plain language, and do they include the required information?
3 Are procedures in place to assess whether communication to the data subject is required?
4 Do procedures allow for communication to the data subject being required by the ICO?
Section 3: Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment
1 Are data protection impact assessments carried out where required?
2 If designated, is the advice of the data protection officer sought when carrying out a data protection impact assessment?
3 Are data protection impact assessments carried out in the cases listed in points a to c?
4 Has the list of processing operations which require a data protection impact assessment, published by the ICO, been reviewed, if available?
5 Has the list of processing operations which do not require a data protection impact assessment, published by the ICO, been reviewed, if available?
6 [Not included in UK GDPR]
7 Do data protection impact assessments contain all of the required information?
8 None - informational only
9 Are the views of data subjects or their representatives on the intended processing sought, where appropriate?
10 Have any cases where a data protection impact assessment is not required because it has already been carried out been determined?
11 Are reviews carried out to confirm that processing is in accordance with the data protection impact assessment, including when the risk of the processing changes?
Article 36 - Prior consultation
1 Is the ICO consulted in cases of high risk processing?
2 None - informational only
3 Is the required information provided when consulting with the ICO?
4 None - informational only
4A None - informational only
5 [Not included in UK GDPR]
Section 4: Data protection officer
Article 37 - Designation of the data protection officer
1 Has it been established whether a data protection officer is required and, if one is required, has one been designated?
2 If required, has a data protection officer been appointed for a group of undertakings?
3 If a public authority or body, has a data protection officer been appointed for several authorities or bodies?
4 None - informational only
5 Does the designated data protection officer possess the required professional qualities and expert knowledge of data protection law, and are they able to fulfil the required tasks?
6 Has it been decided whether to appoint internally or use a service contract?
7 Have the contact details of the data protection officer been published and communicated to the ICO?
Article 38 - Position of the data protection officer
1 Is the data protection officer involved, properly and in a timely manner, in all issues which relate to the protection of personal data?
2 Is the data protection officer provided with the resources needed to carry out the required tasks, with access to personal data and processing operations, and with the means to maintain his or her expert knowledge?
3 Is the data protection officer independent and free from undue influence, and does he or she report to the highest level of management?
4 Is the data protection officer available to be contacted by data subjects?
5 Does the data protection officer understand that he or she is bound by secrecy or confidentiality concerning the performance of his or her tasks?
6 Have any conflicts of interest arising from other duties of the data protection officer been resolved?
Article 39 - Tasks of the data protection officer
1 Has the data protection officer been assigned the required minimum tasks?
2 Does the data protection officer have due regard to the risk associated with processing operations in the performance of his or her tasks?
Article 42 - Certification
Article 43 - Certification bodies
None - informational only
CHAPTER V: Transfers of personal data to third countries or international organisations
Article 44 - General principle for transfers
Are the provisions of Chapter V applied to all transfers of personal data to a third country or to an international organisation?
Article 45 - Transfers on the basis of an adequacy decision
1 Have those transfers which do not require specific authorisation been identified?
2 None - informational only
3 [Not included in UK GDPR]
4 [Not included in UK GDPR]
5 [Not included in UK GDPR]
6 [Not included in UK GDPR]
7 None - informational only
8 [Not included in UK GDPR]
9 [Not included in UK GDPR]
Article 46 - Transfers subject to appropriate safeguards
1 Are all transfers of personal data subject to appropriate safeguards, and are they performed on condition that enforceable data subject rights and effective legal remedies for data subjects are available within the receiving country or international organisation?
2 Has it been identified which of the appropriate safeguards in the list in point 2 a to f, if any, apply to each transfer?
3 Has it been identified which of the appropriate safeguards in the list in point 3 a to b, if any, apply to each transfer?
4 [Not included in UK GDPR]
5 [Not included in UK GDPR]
Article 47 - Binding corporate rules
1 Have any binding corporate rules used for transfers of personal data been approved by the ICO?
2 Do the binding corporate rules include the information required in point 2 a to n?
3 [Not included in UK GDPR]
Article 48 - [Not included in UK GDPR]
Article 49 - Derogations for specific situations
1 Has it been established if any of the derogations for specific situations apply to current or planned transfers of personal data?
2 None - informational only
3 None - informational only
4 None - informational only
5 [Not included in UK GDPR]
5A None - informational only
6 For transfers that are not based on specific provisions of the UK GDPR, has the controller or processor documented the required assessment as well as the suitable safeguards in place?
Article 50 - International cooperation for the protection of personal data
All None - informational only
CHAPTER VI: The Commissioner
Section 1: Independent status
Article 51 - Monitoring the application of this Regulation
None - informational only
Article 52 - Independence All None - informational only
Article 53 - [Not included in UK GDPR]
Article 54 - [Not included in UK GDPR]
Section 2: Tasks and powers
Article 55 - [Not included in UK GDPR]
Article 56 - [Not included in UK GDPR]
Article 57 - Tasks
Article 58 - Powers
Article 59 - Activity reports
CHAPTER VII - [Not included in UK GDPR]
CHAPTER VIII: Remedies, liability and penalties
Article 77 - Right to lodge a complaint with the Commissioner
None - informational only
Article 78 - Right to an effective judicial remedy against the Commissioner
None - informational only
Article 79 - Right to an effective judicial remedy against a controller or processor
None - informational only
Article 80 - Representation of data subjects
None - informational only
Article 81 - [Not included in UK GDPR]
Article 82 - Right to compensation and liability
None - informational only
Article 83 - General conditions for imposing administrative fines
None - informational only
Article 84 - Penalties
None - informational only
CHAPTER IX: Provisions relating to specific processing situations
Article 85 - Processing and freedom of expression and information
None - informational only
Article 86 - Processing and public access to official documents
None - informational only
Article 86A - Processing and national security and defence
None - informational only
Article 87 - [Not included in UK GDPR]
Article 88 - [Not included in UK GDPR]
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
None - informational only
CHAPTER X - [Not included in UK GDPR]
Article 90 - [Not included in UK GDPR]
Article 91 - [Not included in UK GDPR]
CHAPTER XI: Final provisions
Article 94 - Repeal of Directive 95/46/EC
Article 95 - Relationship with Directive 2002/58/EC
Article 96 - Relationship with previously concluded Agreements
Article 97 - [Not included in UK GDPR]
Article 98 - [Not included in UK GDPR]
Article 99 - [Not included in UK GDPR]
