GDPR gap analysis: understanding where risk really sits

Many organisations believe they are broadly compliant with UK GDPR, yet still feel exposed when client scrutiny, audits or incidents arise. In most cases, the issue is not a lack of intent, but a lack of clarity about how personal data is actually handled day to day.

A GDPR gap analysis is designed to address that uncertainty. Rather than producing generic documentation, it provides a structured assessment of how current practices align with UK GDPR requirements, identifying where risk exists and what needs to change.

At JVR Consultancy, a GDPR gap analysis is used as a practical starting point for proportionate, defensible GDPR compliance.

What a GDPR gap analysis is — and what it is not

A GDPR gap analysis is not a legal audit and it is not a box-ticking exercise. Its purpose is to compare how personal data is actually processed in an organisation against what UK GDPR expects, highlighting gaps between policy and practice.

This includes understanding:

  • What personal data the organisation holds
  • Why it is held and on what lawful basis
  • Where it is stored and who can access it
  • Which suppliers or platforms process data on the organisation’s behalf
  • How long data is retained in practice

The output is clarity about day-to-day processing, not paperwork that sits on a shelf until a breach forces someone to read it.

How JVR Consultancy approaches GDPR gap analysis

JVR Consultancy’s approach focuses on operational reality. The analysis typically begins with structured discovery: reviewing an organisation’s systems, data types, suppliers and internal responsibilities. This establishes an accurate picture of how data actually flows through the organisation, rather than relying on assumptions or outdated documentation.

Key areas reviewed usually include:

Data awareness and mapping

Identifying what personal data exists across systems, shared locations and third-party platforms, and how it moves between them.

Lawful basis and transparency

Assessing the justification for processing personal data — whether that is consent, contractual necessity, legal obligation or legitimate interests — and checking that privacy notices accurately reflect how data is actually used. Where consent is relied upon as a justification for processing personal data, JVR considers whether that consent can genuinely be managed, tracked and withdrawn across systems without creating additional risk.

Access and security controls

Reviewing who can access personal data, whether permissions are appropriate, and whether basic security measures align with the sensitivity of the data being processed.

Retention practices

Comparing an organisation’s documented retention rules with what actually happens in systems and shared locations. In practice, personal data is often kept far longer than intended because systems retain it by default, no one owns deletion decisions, or teams keep data “just in case”. This increases exposure if data is accessed improperly or involved in a breach, without delivering any real operational benefit.
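The comparison described above, as an added example that is not JVR’s tooling or code from this page: a small Python script that checks a data inventory against a documented retention schedule and ranks the gaps in the order a gap analysis would prioritise them. The schedule (POLICY), the assessment date (AS_OF), the Record and Finding types and the sample inventory are all constructed for the example; a real run would populate the records from file metadata or system exports gathered during discovery.

```python
"""Retention drift check: documented retention rules versus what the inventory shows.
Added example with constructed data; not JVR Consultancy's tooling."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule: limit in days after last legitimate activity,
# plus whether the category is treated as sensitive when ranking findings.
# A category missing from this table has no documented rule, which is itself a gap.
POLICY = {
    "recruitment":      {"days": 180,  "sensitive": True},
    "customer_account": {"days": 2190, "sensitive": False},
    "marketing_list":   {"days": 730,  "sensitive": False},
}

# Assessment date for the sample run (an assumption, so the ages are reproducible).
AS_OF = date(2025, 9, 1)


@dataclass(frozen=True)
class Record:
    """One line of a data inventory, as gathered during discovery."""
    system: str                    # where the data lives (CRM, HR share, mailbox, ...)
    category: str                  # data class as named in the retention schedule
    last_activity: date            # last legitimate use; the retention clock starts here
    deletion_owner: Optional[str]  # who decides on deletion; None means nobody does


@dataclass(frozen=True)
class Finding:
    system: str
    category: str
    issue: str
    severity: int  # 3 sensitive data over-retained, 2 over-retained or no rule, 1 ownership gap


def check_record(rec: Record, today: date, policy=POLICY) -> list[Finding]:
    """Compare one inventory record against the documented schedule."""
    findings = []
    age_days = (today - rec.last_activity).days
    rule = policy.get(rec.category)
    if rule is None:
        # Data held with no documented rule: nobody can say when it should go.
        findings.append(Finding(rec.system, rec.category,
                                f"no documented retention rule (held {age_days}d)", 2))
    elif age_days > rule["days"]:
        # Kept past the documented limit; worse when the category is sensitive.
        severity = 3 if rule["sensitive"] else 2
        findings.append(Finding(rec.system, rec.category,
                                f"over-retained by {age_days - rule['days']}d", severity))
    if rec.deletion_owner is None:
        # Even within limits, data with no deletion owner will drift over time.
        findings.append(Finding(rec.system, rec.category,
                                "no owner for deletion decisions", 1))
    return findings


def retention_gap_report(records, today: date = AS_OF, policy=POLICY) -> list[Finding]:
    """All findings across the inventory, highest severity first, then by system."""
    findings = [f for rec in records for f in check_record(rec, today, policy)]
    return sorted(findings, key=lambda f: (-f.severity, f.system, f.category))


# Constructed inventory for the example run; not real data.
SAMPLE_INVENTORY = [
    Record("HR share", "recruitment",       date(2024, 1, 10), None),         # stale CVs, no owner
    Record("CRM",      "customer_account",  date(2025, 6, 1),  "Sales ops"),  # within limit
    Record("Mailbox",  "marketing_list",    date(2022, 3, 15), "Marketing"),  # kept past 730 days
    Record("Finance",  "supplier_contacts", date(2023, 9, 1),  "Finance"),    # category has no rule
]

if __name__ == "__main__":
    for f in retention_gap_report(SAMPLE_INVENTORY):
        print(f"[sev {f.severity}] {f.system:<9} {f.category:<18} {f.issue}")
```

The three issues the script raises are the ones the paragraph names: data kept past its documented limit, data with no documented limit at all, and data nobody owns the deletion of. Ranking by sensitivity first, then by system, gives a remediation order rather than a flat list.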

Supplier and third-party processing

Examining how accountability is managed where suppliers, cloud platforms or outsourced services process personal data on the organisation’s behalf.

Incident readiness

Assessing whether the organisation can recognise a potential breach, escalate it appropriately and make confident reporting decisions if required.

Prioritising risk, not generating long action lists

A key outcome of a GDPR gap analysis is prioritisation. Not all gaps present the same level of risk, and UK GDPR does not expect organisations to eliminate risk entirely.

Findings are assessed based on:

  • Likelihood of harm
  • Scale and sensitivity of data
  • Regulatory and client expectations
  • Practical ability to improve controls

This allows organisations to focus effort where it matters most, rather than attempting to address everything at once.

Why organisations use gap analysis as a foundation

Organisations often engage JVR for a GDPR gap analysis when:

  • Documentation no longer reflects current operations
  • New systems or suppliers have been introduced
  • Procurement or client due diligence is increasing
  • Responsibility for data protection is unclear
  • Confidence around incident response is low

In these situations, a gap analysis provides a clear, defensible baseline — helping organisations understand where they stand and what proportionate improvement looks like.

From assessment to sustainable compliance

A GDPR gap analysis is rarely the end point. For many organisations, it becomes the foundation for more sustainable governance, whether that involves targeted remediation, policy updates, staff awareness or ongoing advisory support.

JVR Consultancy supports organisations in translating the findings into practical next steps, aligned with how they operate in reality and the level of risk they face.

The objective is not perfection, but confidence — knowing where data sits, how it is used and how decisions can be justified under scrutiny.
