Version: 1
Dated: dd/mm/yy
GDPR Gap Assessment Tool Approval: [Name of approver]
Note: this gap assessment must be conducted with reference to a copy of the GDPR
Columns: Chapter | Section | Article | Paragraph and Point | Requirements | Compliant? | Action required to achieve compliance | Action owner
(Chapter and Section are given as heading lines below; each row lists Article | Paragraph and Point | Requirement | Compliant?. The action columns are blank throughout.)
CHAPTER I - General provisions
Article 1 - Subject-matter and objectives | All | None - informational only
Article 2 - Material scope | All | Has it been established that the GDPR applies to the personal data processing activities that the organization undertakes? | Yes
Article 3 - Territorial scope | All | Has it been established that the GDPR applies, based on the data subjects whose personal data we process? | Yes
Article 4 - Definitions | All | None - informational only
Total: 2
CHAPTER II - Principles
Article 5 - Principles relating to processing of personal data | 1a | Are personal data processed lawfully, fairly and transparently? | Yes
    1b | Are personal data collected for specified, explicit and legitimate purposes? | Yes
    1c | Are personal data collected adequate, relevant and limited to what is necessary? | Yes
    1d | Are personal data accurate and, where necessary, kept up to date? | Yes
Total: 16
CHAPTER III - Rights of the data subject
Total: 6
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject | 1 | Is all of the required information provided to the data subject at the point where personal data are obtained? | Yes
    2 | Is all of the required additional information provided to the data subject at the point where personal data are obtained? | Yes
    3 | Is information provided to data subjects about further processing for additional purposes when required? | Yes
    4 | Is it clearly defined in which cases a data subject will already have the required information? | Yes
Article 14 - Information to be provided where personal data have not been obtained from the data subject | 1 | Is all of the required information provided to the data subject in cases where personal data is not obtained directly from them? | Yes
    2 | Is all of the required additional information provided to the data subject in cases where personal data is not obtained directly from them? | Yes
    3 | Is the required information provided to the data subject according to the timescales required? | Yes
    4 | Is information provided to data subjects about further processing for additional purposes when required? | Yes
    5 | Is it clearly defined in which cases the required information does not need to be provided? | Yes
Article 15 - Right of access by the data subject | 1 | Are procedures in place for responding to data subject access requests and providing the required information? | Yes
    2 | Is information regarding international transfers available to the data subject where appropriate? | Yes
    3 | Are procedures in place to provide copies of the personal data and in the correct form? | Yes
    4 | None - informational only
Total: 12
Section 3 - Rectification and erasure
Article 16 - Right to rectification | All | Are procedures in place to rectify inaccurate personal data and to have incomplete personal data completed? | Yes
Article 17 - Right to erasure ('right to be forgotten') | 1 | Are procedures in place to erase personal data without undue delay when a data subject requests it on legitimate grounds? | Yes
    2 | Are procedures in place to inform other controllers of erasure requests, where appropriate? | Yes
Total: 10
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object | 1 | Are procedures in place to receive, assess and comply with objections to processing of personal data? | Yes
    2 | Are procedures in place to receive objections to processing related to direct marketing specifically? | Yes
    3 | Are procedures in place to comply with objections to processing related to direct marketing? | Yes
    4 | Is the right to object explicitly brought to the attention of the data subject, at the latest at the time of the first communication? | Yes
    5 | None - informational only
    6 | Is it clear which processing (if any) is in the public interest? | Yes
Article 22 - Automated individual decision-making, including profiling | 1 | Is it clear which processing involves automated decision making, including profiling? | Yes
    2 | Is the basis of any automated decision making clear? | Yes
    3 | Are procedures in place to allow human intervention and obtain the views of the data subject with regard to automated decision making? | Yes
    4 | Have decisions that use special categories of personal data been identified and suitable safeguarding measures put in place? | Yes
Total: 9
Section 5 - Restrictions
Article 23 - Restrictions | 1 | Is it known to what extent Union or Member State law restricts the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, and the relevant parts of Article 5? | Yes
    2 | Are the specifics of any restrictions of Union or Member State law clearly known, defined and understood? | Yes
Total: 2
CHAPTER IV - Controller and processor
Section 1 - General obligations
Article 24 - Responsibility of the controller | 1 | Are appropriate technical and organisational measures in place to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR? | Yes
Total: 24
Section 2 - Security of personal data
Article 32 - Security of processing | 1 | Are appropriate technical and organisational measures implemented to ensure a level of security appropriate to the risk to personal data? | Yes
    4 | Are controls in place to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller? | Yes
Article 33 - Notification of a personal data breach to the supervisory authority | 1 | Are procedures in place to inform the supervisory authority of a notifiable personal data breach within the timeframe laid out in the GDPR? | Yes
    2 | Is it clear to the processor that they must notify the controller of a personal data breach without undue delay? | Yes
    3 | Are procedures in place to ensure that the notification of a personal data breach to the supervisory authority includes all of the required information? | Yes
    4 | Do notification procedures allow for the further provision of information in phases? | Yes
    5 | Are personal data breaches documented? | Yes
Total: 13
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment | 1 | Are data protection impact assessments carried out where required? | Yes
    2 | If designated, is the advice of the data protection officer sought when carrying out a data protection impact assessment? | Yes
    3 | Are data protection impact assessments carried out in the cases listed in points a to c? | Yes
    4 | Has the list of processing operations which require a data protection impact assessment, published by the supervisory authority, been reviewed, if available? | Yes
    5 | Has the list of processing operations which do not require a data protection impact assessment, published by the supervisory authority, been reviewed, if available? | Yes
    6 | None - informational only
Total: 11
Section 4 - Data protection officer
Article 37 - Designation of the data protection officer | 1 | Has it been established whether a data protection officer is required and, if one is required, has one been designated? | Yes
    2 | If required, has a data protection officer been appointed for a group of undertakings? | Yes
    3 | If a public authority or body, has a data protection officer been appointed for several authorities or bodies? | Yes
    4 | None - informational only
    5 | Does the designated data protection officer possess the required professional qualities and expert knowledge of data protection law, and are they able to fulfil the required tasks? | Yes
    6 | Has it been decided whether to appoint internally or use a service contract? | Yes
    7 | Have the contact details of the data protection officer been published and communicated to the supervisory authority? | Yes
Article 38 - Position of the data protection officer | 1 | Is the data protection officer involved, properly and in a timely manner, in all issues which relate to the protection of personal data? | Yes
    2 | Are the resources provided to the data protection officer to carry out the required tasks, including access to personal data and processing operations, and to maintain his or her expert knowledge? | Yes
    3 | Is the data protection officer independent and free from undue influence, and does he or she report to the highest level of management? | Yes
    4 | Is the data protection officer available to be contacted by data subjects? | Yes
    5 | Does the data protection officer understand that he or she is bound by secrecy or confidentiality concerning the performance of his or her tasks? | Yes
    6 | Have any conflicts of interest arising from other duties of the data protection officer been resolved? | Yes
Article 39 - Tasks of the data protection officer | 1 | Has the data protection officer been assigned the required minimum tasks? | Yes
    2 | Does the data protection officer have due regard to the risk associated with processing operations in the performance of his or her tasks? | Yes
Total: 14
Section 5 - Codes of conduct and certification
Article 40 - Codes of conduct | All | None - informational only
Article 41 - Monitoring of approved codes of conduct | All | None - informational only
Article 42 - Certification | All | None - informational only
Article 43 - Certification bodies | All | None - informational only
Total: 0
CHAPTER V - Transfers of personal data to third countries or international organisations
Article 44 - General principle for transfers | All | Are the provisions of Chapter V applied to all transfers of personal data to a third country or to an international organisation? | Yes
Article 45 - Transfers on the basis of an adequacy decision | 1 | Have those transfers which do not require specific authorisation been identified? | Yes
    2 to 9 | None - informational only
Article 46 - Transfers subject to appropriate safeguards | 1 | Are all transfers of personal data subject to appropriate safeguards, and are they performed on condition that enforceable data subject rights and effective legal remedies for data subjects are available within the receiving country or international organisation? | Yes
    2 | Has it been identified which of the appropriate safeguards in the list in point 2 a to f, if any, apply to each transfer? | Yes
    3 | Has it been identified which of the appropriate safeguards in the list in point 3 a to b, if any, apply to each transfer? | Yes
    4 | None - informational only
    5 | None - informational only
Article 47 - Binding corporate rules | 1 | Have any binding corporate rules used for transfers of personal data been approved by the supervisory authority? | Yes
    2 | Do the binding corporate rules include the information required in point 2 a to n? | Yes
    3 | None - informational only
Article 48 - Transfers or disclosures not authorised by Union law | All | None - informational only
Article 49 - Derogations for specific situations | 1 | Has it been established if any of the derogations for specific situations apply to current or planned transfers of personal data? | Yes
    2 to 5 | None - informational only
    6 | For transfers that are not based on specific provisions of the GDPR, has the controller or processor documented the required assessment as well as the suitable safeguards in place? | Yes
Total: 9
CHAPTER VI - Independent supervisory authorities
Section 1 - Independent status
Article 51 - Supervisory authority | All | None - informational only
Article 52 - Independence | All | None - informational only
Article 53 - General conditions for the members of the supervisory authority | All | None - informational only
Article 54 - Rules on the establishment of the supervisory authority | All | None - informational only
Section 2 - Competence, tasks and powers
Article 55 - Competence | All | None - informational only
Article 56 - Competence of the lead supervisory authority | All | None - informational only
Article 57 - Tasks | All | None - informational only
Article 58 - Powers | All | None - informational only
Article 59 - Activity reports | All | None - informational only
Total: 0
CHAPTER VII - Cooperation and consistency
Section 1 - Cooperation
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned | All | None - informational only
Article 61 - Mutual assistance | All | None - informational only
Article 62 - Joint operations of supervisory authorities | All | None - informational only
Section 2 - Consistency
Article 63 - Consistency mechanism | All | None - informational only
Article 64 - Opinion of the Board | All | None - informational only
Article 65 - Dispute resolution by the Board | All | None - informational only
Article 66 - Urgency procedure | All | None - informational only
Article 67 - Exchange of information | All | None - informational only
Section 3 - European data protection board
Article 68 - European Data Protection Board | All | None - informational only
Article 69 - Independence | All | None - informational only
Article 70 - Tasks of the Board | All | None - informational only
Article 71 - Reports | All | None - informational only
Article 72 - Procedure | All | None - informational only
Article 73 - Chair | All | None - informational only
Article 74 - Tasks of the Chair | All | None - informational only
Article 75 - Secretariat | All | None - informational only
Article 76 - Confidentiality | All | None - informational only
Total: 0
CHAPTER VIII - Remedies, liability and penalties
Article 77 - Right to lodge a complaint with a supervisory authority | All | None - informational only
Article 78 - Right to an effective judicial remedy against a supervisory authority | All | None - informational only
Article 79 - Right to an effective judicial remedy against a controller or processor | All | None - informational only
Article 80 - Representation of data subjects | All | None - informational only
Article 81 - Suspension of proceedings | All | None - informational only
Article 82 - Right to compensation and liability | All | None - informational only
Article 83 - General conditions for imposing administrative fines | All | None - informational only
Article 84 - Penalties | All | None - informational only
Total: 0
CHAPTER IX - Provisions relating to specific processing situations
Article 85 - Processing and freedom of expression and information | All | None - informational only
Article 86 - Processing and public access to official documents | All | None - informational only
Article 87 - Processing of the national identification number | All | None - informational only
Article 88 - Processing in the context of employment | All | None - informational only
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes | All | None - informational only
Article 90 - Obligations of secrecy | All | None - informational only
Article 91 - Existing data protection rules of churches and religious associations | All | None - informational only
Total: 0
CHAPTER X - Delegated acts and implementing acts
Article 92 - Exercise of the delegation | All | None - informational only
Article 93 - Committee procedure | All | None - informational only
Total: 0
CHAPTER XI - Final provisions
Article 94 - Repeal of Directive 95/46/EC | All | None - informational only
Article 95 - Relationship with Directive 2002/58/EC | All | None - informational only
Article 96 - Relationship with previously concluded Agreements | All | None - informational only
Article 97 - Commission reports | All | None - informational only
Article 98 - Review of other Union legal acts on data protection | All | None - informational only
Article 99 - Entry into force and application | All | None - informational only
Total: 0
[Chart: compliance summary by GDPR Chapter/Section. Horizontal axis: GDPR Chapter/Section; left axis: number of requirements (0 to 30); right axis: percentage compliant (0% to 100%). Each plotted chapter/section shows 100% compliant.]