- Determine the specific privacy laws and regulations that are applicable to the business, products and service offerings of your organization (consider state, federal, and global laws).
- Identify who within your organization will be responsible for taking the lead on the Privacy Gap Assessment.
Conduct an inventory of data management practices
- Gather any existing and relevant internal and external documents to understand the current state of privacy compliance across the organization.
- Focus on enterprise policies and procedures in areas such as data subject rights management, consent and preference management, vendor privacy assessment, privacy training and awareness, data breach and incident response, as well as external-facing privacy notices.
- Identify whether any data inventory exists that identifies personal data elements collected and processed by the organization, referencing business processes, systems, and third parties.
- Where possible, perform or incorporate any existing data inventory or data mapping efforts as the basis for your gap assessment documentation.
- A top-down, comprehensive data inventory is typically the most efficient foundation for performing a gap assessment.
Perform the gap and risk assessment
- Use the assessment toolkit to assess the business processes, products, services, business systems, and third-party relationships against the specific requirements of the relevant privacy laws and regulations.
- Identify the gaps and risks between the requirements of the law and the organization’s current state of compliance.
- Prioritize the gaps/risks identified based on the defined risk-rank criteria as well as operational, reputational and financial impact to the business.
- Develop a thorough analysis of overall privacy compliance readiness of the business processes, systems, and third parties across the organization.