Blog Post

keepmesafe • Nov 09, 2020

Are you GDPR Compliant?

GDPR Gap Analysis - Case Study 
February 2020

This organisation is an independent fostering agency whose mission is to provide high-quality care placements to children and young people for Local Authorities. To support the complex dynamics of information exchanges that take place in the social care sector, the organisation wanted to ensure that it had robust policies and procedures in place to protect the data it controlled and processed.

Guardian Saints were engaged to undertake a ‘Gap Analysis’ to determine the organisation's level of compliance against the requirements of the GDPR 2016 and the DPA 2018.

* As data protection is a sensitive subject, the agency wishes to remain anonymous, which we respect.

Challenge 

The organisation had conducted an internal review of its Data Protection and Cyber Security position and taken measures towards compliance. However, it felt it was imperative to gain an independent assessment of its position against the regulations.

Having attended Guardian Saints' GDPR workshops, the organisation decided to engage our GDPR Gap Analysis service, which uses recognised standards and methodologies to audit and highlight any further required action. This process can be considered a GDPR ‘Health Check’, which determines an organisation’s level of compliance and identifies appropriate ‘remedies’, should they be needed.

Solution and Services provided by Guardian Saints
  • Initial assessment to scope and determine requirements
  • Two days ‘on site’ information gathering, including:
    • Review of existing documentation and procedures
    • Conducting interviews with the organisation's key personnel
    • Review and clarification from the organisation's perspective
  • Onsite presentation of the final report to senior stakeholders, detailing actions required to attain full compliance with the regulations
  • All-staff training session outlining the organisation's successes and challenges in Data Protection and Cyber Security awareness

Benefits
  • An independent review of processes and documentation provides a route to compliance through remediation, resolution and action.
  • A detailed Gap Analysis supports senior management in aligning resources to ensure the protection of the rights of data subjects, including foster carers, young people in care, employees, panel members and third-party suppliers.
  • Delivers a structured approach to implementation of corrective activity, underpinned by a remediation and action plan.
  • Provides clarity for the organisation, enabling it to effectively manage and control both budgeting and resource requirements.

Outcome 

The Gap Analysis demonstrated that this organisation is a proactive fostering agency with many of the areas under scrutiny having been implemented to some degree, as noted below:
  • Leadership commitment and direction - the Directors of the organisation were found to be fully committed to the protection of the children’s data within their remit.
  • The organisation has appointed a Data Protection Officer, who has been provided adequate time and budget to ensure the development of their knowledge and understanding of Data Protection.
  • It is noted that foundational work has taken place. This has been evidenced by a mature framework built on embedded policy and process with signposting through to the DPO for confirmatory guidance. Policy and guidance are cornerstones of compliance with GDPR.
  • The organisation has ensured that all staff, carers and others who may come into contact with or have an impact on personal data receive regular training commensurate with their roles. The organisation ensures ongoing awareness training and involvement of staff via quarterly meetings.

A detailed report highlighted risks and process gaps within the organisation alongside the action priorities; these included:
  • A lack of an implemented framework for Information Security. The organisation has requested Guardian Saints to provide a quotation for the implementation and certification of the Cyber Essentials Scheme. As part of this process Guardian Saints provided the organisation with an IT security template to aid in the implementation of IT security best practices.
  • A review of the policies in place noted that some updates and clarification were required. The organisation has engaged with Guardian Saints to assist in this process.
  • At the time of the Gap Analysis it was noted that the data mapping process was ongoing; it was recommended that the organisation set a target date for completion.
  • Whilst it was noted during the Gap Analysis that the organisation had established good Privacy Notice policies, the analysis highlighted that these policies did not fully cover the requirements of Articles 13 and 14 of the GDPR. Guardian Saints provided the organisation with Privacy Notice templates for them to incorporate into their existing policies.
  • Although access controls were good, there was room for improvement in the access procedures provided for external professionals and advisors.

Where Data Protection and Cyber Security controls are in place, the organisation does not have the evidence of standards alignment to assure data subjects, customers and suppliers that information is protected. Guardian Saints’ advice is to gain Cyber Essentials Certification, a Government scheme that ensures security standards are maintained, as referenced in point 2.a. above.

Through this analysis, the risks were identified and an action plan set out providing the organisation with a clear direction and the confidence to address any gaps, thus working towards GDPR compliance and continuous protection of the rights of their data subjects.

The Guardian Saints Team was invited to undertake a GDPR GAP analysis of our organisation in early 2020. This was following some excellent feedback at a training session they put on for NAFP members which two of our staff attended.

Guardian Saints worked closely with us before, during and after the GAP analysis audit, giving clear guidance around what information was needed and the overall process they were going to follow. 

After completion of the audit they assisted us in updating our Privacy Notices and Information Security Policy, as well as reassuring us that the safeguards and security put in place by our IT providers were of the high level we expected.

Guardian Saints then presented training to the whole agency around Data Protection and GDPR. This was a really fun and interactive session for everyone, which is quite impressive given the topic! Some of the feedback from our staff group around the training was as follows:

“I was surprised that training on data protection could be delivered in a way that was interesting and engaging. It's an easy topic to poke fun at - Guardian Saints did a great job at overcoming preconceptions of 'this is going to be boring' and I came away feeling the session was very worthwhile - and relevant to my role. I was impressed!”

“A very clear presentation of quite a complex topic. Well delivered, relaxed learning environment.”

“Much of the content was a helpful refresh of the knowledge I'd learned on a data protection training package I'd recently completed. It demystified the complexities, and cemented in my mind/approach a more considered way of thinking about data protection.”

Our advice to others considering engaging Guardian Saints would be that regardless of your size or how sure or unsure you are of your data protection processes, it’s well worth inviting them in to do a GAP analysis. We were really pleased with the coverage of the audit and the support they have provided to improve our practice subsequently has been massively helpful.

Data Protection is really important within the area we operate in, as the information we handle is so sensitive. Undergoing this audit allows us to demonstrate to all our stakeholders how seriously we take Data Protection and our ongoing commitment to looking after the information of the individuals we work with.
