🔍 Phase 0 · 3-4 weeks

Phase 0: GDPR Gap Assessment

Before implementing anything, you need to understand where the organization stands today. A gap assessment compares the current state against GDPR requirements and produces a prioritized remediation roadmap. This is the foundation for everything that follows.

🎯 Objectives

  • Assess the organization's current level of GDPR compliance across all key areas
  • Identify the highest-risk gaps that need immediate attention
  • Understand the scope of personal data processing across the organization
  • Build the business case for GDPR compliance investment
  • Produce a prioritized remediation roadmap with effort estimates

Stakeholder Interviews and Awareness Assessment

Interview 15-25 key stakeholders across business units, IT, legal, HR, marketing, and customer service. Assess their understanding of GDPR, current data handling practices, and known pain points. Use a standardized questionnaire covering data collection, storage, sharing, retention, security, and breach history.

🎓 Beginner's Note

The interviews are not just about collecting information — they are your first chance to build relationships and establish credibility. Many people will be nervous about GDPR (fear of fines). Your job is to be a supportive guide, not an auditor finding fault.

💡 Consultant Tips

  • Start with department heads, then drill into teams that handle the most personal data (HR, Marketing, Customer Service, IT)
  • Ask about recent incidents: data breaches, customer complaints about privacy, subject access requests they could not fulfill
  • Gauge the organizational culture: is privacy seen as important or as an obstacle?
  • Document everything — direct quotes from stakeholders are powerful in the business case

Data Processing Inventory (High-Level)

Create a preliminary inventory of all personal data processing activities. For each major business process (HR, sales, marketing, customer support, finance), identify: what personal data is collected, where it is stored, who accesses it, who it is shared with, and how long it is kept. This does not need to be exhaustive at this stage — focus on the top 20-30 processing activities.

🎓 Beginner's Note

This initial inventory is a rough map, not a final product. You will build the detailed Article 30 ROPA in Phase 1. The goal here is to understand the landscape well enough to assess gaps and prioritize remediation.

💡 Consultant Tips

  • Use a simple spreadsheet template: Process Name, Data Categories, Systems, Lawful Basis (if known), Retention Period, Third Parties
  • Do not try to boil the ocean — focus on the most important processes first
  • Talk to the people who actually DO the processing, not just their managers
  • Look for 'shadow IT' — personal data in spreadsheets, personal email, shared drives, Slack channels
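The shadow-IT hunt above is the one step of the inventory that can be partly automated. The script below is an added example, not part of the original guide: it scans text extracted from shared-drive files for indicators of personal data (e-mail addresses, international phone numbers, IBANs confirmed with the ISO 13616 mod-97 checksum so that product codes do not count, and keywords that hint at Article 9 health data) and gives each file a triage label for the inventory owner. The file paths and contents are constructed samples; the patterns are heuristics for triage, not a definition of personal data.

```python
"""Shadow-IT discovery for the preliminary inventory: scan text pulled from
shared drives or exports for indicators of personal data and triage each file.
Heuristic only; every hit still needs a human to confirm what the data is."""
import re
from collections import Counter
from typing import Dict

# Indicator patterns. The phone pattern deliberately requires a leading '+'
# so that invoice numbers and build IDs do not flood the results.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}(?!\d)"),
    # IBAN candidate (country, check digits, 11-30 alphanumerics, optional spaces);
    # candidates are confirmed with the mod-97 checksum below.
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b"),
    # Keyword hints for Article 9 special-category data.
    "health_keyword": re.compile(r"\b(diagnosis|sick note|medical|disability)\b", re.I),
}


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    A-Z to 10-35, and the resulting integer must be congruent to 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def scan_text(text: str) -> Counter:
    """Count indicator hits in one file's text, discarding IBAN false positives."""
    hits: Counter = Counter()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "iban" and not iban_is_valid(match.group(0)):
                continue  # e.g. order or product codes that merely look like IBANs
            hits[name] += 1
    return hits


def triage(hits: Counter) -> str:
    """Suggested follow-up for the inventory owner."""
    if not hits:
        return "no indicators"
    if hits["health_keyword"] or hits["iban"]:
        return "special/financial data: interview owner, assess Art. 32 controls"
    return "contact data: add to inventory"


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """Map each path to its indicator counts and a triage label."""
    report = {}
    for path, body in files.items():
        hits = scan_text(body)
        report[path] = {"hits": dict(hits), "triage": triage(hits)}
    return report


# Constructed sample content standing in for text extracted from a shared drive.
SAMPLE_FILES = {
    "HR/sick_notes_2023.txt": (
        "Sick note for j.doe@example.com, diagnosis: back pain. "
        "Contact +44 20 7946 0958"
    ),
    "Finance/supplier_refunds.csv": (
        "refund,GB82 WEST 1234 5698 7654 32,250.00\n"
        "refund,GB83 WEST 1234 5698 7654 32,99.00"
    ),
    "Marketing/event_leads.csv": "name,email\nA. Smith,a.smith@example.org\nB. Jones,b.jones@example.net",
    "IT/release_notes.txt": "Build 4412 fixed the login timeout. No customer data touched.",
}

if __name__ == "__main__":
    for path, result in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {result['hits']} -> {result['triage']}")
```

In practice you would feed this the text layer of exported spreadsheets, mailbox dumps and chat exports rather than raw strings, and treat the output as a list of owners to interview, not as the inventory itself. The second IBAN in the finance sample has a wrong check digit and is dropped, which is the kind of filtering that keeps the hit list credible when you present it.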

Policy and Documentation Review

Review all existing privacy-related documentation: privacy notices, data protection policies, cookie policies, consent forms, data processing agreements with vendors, employee privacy notices, retention schedules, breach response plans, and DPIA templates. Assess each against GDPR requirements.

🎓 Beginner's Note

Many organizations have SOME privacy documentation from pre-GDPR days. It is almost never sufficient. Common gaps: no Article 30 records, no DPIA process, privacy notices missing required information, no data processing agreements with cloud vendors.

💡 Consultant Tips

  • Create a document inventory checklist of all required GDPR documents
  • Score each document: Exists and compliant / Exists but needs updating / Does not exist
  • Pay special attention to privacy notices — they are the most visible GDPR document and the most commonly non-compliant
  • Check if data processing agreements (Article 28) are in place with ALL processors

Technical Security Assessment

Assess the technical security measures protecting personal data: encryption (at rest and in transit), access controls, network security, backup procedures, logging and monitoring, endpoint protection, and vulnerability management. Map these against Article 32 requirements.

🎓 Beginner's Note

Article 32 requires 'appropriate technical and organisational measures' to ensure a level of security appropriate to the risk. What is appropriate depends on the risk to the individuals concerned, the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. You do not need military-grade security for a mailing list, but you do need strong measures for health data or financial data.

💡 Consultant Tips

  • Work with the IT security team or CISO: they may already have penetration test reports, audit findings or an ISO 27001 gap analysis you can build on
  • Check: Is personal data encrypted at rest in databases? In transit? On laptops and removable media?
  • Review access control: Is access to personal data on a need-to-know basis? Are permissions regularly reviewed, and are leavers' accounts removed promptly?
  • Check logging and monitoring: Could the organization detect a breach, work out which data subjects and records were affected, and notify the supervisory authority within the 72 hours Article 33 allows?
  • Assess data backup and recovery: Can you restore data? Are backups in scope when a DSAR or erasure request is fulfilled, or at least documented with their retention and overwrite cycle?

Third-Party and Vendor Assessment

Identify all third parties who process personal data on behalf of the organization (processors) or receive personal data (controllers/joint controllers). Assess whether appropriate data processing agreements are in place and whether these third parties meet GDPR requirements.

🎓 Beginner's Note

Many organizations are surprised by how many third parties have access to their personal data. Every SaaS tool (Salesforce, Mailchimp, Slack, Zoom, HubSpot) is likely a data processor. Each one needs a proper Data Processing Agreement.

💡 Consultant Tips

  • Start with IT procurement records and accounts payable to find all vendors
  • Check for cloud services, SaaS tools, marketing platforms, payroll providers, analytics tools
  • Assess international transfers: which vendors (and their sub-processors) store or access personal data outside the EU/EEA, and what transfer mechanism (adequacy decision, standard contractual clauses) covers each?
  • Review existing contracts for Article 28 required clauses

Gap Analysis Report and Roadmap

Compile all findings into a structured gap analysis report. For each GDPR requirement area, document the current state, the gap, the risk level (High/Medium/Low), and recommended remediation actions. Prioritize by risk and create a phased remediation roadmap.

🎓 Beginner's Note

The gap analysis report is your most important Phase 0 deliverable. It should be clear enough that an executive with no privacy knowledge can understand the risks and the investment required. Use visuals: heatmaps, traffic lights, risk matrices. Avoid jargon.

💡 Consultant Tips

  • Use a traffic light system: Red (major gap, high risk), Amber (partial compliance, medium risk), Green (compliant)
  • Prioritize: Lawful basis gaps, breach response gaps, and missing data subject rights processes are typically highest risk
  • Include effort estimates (person-weeks) and cost estimates for each remediation item
  • Present the roadmap to executive sponsors before starting Phase 1
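Once the inventory, vendor list and technical findings exist as structured data, the traffic-light scoring and prioritization described above can be made repeatable. The script below is an added example, not part of the original guide or of any prescribed GDPR scoring scheme: it takes a small constructed inventory of processing activities (fictitious names and vendors), applies a set of risk rules that reflect the prioritization tip above (lawful-basis gaps, missing Article 28 DPAs, undocumented transfers outside the EEA and unencrypted special-category data rated Red; retention, access-review and general encryption gaps rated Amber) and sorts the result into the order a remediation roadmap would present it. The rule thresholds are this example's assumptions and should be tuned to the organization.

```python
"""Traffic-light scoring of the preliminary inventory into a prioritized gap
list. The rules below are this example's own heuristics for where the highest
risk usually sits, not a scoring scheme prescribed by the GDPR."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

RED, AMBER, GREEN = "Red", "Amber", "Green"
ORDER = {RED: 0, AMBER: 1, GREEN: 2}


@dataclass
class Processor:
    name: str
    dpa_in_place: bool            # Article 28 data processing agreement signed?
    outside_eea: bool
    transfer_mechanism: str = ""  # e.g. "SCC" or "adequacy"; empty = none documented


@dataclass
class Activity:
    name: str
    special_category: bool        # Article 9 data (health, biometrics, ...)
    legal_basis: str              # "" if nobody could name one during interviews
    retention_period: str         # "" if undefined
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    access_reviewed: bool         # periodic review of who can access the data
    processors: List[Processor] = field(default_factory=list)


def assess(a: Activity) -> Dict:
    """Return the activity's overall rating and the individual gaps found."""
    findings: List[tuple] = []

    def red(msg: str) -> None:
        findings.append((RED, msg))

    def amber(msg: str) -> None:
        findings.append((AMBER, msg))

    if not a.legal_basis:
        red("no lawful basis identified (Art. 6)")
    if a.special_category and not a.encrypted_at_rest:
        red("special-category data stored unencrypted (Art. 9 / Art. 32)")
    elif not a.encrypted_at_rest:
        amber("personal data stored unencrypted (Art. 32)")
    if not a.encrypted_in_transit:
        amber("no encryption in transit (Art. 32)")
    if not a.access_reviewed:
        amber("access to personal data not periodically reviewed")
    if not a.retention_period:
        amber("no defined retention period (Art. 5(1)(e))")
    for p in a.processors:
        if not p.dpa_in_place:
            red(f"processor {p.name} without Article 28 DPA")
        if p.outside_eea and not p.transfer_mechanism:
            red(f"transfer to {p.name} outside the EEA with no documented mechanism (Chapter V)")

    if any(colour == RED for colour, _ in findings):
        rating = RED
    elif findings:
        rating = AMBER
    else:
        rating = GREEN
    return {"activity": a.name, "rating": rating, "findings": [m for _, m in findings]}


def build_roadmap(activities: List[Activity]) -> List[Dict]:
    """Red first, then Amber, then Green; within a colour, most gaps first."""
    rows = [assess(a) for a in activities]
    rows.sort(key=lambda r: (ORDER[r["rating"]], -len(r["findings"]), r["activity"]))
    return rows


def summary(rows: List[Dict]) -> Dict[str, int]:
    """Counts per colour for the executive heatmap."""
    return dict(Counter(r["rating"] for r in rows))


# Constructed sample inventory; activity names and vendors are fictitious.
SAMPLE_INVENTORY = [
    Activity("Employee health records", True, "Art. 9(2)(b) employment law", "6 years after employment ends",
             encrypted_at_rest=False, encrypted_in_transit=True, access_reviewed=False,
             processors=[Processor("OccHealth Ltd", True, False)]),
    Activity("Marketing newsletter", False, "consent", "",
             encrypted_at_rest=True, encrypted_in_transit=True, access_reviewed=True,
             processors=[Processor("MailPlatform Inc", False, True)]),
    Activity("Customer support tickets", False, "", "2 years",
             encrypted_at_rest=True, encrypted_in_transit=True, access_reviewed=False,
             processors=[Processor("HelpDesk SaaS", True, True, "SCC")]),
    Activity("Payroll", False, "contract", "10 years",
             encrypted_at_rest=True, encrypted_in_transit=True, access_reviewed=True,
             processors=[Processor("PayrollCo", True, False)]),
    Activity("Visitor log", False, "legitimate interest", "30 days",
             encrypted_at_rest=False, encrypted_in_transit=True, access_reviewed=True),
]

if __name__ == "__main__":
    roadmap = build_roadmap(SAMPLE_INVENTORY)
    print(summary(roadmap))
    for row in roadmap:
        print(f"[{row['rating']}] {row['activity']}")
        for gap in row["findings"]:
            print(f"    - {gap}")
```

The value of scripting this is consistency: every activity is judged by the same rules, so when a department head challenges a Red rating you can point at the specific finding rather than a judgement call. Effort and cost estimates still have to be added by hand per finding before the roadmap goes to the executive sponsors.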

📦 Phase Deliverables

GDPR Gap Analysis Report (with traffic-light scoring across all requirement areas)
Preliminary Data Processing Inventory (top 20-30 activities)
Policy and Documentation Assessment (exists/needs updating/missing)
Third-Party/Vendor Risk Assessment
Technical Security Gap Assessment
Prioritized Remediation Roadmap (phased, with effort and cost estimates)
Executive Summary Presentation (for sponsor/board-level briefing)